Source
ghsa
### Summary There is an open redirect in the `@keystone-6/auth` package, where the redirect leading `/` filter can be bypassed. ### Impact Users may be redirected to domains other than the relative host, thereby it might be used by attackers to re-direct users to an unexpected location. ### Mitigations - Don't use the `@keystone-6/auth` package ### References - [CWE-601: URL Redirection to Untrusted Site ('Open Redirect')](https://cwe.mitre.org/data/definitions/601.html) - [OWASP: Unvalidated Redirects and Forwards Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/Unvalidated_Redirects_and_Forwards_Cheat_Sheet.html) #### Similar Vulnerability Reports - [CVE-2023-0748](https://nvd.nist.gov/vuln/detail/CVE-2023-0748) - [CVE-2022-2252](https://nvd.nist.gov/vuln/detail/CVE-2022-2252) #### Credits Thanks to [morioka12](https://github.com/scgajge12) for reporting this problem. If you have any questions around this security advisory, please don't hesitate to contact us at [sec...
Denial of service via out of memory (OOM) owing to no sanity limit on normal form fields in multipart forms. When a Multipart request has non-file normal form fields, Struts used to bring them into memory as Strings without checking their sizes. This could lead to an OOM if developer has set struts.multipart.maxSize to a value equal or greater than the available memory. Upgrade to Struts 2.5.31 or 6.1.2.1 or greater
Denial of service via out of memory (OOM) owing to not properly checking of list bounds. When a Multipart request has non-file normal form fields, Struts used to bring them into memory as Strings without checking their sizes. This could lead to OOM if developer has set struts.multipart.maxSize to a value equal or greater than the available memory. Upgrade to Struts 2.5.31 or 6.1.2.1 or greater.
An issue in Dolibarr v16.0.0 to v16.0.5 allows unauthenticated attackers to perform a database dump and access a company's entire customer file, prospects, suppliers, and employee information if a contact file exists.
Hutool v5.8.17 and below was discovered to contain an information disclosure vulnerability via the `File.createTempFile()` function at `/core/io/FileUtil.java`.
CraftCMS is vulnerable to Server-Side Template Injection (SSTI). An authenticated attacker can inject Twig Template to User Photo Location field when setting User Photo Location in User Settings, lead to Remote Code Execution.
### Impact As a part of this vulnerability, user was able to se code using `__proto__` as a tag or attribute name. ```js const { XMLParser, XMLBuilder, XMLValidator} = require("fast-xml-parser"); let XMLdata = "<__proto__><polluted>hacked</polluted></__proto__>" const parser = new XMLParser(); let jObj = parser.parse(XMLdata); console.log(jObj.polluted) // should return hacked ``` ### Patches The problem has been patched in v4.1.2 ### Workarounds User can check for "__proto__" in the XML string before parsing it to the parser. ### References https://gist.github.com/Sudistark/a5a45bd0804d522a1392cb5023aa7ef7
Please note this advisory is for a historical preexisting issue in the legacy server from 2018. It has long since been triaged. It is being moved here for visibility. The text below is copied from the original issue #690 # You can login to the server with any username/password combination if someone else is logged in An explanation of the bug: Back in 3.2.1.0, in order to accommodate running the Control Panel using Mono some hooks were added to the WCF communication layer. Detailed in this commit: https://github.com/tgstation/tgstation-server/commit/2894ea03d708c7f16bab47ba5020c2ad4c3d5554#diff-0ba090ea7073a3a304dfdbdfc512f733 The bug was in this line: https://github.com/tgstation/tgstation-server/commit/2894ea03d708c7f16bab47ba5020c2ad4c3d5554#diff-0ba090ea7073a3a304dfdbdfc512f733R48 authPolicy is passed in by the framework but the documentation for what the parameter is is virtually non-existent: https://docs.microsoft.com/en-us/dotnet/api/system.servicemodel.serviceauthenticatio...
### Summary Grafana allows an attacker in the Viewer role, send alerts by API Alert - Test. The option is not available from the user panel UI for in the Viewer role. **Reason for the error**: The API does not check access to this function and allows it by users with the least rights, for example, the Viewer that does not see this option in the user panel. This enables malicious users to abuse the functionality by sending multiple alert messages (e-mail, slack, etc…), spamming users, prepare Phishing attack or blocked SMTP server / IP and automatically moved all message to spam folder, add to black list IP. ### Details The logged-in user, in the Viewer role, in the user panel, does not have access to the test option of sending an e-mail alert. View of the panel for the user in the Viewer role:  Admin role - View panel for admin role: ![image](https://user-images.github...
OAuth RFC 8252 says https://www.rfc-editor.org/rfc/rfc8252#section-8.6 > the authorization server SHOULD NOT process authorization requests automatically without user consent or interaction, except when the identity of the client can be assured. **This includes the case where the user has previously approved an authorization request for a given client id** But Doorkeeper automatically processes authorization requests without user consent for public clients that have been previous approved. Public clients are inherently vulnerable to impersonation, their identity cannot be assured. Issue https://github.com/doorkeeper-gem/doorkeeper/issues/1589 Fix https://github.com/doorkeeper-gem/doorkeeper/pull/1646