ghsa

### Impact IRC allows you to specify multiple modes in a single mode command. Due to a bug in the underlying matrix-org/node-irc library, affected versions of matrix-appservice-irc perform parsing of such modes incorrectly, potentially resulting in the wrong user being given permissions. Mode commands can only be executed by privileged users, so this can only be abused if an operator is tricked into running the command on behalf of an attacker. ### Patches The vulnerability has been patched in matrix-appservice-irc 0.35.0. ### Workarounds Refrain from entering mode commands suggested by untrusted users. Avoid using multiple modes in a single command. ### References - https://matrix.org/blog/2022/09/02/security-release-of-matrix-appservice-irc-0-35-0-high-severity ### Credits Discovered and reported by [Val Lorentz](https://valentin-lorentz.fr/). ### For more information If you have any questions or comments about this advisory email us at [security@matrix.org](mailto:securi...

### Impact Attackers can specify a specific string of characters, which would confuse the bridge into combining an attacker-owned channel and an existing channel, allowing them to grant themselves permissions in the channel. ### Patched The vulnerability has been patched in matrix-appservice-irc 0.35.0. ### Workarounds Disable dynamic channel joining via `dynamicChannels.enabled` to prevent users from joining new channels, which prevents any new channels being bridged outside of what is already bridged, and what is specified in the config. ### References - https://matrix.org/blog/2022/09/02/security-release-of-matrix-appservice-irc-0-35-0-high-severity ### Credits Discovered and reported by [Val Lorentz](https://valentin-lorentz.fr/). ### For more information If you have any questions or comments about this advisory email us at [security@matrix.org](mailto:security@matrix.org).

Microsoft is releasing this security advisory to provide information about a vulnerability in .NET Core 3.1 and .NET 6.0. This advisory also provides guidance on what developers can do to update their applications to remove this vulnerability. A denial of service vulnerability exists in ASP.NET Core 3.1 and .NET 6.0 where a malicious client could cause a stack overflow which may result in a denial of service attack when an attacker sends a customized payload that is parsed during model binding. ## <a name="affected-software"></a>Affected software * Any .NET 6.0 application running on .NET 6.0.8 or earlier. * Any ASP.NET Core 3.1 application running on .NET Core 3.1.28 or earlier. If your application uses the following package versions, ensure you update to the latest version of .NET. ### <a name="ASP.NET Core 3.1"></a>.NET Core 3.1 Package name | Affected version | Patched version ------------ | ---------------- | ------------------------- [Microsoft.AspNetCore.App.Runtime.linux-arm]...

`<bytes::Bytes as axum_core::extract::FromRequest>::from_request` would not, by default, set a limit for the size of the request body. That meant if a malicious peer would send a very large (or infinite) body your server might run out of memory and crash. This also applies to these extractors which used `Bytes::from_request` internally: - `axum::extract::Form` - `axum::extract::Json` - `String` The fix is also in `axum-core` `0.3.0.rc.2` but `0.3.0.rc.1` _is_ vulnerable. Because `axum` depends on `axum-core` it is vulnerable as well. The vulnerable versions of `axum` are `<= 0.5.15` and `0.6.0.rc.1`. `axum` `>= 0.5.16` and `>= 0.6.0.rc.2` does have the fix and are not vulnerable. The patched versions will set a 2 MB limit by default.

### Impact Pageflow has a membership edit feature which allows users to edit the roles of user memberships associated with an account that they have the `manager` role to (including their own). While the `Entity` dropdown select field is greyed out in the UI, an attacker can use tools which allow sending arbitrary HTTP request to craft a request to the `/admin/users/{user_id}/memberships/{membership_id}` endpoint containing an additional `membership[entity_id]` parameter. This parameter is honored when the membership is updated, allowing an attacker to update the membership object associated with their own account (with `manager` role) to be associated with a different attacker-chosen account instead. Since `account_id`s are enumerable, an attacker can compromise all accounts present on the platform. ### Mitigation Upgrade to version 15.7.1 or 14.5.2 of the `pageflow` gem. ### For more information If you have any questions or comments about this advisory email us at info(at)codevi...

### Impact The attack allows extracting sensitive properties of database objects that are associated with users or entries belonging to an account that the attacker has access to. Pageflow uses the `ActiveAdmin` Ruby library to provide some management features to its users. `ActiveAdmin` relies on the `Ransack` library to implement search functionality. In its default configuration, `Ransack` will allow for query conditions based on properties of associated database objects [1]. The `*_starts_with`, `*_ends_with` or `*_contains` search matchers [2] can then be abused to exfiltrate sensitive string values of associated database objects via character-by-character brute-force. [1] https://activerecord-hackery.github.io/ransack/going-further/associations/ [2] https://activerecord-hackery.github.io/ransack/getting-started/search-matches/ ### Mitigation Upgrade to version 15.7.1 or 14.5.2 of the `pageflow` gem. ### For more information If you have any questions or comments about this ...

### Impact Users with the permission to create VMIs can construct VMI specs which allow them to read arbitrary files on the host. There are three main attack vectors: 1. Some path fields on the VMI spec were not properly validated and allowed passing in relative paths which would have been mounted into the virt-launcher pod. The fields are: `spec.domain.firmware.kernelBoot.container.kernelPath`, `spec.domain.firmware.kernelBoot.container.initrdPath` as well as `spec.volumes[*].containerDisk.path`. Example: ```yaml apiVersion: [kubevirt.io/v1](http://kubevirt.io/v1) kind: VirtualMachineInstance metadata: name: vmi-fedora spec: domain: devices: disks: - disk: bus: virtio name: containerdisk - disk: bus: virtio name: cloudinitdisk - disk: bus: virtio name: containerdisk1 rng: {} resources: requests: memory: 1024M terminationGracePeriodSeconds: 0 volumes: - containerDisk:...

Server-Side Request Forgery (SSRF) in GitHub repository ionicabizau/parse-url prior to 8.1.0.

A Host Header Injection vulnerability in Feehi CMS 2.1.1 may allow an attacker to spoof a particular header. This can be exploited by abusing password reset emails.

Cross site scripting (XSS) vulnerability in ouqiang gocron through 1.5.3, allows attackers to execute arbitrary code via scope.row.hostname in web/vue/src/pages/taskLog/list.vue.