ghsa

### Impact Using jadx-gui to open a special zip file with entry containing HTML sequence like `<html><frame>` will cause interface to get stuck and throw exceptions like: ``` java.lang.RuntimeException: Can't build aframeset, BranchElement(frameset) 1,3 :no ROWS or COLS defined. at java.desktop/javax.swing.text.html.HTMLEditorKit$HTMLFactory.create(HTMLEditorKit.java:1387) at java.desktop/javax.swing.plaf.basic.BasicHTML$BasicHTMLViewFactory.create(BasicHTML.java:379) at java.desktop/javax.swing.text.CompositeView.loadChildren(CompositeView.java:112) ``` ### References https://www.oracle.com/java/technologies/javase/seccodeguide.html Guideline 3-7 / INJECT-7: Disable HTML display in Swing components: Many Swing pluggable look-and-feels interpret text in certain components starting with <html> as HTML. If the text is from an untrusted source, an adversary may craft the HTML such that other components appear to be present or to perform inclusion attacks. To disable the HTML render...

Missing Authentication for Critical Function in GitHub repository ikus060/rdiffweb prior to 2.5.0.

Reactor Netty HTTP Server, in versions 1.0.11 - 1.0.23, may request log headers in some cases of invalid HTTP requests. The logged headers may reveal valid access tokens to those with access to server logs. This may affect only invalid HTTP requests where logging at WARN level is enabled.

Shinken Solutions Shinken Monitoring Version 2.4.3 affected is vulnerable to Incorrect Access Control. The `SafeUnpickler` class found in `shinken/safepickle.py` implements a weak authentication scheme when unserializing objects passed from monitoring nodes to the Shinken monitoring server.

### Impact For some Post/Put Concourse endpoint containing `:team_name` in the URL, a Concourse user can send a request with body including `:team_name=team2` to bypass team scope check to gain access to certain resources belong to any other team. The user only needs a valid user session and belongs to team2. Exploitable endpoints: ``` {Path: "/api/v1/teams/:team_name/pipelines/:pipeline_name/jobs/:job_name/builds/:build_name", Method: "POST", Name: RerunJobBuild}, {Path: "/api/v1/teams/:team_name/pipelines/:pipeline_name/jobs/:job_name/pause", Method: "PUT", Name: PauseJob}, {Path: "/api/v1/teams/:team_name/pipelines/:pipeline_name/jobs/:job_name/unpause", Method: "PUT", Name: UnpauseJob}, {Path: "/api/v1/teams/:team_name/pipelines/:pipeline_name/jobs/:job_name/schedule", Method: "PUT", Name: ScheduleJob}, {Path: "/api/v1/teams/:team_name/pipelines/:pipeline_name/pause", Method: "PUT", Name: PausePipeline}, {Path: "/api/v1/teams/:team_name/pipelines/:pipeline_name/unpause", Method: ...

OctoPrint prior to 1.8.3 is vulnerable to Special Element Injection.

phpMyFAQ versions 3.1.7 and prior are vulnerable to stored cross-site scripting (XSS). A patch is available on the `main` branch of the repository and anticipated to be part of version 3.2.0-alpha.

Jenkins Pipeline: Input Step Plugin 451.vf1a_a_4f405289 and earlier does not restrict or sanitize the optionally specified ID of the `input` step, which is used for the URLs that process user interactions for the given `input` step (proceed or abort) and is not correctly encoded, allowing attackers able to configure Pipelines to have Jenkins build URLs from `input` step IDs that would bypass the CSRF protection of any target URL in Jenkins when the 'input' step is interacted with. Pipeline: Input Step Plugin 456.vd8a_957db_5b_e9 limits the characters that can be used for the ID of input steps in Pipelines to alphanumeric characters and URL-safe punctuation. Pipelines with input steps having IDs with prohibited characters will fail with an error.

Jenkins Generic Webhook Trigger Plugin 1.84.1 and earlier uses a non-constant time comparison function when checking whether the provided and expected webhook token are equal, potentially allowing attackers to use statistical methods to obtain a valid webhook token. Generic Webhook Trigger Plugin 1.84.2 uses a constant-time comparison when validating the webhook token.

Jenkins Pipeline: Supporting APIs Plugin 838.va_3a_087b_4055b and earlier does not sanitize or properly encode URLs of hyperlinks sending POST requests in build logs, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers able to create Pipelines. Pipeline: Supporting APIs Plugin 839.v35e2736cfd5c properly encodes URLs of these hyperlinks in build logs.