ghsa

A vulnerability in the LIEF::MachO::SegmentCommand::virtual_address function of LIEF v0.12.1 allows attackers to cause a denial of service (DOS) through a segmentation fault via a crafted MachO file. A [patch](https://github.com/lief-project/LIEF/commit/24935f654f6df700a9a062298258b9485f584502) is available at commit number 24935f654f6df700a9a062298258b9485f584502.

### Impact If the untrusted v8 cached data is passed to the API through CachedDataOptions, the attackers can bypass the sandbox and run arbitrary code in the nodejs process. There are currently no known fixed versions or workarounds.

When matrix-nio before 0.20 requests a room key from our devices, it correctly accepts key forwards only if they are a response to a previous request. However, it doesn't check that the device that responded matches the device the key was requested from. This allows a malicious homeserver to insert room keys of questionable validity into the key store in some situations, potentially assisting in an impersonation attack. ### For more information If you have any questions or comments about this advisory, e-mail us at [poljar@termina.org.uk](mailto:poljar@termina.org.uk).

### Impact When matrix-rust-sdk before 0.6 requests a room key from our devices, it correctly accepts key forwards only if they are a response to a previous request. However, it doesn't check that the device that responded matches the device the key was requested from. This allows a malicious homeserver to insert room keys of questionable validity into the key store in some situations, potentially assisting in an impersonation attack. Note that even if key injection succeeds in this way, all forwarded keys have the `imported` flag set, which is used as an indicator that such keys have lesser authentication properties (and should be marked as such in clients, e.g. with a grey shield besides the message). ### For more information If you have any questions or comments about this advisory, e-mail us at [security@matrix.org](mailto:security@matrix.org).

## Impact An attacker cooperating with a malicious homeserver could interfere with the verification flow between two users, injecting its own cross-signing user identity in place of one of the users’ identities, leading to the other device trusting/verifying the user identity under the control of the homeserver instead of the intended one. The vulnerability is a bug in the matrix-js-sdk, caused by checking and signing user identities and devices in two separate steps, and inadequately fixing the keys to be signed between those steps. Even though the attack is partly made possible due to the design decision of treating cross-signing user identities as Matrix devices on the server side (with their device ID set to the public part of the user identity key), no other examined implementations were vulnerable. ## Patches The matrix-js-sdk has been modified to double check that the key signed is the one that was verified instead of just referencing the key by ID. An additional check has ...

### Impact Applications that use `next-auth` Email Provider and `@next-auth/upstash-redis-adapter` before v3.0.2 are affected. ### Description The Upstash Redis adapter implementation did not check for both the identifier (email) and the token, but only checking for the identifier when verifying the token in the email callback flow. An attacker who knows about the victim's email could easily sign in as the victim, given the attacker also knows about the verification token's expired duration. ### Patches The vulnerability is patched in v3.0.2. To upgrade, run one of the following: ``` npm i @next-auth/upstash-redis-adapter@latest ``` ``` yarn add @next-auth/upstash-redis-adapter@latest ``` ``` pnpm add @next-auth/upstash-redis-adapter@latest ``` ### Workarounds Using Advanced Initialization, developers can check the requests and compare the query's token and identifier before proceeding. Below is an example of how to do this: (Upgrading is still strongly recommended) ```js import {...

# Description When using the filesystem loader to load templates for which the name is a user input, it is possible to use the `source` or `include` statement to read arbitrary files from outside the templates directory when using a namespace like `@somewhere/../some.file` (in such a case, validation is bypassed). # Resolution We fixed validation for such template names. Even if the 1.x branch is not maintained anymore, a new version has been released. # Credits We would like to thank Dariusz Tytko for reporting the issue and Fabien Potencier for fixing the issue.

### Impact This vulnerability allows remote attackers to execute arbitrary code on affected installations of Orckestra C1 CMS. Authentication is required to exploit this vulnerability. The authenticated user may perform the actions unknowingly by visiting a specially crafted site. ### Patches Patched in C1 CMS v6.13 ### Workarounds Upgrade to C1 CMS v6.13 or newer is required ### Credit This issue was discovered and reported by Markus Wulftange / [Code White Research](https://code-white.com/en/).

### Impact A XSS vulnerability in the provided (outdated) Swagger-UI is exploitable in applications using lithium with Swagger-UI enabled. This allows an attacker gain Remote Code Execution (RCE) and potentially exfiltrate secrets in the context of this swagger session. ### Patches The used swagger-ui was updated by switching to the latest version of dropwizard-swagger in 8b9b406d608fe482ec0e7adf8705834bca92d7df ### Workarounds The risk of injected external content can be reduced by setting up a [Content-Security-Policy](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy). ### References * https://www.vidocsecurity.com/blog/hacking-swagger-ui-from-xss-to-account-takeovers/ ### Credits We thank [Mohit Kumar](https://www.linkedin.com/in/mohit-kumar-4ab6b3bb) for reporting this vulnerability!

### Impact An attacker cooperating with a malicious homeserver can construct messages that legitimately appear to have come from another person, without any indication such as a grey shield. Additionally, a sophisticated attacker cooperating with a malicious homeserver could employ this vulnerability to perform a targeted attack in order to send fake to-device messages appearing to originate from another user. This can allow, for example, to inject the key backup secret during a self-verification, to make a targeted device start using a malicious key backup spoofed by the homeserver. matrix-android-sdk2 would then additionally sign such a key backup with its device key, spilling trust over to other devices trusting the matrix-android-sdk2 device. These attacks are possible due to a protocol confusion vulnerability that accepts to-device messages encrypted with Megolm instead of Olm. ### Patches matrix-android-sdk2 has been modified to only accept Olm-encrypted to-device messages a...