Source
ghsa
### Impact An authenticated malicious actor with Admin privileges, could by adding a special character on the add, edit User forms trigger a database error, this error is surfaced back to this actor on the UI. On certain database engines this error can include the entire user row including the pbkdf2:sha256 hashed password. ### Patches Fixed on 4.3.2
## Summary The fork of `org.cyberneko.html` used by Nokogiri (Rubygem) raises a `java.lang.OutOfMemoryError` exception when parsing ill-formed HTML markup. ## Severity The maintainers have evaluated this as [**High Severity** 7.5 (CVSS3.1)](https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H). ## Mitigation Upgrade to `>= 1.9.22.noko2`. ## Credit This vulnerability was reported by [이형관 (windshock)](https://www.linkedin.com/in/windshock/). ## References [CWE-400](https://cwe.mitre.org/data/definitions/400.html) Uncontrolled Resource Consumption ## Notes The upstream library `org.cyberneko.html` is no longer maintained. Nokogiri uses its own fork of this library located at https://github.com/sparklemotion/nekohtml and this CVE applies only to that fork. Other forks of nekohtml may have a similar vulnerability.
funadmin v3.3.2 and v3.3.3 are vulnerable to insecure file upload via the plugins install.
Casdoor v1.331.0 and below was discovered to contain a Cross-Site Request Forgery (CSRF) in the endpoint `/api/set-password`. This vulnerability allows attackers to arbitrarily change the victim user's password via supplying a crafted URL.
laravel-s prior to 3.7.36 is vulnerable to Local File Inclusion via `/src/Illuminate/Laravel.php`.
All versions of the package word-wrap are vulnerable to Regular Expression Denial of Service (ReDoS) due to the usage of an insecure regular expression within the result variable.
### Summary The current cryptography implementation in Sliver up to version 1.5.39 allows a MitM with access to the corresponding implant binary to execute arbitrary codes on implanted devices via intercepted and crafted responses. (Reserved CVE ID: CVE-2023-34758) ### Details Please see [the PoC repo](https://github.com/tangent65536/Slivjacker). ### PoC Please also see [the PoC repo](https://github.com/tangent65536/Slivjacker). To setup a simple PoC environment, 1. Generate an implant with its C2 set to the PoC server's address and copy the embedded private implant key and public server key into the config json. 2. Run the implant on a separate VM and a `notepad.exe` window should pop up on the implanted VM. ### Impact A successful attack grants the attacker permission to execute arbitrary code on the implanted device. ### References https://github.com/BishopFox/sliver/blob/master/implant/sliver/cryptography/implant.go https://github.com/BishopFox/sliver/blob/master/...
When this function was passed an empty string, `openssl` would attempt to call `strlen` on it, reading arbitrary memory until it reached a NUL byte.
On Windows, it is possible to open a `livebook://` link from a browser which opens Livebook Desktop and triggers arbitrary code execution on victim's machine. Any user using Livebook Desktop on Windows is potentially vulnerable to arbitrary code execution when they expect Livebook to be opened from browser.
memoffset allows attempt of reading data from address `0` with arbitrary type. This behavior is an undefined behavior because address `0` to `std::mem::size_of<T>` may not have valid bit-pattern with `T`. Old implementation dereferences uninitialized memory obtained from `std::mem::align_of`. Older implementation prior to it allows using uninitialized data obtained from `std::mem::uninitialized` with arbitrary type then compute offset by taking the address of field-projection. This may also result in an undefined behavior for "father" that includes (directly or transitively) type that [does not allow to be uninitialized](https://doc.rust-lang.org/nightly/reference/behavior-considered-undefined.html). This flaw was corrected by using `std::ptr::addr_of` in <https://github.com/Gilnaa/memoffset/pull/50>.