GHSA-xv97-c62v-4587: NextAuth.js before 4.10.3 and 3.29.10 sending verification requests (magic link) to unwanted emails

### Impact

`next-auth` users who are using the `EmailProvider` in versions before `4.10.3` or `3.29.10` are affected. If an attacker could forge a request that sent a comma-separated list of emails (e.g. `attacker@attacker.com,victim@victim.com`) to the sign-in endpoint, NextAuth.js would send emails to both the attacker's and the victim's e-mail addresses. The attacker could then log in as a newly created user whose email is `attacker@attacker.com,victim@victim.com`. This means that a basic authorization check like `email.endsWith("@victim.com")` in the `signIn` callback would fail to communicate a threat to the developer and would let the attacker bypass authorization, even with an `@attacker.com` address.

### Patches

We patched this vulnerability in `v4.10.3` and `v3.29.10` by normalizing the email value that is sent to the sign-in endpoint before accessing it anywhere else. We also added a `normalizeIdentifier` callback on the `EmailProvider` configuration, where you can furthe...

GHSA-6hcj-qrw3-m66q: Fava before 1.22.3 vulnerable to reflected cross-site scripting

Fava before 1.22.3 is vulnerable to reflected cross-site scripting due to improper validation on filter conversion.

GHSA-vp56-6g26-6827: node-fetch Inefficient Regular Expression Complexity

[node-fetch](https://www.npmjs.com/package/node-fetch) is a light-weight module that brings window.fetch to node.js. Affected versions of this package are vulnerable to Regular Expression Denial of Service (ReDoS) in the `isOriginPotentiallyTrustworthy()` function in `referrer.js`, when processing a URL string with alternating letters and periods, such as `'http://' + 'a.a.'.repeat(i) + 'a'`.

GHSA-h3qm-jrrf-cgj3: graphql-go through 0.8.0 has infinite recursion in the type definition parser

graphql-go (aka GraphQL for Go) through 0.8.0 has infinite recursion in the type definition parser.

GHSA-jxqv-jcvh-7gr4: Atlantis Events prior to 0.19.7 vulnerable to Timing Attack

The package github.com/runatlantis/atlantis/server/controllers/events before 0.19.7 is vulnerable to a timing attack in the webhook event validator code, which does not use a constant-time comparison function to validate the webhook secret. This can allow an attacker to recover the secret and then forge webhook events.

GHSA-qq3j-44gw-cf6r: Eclipse Californium denial of service (DoS) via Datagram Transport Layer Security (DTLS) handshake on parameter mismatch

In Eclipse Californium versions 2.0.0 to 2.7.2 and 3.0.0 to 3.5.0, a DTLS resumption handshake falls back to a DTLS full handshake on a parameter mismatch without using a HelloVerifyRequest. Especially when used with certificate-based cipher suites, this results in message amplification (DDoS against other peers) and high CPU load (DoS of the peer itself). The misbehavior occurs only with DTLS_VERIFY_PEERS_ON_RESUMPTION_THRESHOLD values larger than 0.

GHSA-4rx6-g5vg-5f3j: Juniper is vulnerable to DoS GraphQL Nested Fragments overflow

### GraphQL behaviour

Nested fragments in GraphQL can be hard to handle depending on the implementation language. Some languages natively support a maximum recursion depth; on most compiled languages, however, you should add a recursion threshold.

```graphql
# Infinite loop example
query {
  ...a
}

fragment a on Query {
  ...b
}

fragment b on Query {
  ...a
}
```

### POC TLDR

With `max_size` being the number of nested fragments generated, at `max_size=7500` it should instantly raise:

![](https://i.imgur.com/wXbUx8l.png)

However, with a lower size, you will overflow the memory after some iterations.

### Reproduction steps (Juniper)

```
git clone https://github.com/graphql-rust/juniper.git
cd juniper
```

Save this POC as `poc.py`:

```python
import requests
import time
import json
from itertools import permutations

print('=== Fragments POC ===')
url = 'http://localhost:8080/graphql'
max_size = 7500
perms = [''.join(p) for p in permutations('abcefghijk')]
perms = perms[:m...
```

GHSA-32ff-4g79-vgfc: Flask-AppBuilder before v4.1.3 allows inference of sensitive information through query strings

### Impact

An authenticated Admin user could craft HTTP requests to filter users by their salted and hashed password strings. These filters could be made using partial hashed password strings. The response would not include the hashed passwords, but an attacker could infer partial password hashes and their respective users. This only applies when using the `AUTH_DB` database authentication option.

### Patches

Fixed in 4.1.3.

### For more information

If you have any questions or comments about this advisory:

* Open an issue in [example link to repo](http://example.com)
* Email us at [example email address](mailto:example@example.com)

GHSA-hrgx-p36p-89q4: PrestaShop eval injection possible if shop vulnerable to SQL injection

### Impact

Eval injection is possible if the shop is vulnerable to an SQL injection.

### Patches

The problem is fixed in version 1.7.8.7.

### Workarounds

Disable the MySQL Smarty cache feature by removing these lines from the file `config/smarty.config.inc.php`, lines 43-46 (PrestaShop 1.7) or 40-43 (PrestaShop 1.6):

```php
if (Configuration::get('PS_SMARTY_CACHING_TYPE') == 'mysql') {
    include _PS_CLASS_DIR_.'Smarty/SmartyCacheResourceMysql.php';
    $smarty->caching_type = 'mysql';
}
```

GHSA-9x8m-2xpf-crp3: Scrapy before v2.6.2 and v1.8.3 vulnerable to one proxy sending credentials to another

### Impact

When the [built-in HTTP proxy downloader middleware](https://docs.scrapy.org/en/2.6/topics/downloader-middleware.html#module-scrapy.downloadermiddlewares.httpproxy) processes a request with `proxy` metadata, and that `proxy` metadata includes proxy credentials, the built-in HTTP proxy downloader middleware sets the `Proxy-Authentication` header, but only if that header is not already set.

There are third-party proxy-rotation downloader middlewares that set different `proxy` metadata every time they process a request. Because of request retries and redirects, the same request can be processed by downloader middlewares more than once, including both the built-in HTTP proxy downloader middleware and any third-party proxy-rotation downloader middleware. These third-party proxy-rotation downloader middlewares could change the `proxy` metadata of a request to a new value, but fail to remove the `Proxy-Authentication` header from the previous value of the `proxy` metadata, caus...