Security
Headlines
GHSA-3mmh-vq9w-4c3g: Microweber vulnerable to Reflected Cross-site Scripting

Microweber versions 1.3.1 and prior are vulnerable to Reflected Cross-site Scripting (XSS). A patch is available on the 1.4, dev, and laravel-sail branches.

GHSA-9p8j-hrgf-jc2g: Apache Zeppelin Cross-site Scripting vulnerability

An Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Apache Zeppelin allows logged-in users to execute arbitrary JavaScript in other users' browsers. This issue affects Apache Zeppelin before 0.8.2. Users are recommended to upgrade to a supported version of Zeppelin.

GHSA-m3q4-7qmj-657m: OpenFGA Authorization Bypass

### Overview

During our internal security assessment, it was discovered that OpenFGA version v0.3.0 is vulnerable to authorization bypass under certain conditions.

### Am I Affected?

You are affected by this vulnerability if **all** of the following apply:

1. You are using OpenFGA v0.3.0
2. You created a model using modeling language v1.1 that applies a type restriction to an object, e.g. `define viewer: [user]`
3. You created tuples based on the aforementioned model, e.g. `document:1#viewer@user:jon`
4. You updated the previous model by adding a new type and replacing the previous restriction with the newly added type, e.g. `define viewer: [employee]`
5. You use the tuples created against the first model (step 3) and issue checks against the updated model, e.g. `user=user:jon, relation=viewer, object:document:1`

### How to fix that?

Upgrade to version v0.3.1.

### Backward Compatibility

This update is backward compatible.

GHSA-wcwm-c3mr-pxcr: easy-static-server vulnerable to Directory Traversal

All versions of package easy-static-server are vulnerable to Directory Traversal due to missing input sanitization and sandboxing of the req.url user input that is passed to the server code.

GHSA-89w7-5q45-r53w: lite-server vulnerable to Denial of Service

All versions of package lite-server are vulnerable to Denial of Service (DoS) when an attacker sends an HTTP request and includes control characters that the decodeURI() function is unable to parse.

GHSA-jfm8-hwhg-r6gg: p4 vulnerable to Command Injection due to improper input sanitization

The package p4 before 0.0.7 is vulnerable to Command Injection via the run() function due to improper input sanitization.

GHSA-33vh-7x8q-mg35: safe-eval vulnerable to Prototype Pollution

All versions of package safe-eval are vulnerable to Prototype Pollution, which allows an attacker to add or modify properties of Object.prototype when using the function safeEval. This is because the function uses the `vm` module, allowing an attacker to modify properties of Object.prototype.

GHSA-54r5-wr8x-x5v3: Apiman has insufficient checks for read permissions

Apiman 1.5.7 through 2.2.3.Final has insufficient checks for read permissions within the Apiman Manager REST API. The root cause of the issue is the Apiman project's accidental acceptance of a large contribution that was not fully compatible with the security model of Apiman versions before 3.0.0.Final. Because of this, 3.0.0.Final is not affected by the vulnerability.

GHSA-h4q8-96p6-jcgr: ghinstallation returns app JWT in error responses

### Impact

In ghinstallation v1, when the request to refresh an installation token failed, the HTTP request and response would be returned for debugging: https://github.com/bradleyfalzon/ghinstallation/blob/24e56b3fb7669f209134a01eff731d7e2ef72a5c/transport.go#L172-L174

The request contained the bearer JWT for the App, and was returned to clients. This token is short lived (10 minute maximum).

### Patches

- This has already been patched in d24f14f8be70d94129d76026e8b0f4f9170c8c3e, and is available in releases >= v2.0.0.

### References

- See https://docs.github.com/en/developers/apps/building-github-apps/authenticating-with-github-apps#authenticating-as-an-installation for the App installation flow.

### For more information

If you have any questions or comments about this advisory:

* Open an issue in [ghinstallation](https://github.com/bradleyfalzon/ghinstallation)

GHSA-cq2g-pw6q-hf7j: Cortex's Alertmanager can expose local files content via specially crafted config

### Impact

A local file inclusion vulnerability exists in Cortex versions v1.13.0, v1.13.1 and v1.14.0, where a malicious actor could remotely read local files as a result of parsing maliciously crafted Alertmanager configurations when submitted to the [Alertmanager Set Configuration API](https://cortexmetrics.io/docs/api/#set-alertmanager-configuration). Only users of the Cortex Alertmanager service using `-experimental.alertmanager.enable-api` or `enable_api: true` are affected.

### Patches

Affected Cortex users are advised to upgrade to v1.13.2 or v1.14.1.

### Workarounds

Patching is ultimately advised. As a workaround, using out-of-band validation, Cortex administrators may reject Alertmanager configurations containing the `api_key_file` setting in the `opsgenie_configs` section and `opsgenie_api_key_file` in the `global` section before sending them to the [Set Alertmanager Configuration API](https://cortexmetrics.io/docs/api/#set-alertmanager-configuration).

### References

- Fixed ...
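The workaround above, as an added example that is not Cortex's own code: a pre-submission check that flags the two settings the advisory says to reject. It assumes the Alertmanager configuration has already been parsed into Python dicts and lists (for example with yaml.safe_load); both sample configurations are constructed for illustration.

```python
# Added example (not Cortex project code). Implements the advisory's
# out-of-band validation: reject configs that set `opsgenie_api_key_file`
# under `global` or `api_key_file` inside any `opsgenie_configs` entry.
# Input is assumed to be an already-parsed config (dicts/lists).

def find_file_inclusion_settings(config):
    """Return JSON-pointer-style paths of every rejected setting found."""
    findings = []

    glob = config.get("global")
    if isinstance(glob, dict) and "opsgenie_api_key_file" in glob:
        findings.append("/global/opsgenie_api_key_file")

    def walk(node, path):
        # opsgenie_configs normally lives under receivers[], but walk the
        # whole tree so a misplaced or nested copy is still caught.
        if isinstance(node, dict):
            for key, value in node.items():
                if key == "opsgenie_configs" and isinstance(value, list):
                    for i, entry in enumerate(value):
                        if isinstance(entry, dict) and "api_key_file" in entry:
                            findings.append(f"{path}/opsgenie_configs/{i}/api_key_file")
                walk(value, f"{path}/{key}")
        elif isinstance(node, list):
            for i, item in enumerate(node):
                walk(item, f"{path}/{i}")

    walk(config, "")
    return findings


def is_safe_to_submit(config):
    """True only when no file-reading setting is present."""
    return not find_file_inclusion_settings(config)


# Constructed sample: a tenant config that points both settings at server paths.
SAMPLE_REJECTED = {
    "global": {"opsgenie_api_key_file": "/placeholder/path/a"},
    "route": {"receiver": "ops"},
    "receivers": [
        {"name": "ops", "opsgenie_configs": [{"api_key_file": "/placeholder/path/b"}]},
    ],
}

# Constructed sample: same shape, inline keys instead of file references.
SAMPLE_ACCEPTED = {
    "global": {"opsgenie_api_key": "PLACEHOLDER-KEY"},
    "route": {"receiver": "ops"},
    "receivers": [{"name": "ops", "opsgenie_configs": [{"api_key": "PLACEHOLDER-KEY"}]}],
}
```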