Security Headlines: Latest CVEs

Source: ghsa
GHSA-8qhm-ch8h-xgjr: Remote code execution in JFinal CMS

JFinal CMS v5.1.0 was discovered to contain a remote code execution (RCE) vulnerability via the ActionEnter function.

Tags: #vulnerability #git #rce
GHSA-558p-m34m-vpmq: Potential leak of authentication data to 3rd parties

### Impact

Users of the typed-rest-client library, version 1.7.3 or lower, are vulnerable to leaking authentication data to 3rd parties. The flow of the vulnerability is as follows:

1. Send any request with `BasicCredentialHandler`, `BearerCredentialHandler` or `PersonalAccessTokenCredentialHandler`.
2. The target host may return a redirection (3xx) with a link to a second host.
3. The next request will use the credentials to authenticate with the second host, by setting the `Authorization` header.

The expected behavior is that the next request will *NOT* set the `Authorization` header.

### Patches

The problem was fixed on April 1st 2020.

### Workarounds

There is no workaround.

### References

This is similar to the following issues in nature:

1. [HTTP authentication leak in redirects](https://curl.haxx.se/docs/CVE-2018-1000007.html) - I used the same solution as CURL did.
2. [CVE-2018-1000007](https://nvd.nist.gov/vuln/detail/CVE-2018-1000007).
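The three-step flow above, reproduced in a toy redirect-following client. This is an added example and not typed-rest-client's code: the network is replaced by a constructed table of canned responses, the host names are made up, and the fix applied is the one the advisory references (drop the `Authorization` header when a redirect leaves the original host), tightened here to a full-origin comparison so scheme and port changes are caught as well.

```javascript
// Constructed stand-in for the network: canned responses keyed by URL.
const fakeResponses = {
  'https://api.example.com/old': { status: 301, headers: { location: '/new' }, body: '' },
  'https://api.example.com/new': { status: 200, headers: {}, body: 'same-origin ok' },
  'https://api.example.com/resource': {
    status: 302, headers: { location: 'https://attacker.example.net/collect' }, body: '',
  },
  'https://attacker.example.net/collect': { status: 200, headers: {}, body: 'cross-origin' },
};

// A transport that records every outgoing request (URL plus headers) in `log`.
function fakeTransport(log) {
  return (url, headers) => {
    log.push({ url, headers: { ...headers } });
    const res = fakeResponses[url];
    if (!res) throw new Error('no constructed response for ' + url);
    return res;
  };
}

function sameOrigin(a, b) {
  return new URL(a).origin === new URL(b).origin;
}

// Follows up to maxRedirects 3xx responses. With stripAuthOnCrossOrigin=false this
// is the vulnerable behaviour from the advisory: the Authorization header set for
// the first host is replayed to whatever host the redirect points at.
function followRedirects(transport, url, headers, { stripAuthOnCrossOrigin, maxRedirects = 5 }) {
  let current = url;
  const h = {};
  for (const [k, v] of Object.entries(headers)) h[k.toLowerCase()] = v;
  for (let hop = 0; hop <= maxRedirects; hop++) {
    const res = transport(current, h);
    const loc = res.headers.location;
    if (res.status < 300 || res.status > 399 || !loc) return res;
    const next = new URL(loc, current).toString(); // Location may be relative
    if (stripAuthOnCrossOrigin && !sameOrigin(current, next)) {
      delete h.authorization; // the fix: never carry credentials to a different origin
    }
    current = next;
  }
  throw new Error('too many redirects');
}

// Sends one request carrying a bearer token and returns the list of requests
// that left the client, so the caller can see which ones carried the header.
function trace(startUrl, stripAuthOnCrossOrigin) {
  const log = [];
  followRedirects(fakeTransport(log), startUrl, { Authorization: 'Bearer SECRET_PAT' },
    { stripAuthOnCrossOrigin });
  return log;
}
```

Calling `trace('https://api.example.com/resource', false)` shows the second request, to `attacker.example.net`, still carrying `Bearer SECRET_PAT`; with `true` the header is present only on the first request, while a redirect that stays on `api.example.com` keeps it, which is the behaviour a fix must preserve.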

GHSA-2hp9-3xfr-r9w2: Insufficient token expiration in Serenity

An issue was discovered in Serenity Serene (and StartSharp) before 6.7.0. Password reset links are sent by email. A link contains a token that is used to reset the password. This token remains valid even after the password reset and can be used a second time to change the password of the corresponding user. The token expires only 3 hours after issuance and is sent as a query parameter when resetting. An attacker with access to the browser history can thus use the token again to change the password in order to take over the account.

GHSA-93h6-wx7r-mgfp: Cross Site Scripting (XSS) in Serenity

An XSS issue was discovered in Serenity Serene (and StartSharp) before 6.7.0. When users upload temporary files, some specific file endings are not allowed, but it is possible to upload .html or .htm files containing an XSS payload. The resulting link can be sent to an administrator user.

GHSA-8849-cv9f-vccm: Access bypass in Drupal core

The file download facility doesn't sufficiently sanitize file paths in certain situations. This may result in users gaining access to private files that they should not have access to. Some sites may require configuration changes following this security release. Review the release notes for your Drupal version if you have issues accessing private files after updating.
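What "sufficiently sanitize" has to cover for a private-file download path, as an added example that is not Drupal's code: decode before checking (otherwise `%2e%2e` slips past a literal `..` test), reject NUL bytes, treat backslashes as separators, and resolve on path segments rather than searching for a substring. The base directory and file names are constructed.

```javascript
// Resolves a user-supplied path inside baseDir. Returns null whenever the
// request would leave baseDir, names the directory itself, or is malformed.
function resolvePrivatePath(baseDir, requested) {
  let decoded;
  try {
    decoded = decodeURIComponent(requested);
  } catch {
    return null; // malformed percent-encoding
  }
  if (decoded.includes('\0')) return null; // NUL truncation in C-based file APIs
  const segments = [];
  for (const seg of decoded.split(/[\\/]+/)) { // backslash counts as a separator
    if (seg === '' || seg === '.') continue;
    if (seg === '..') {
      if (segments.length === 0) return null; // would climb above baseDir
      segments.pop();
      continue;
    }
    segments.push(seg);
  }
  if (segments.length === 0) return null; // baseDir itself is not a file
  return baseDir.replace(/\/+$/, '') + '/' + segments.join('/');
}
```

A leading slash in the request is dropped, so `/etc/passwd` becomes `<baseDir>/etc/passwd` rather than an absolute path; double-encoded traversal (`%252e%252e`) decodes once to the literal segment `%2e%2e`, which is a harmless file name lookup that fails.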

GHSA-2x3r-7jgm-gh8x: Remote code execution in Voyager

An insecure-permission vulnerability in Voyager v1.4 and earlier allows a remote attacker to execute arbitrary code via a crafted .php file submitted to the media component.
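Both the Serenity .html upload and the Voyager .php upload above are the same mistake: a denylist of "dangerous" endings that does not include the one the attacker needs. The example below, added here and not taken from either project, puts that denylist beside an allowlist check and the response headers a download endpoint should send so that a file which does get through is not rendered in the site's origin. The extension sets are constructed for illustration.

```javascript
// Constructed denylist of the kind the advisories describe: it happens not to
// list .html/.htm or .php, so those uploads go straight through.
const DENYLIST = new Set(['exe', 'bat', 'cmd', 'js', 'vbs']);

// Constructed allowlist: only formats the application actually needs.
const ALLOWLIST = new Set(['png', 'jpg', 'jpeg', 'gif', 'webp', 'pdf', 'txt', 'csv']);

// Every suffix after the first dot of the basename, lowercased, so
// "shell.php.png" yields ["php", "png"] and ".htaccess" yields ["htaccess"].
function extensions(filename) {
  const base = filename.split(/[\\/]/).pop();
  const parts = base.toLowerCase().split('.');
  return parts.length > 1 ? parts.slice(1) : [];
}

// Vulnerable: only the last extension is checked, and only against a short denylist.
function denylistAccepts(filename) {
  const exts = extensions(filename);
  return exts.length > 0 && !DENYLIST.has(exts[exts.length - 1]);
}

// Hardened: every extension must be allowlisted (so "shell.php.png" is refused,
// since some Apache mod_mime setups execute it) and a trailing dot or space is
// refused because Windows strips it when the file is written.
function allowlistAccepts(filename) {
  if (/[\s.]$/.test(filename)) return false;
  const exts = extensions(filename);
  if (exts.length === 0) return false;
  return exts.every((e) => ALLOWLIST.has(e));
}

// Headers for serving user uploads: force download, forbid MIME sniffing, and
// sandbox the response so a stray .html cannot run script in the site's origin.
function downloadHeaders(filename) {
  const safeName = filename.replace(/[^\w.-]/g, '_');
  return {
    'Content-Disposition': `attachment; filename="${safeName}"`,
    'X-Content-Type-Options': 'nosniff',
    'Content-Security-Policy': "default-src 'none'; sandbox",
  };
}
```

The allowlist is the control that matters; the headers are defence in depth for the case the advisory for Serenity describes, where the attacker needs an administrator to open the uploaded page in the site's origin.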

GHSA-f737-3fh6-jf6w: Prototype Pollution in vConsole

vConsole v3.15.0 was discovered to contain a prototype pollution vulnerability due to incorrect key and value resolution in `setOptions` in `core.ts`.
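The shape of the bug, as an added example that is not vConsole's code: an options merger written the way many `setOptions`-style helpers are (recursive copy of caller-supplied keys into a defaults object) next to a hardened version. Only the general pattern is taken from the advisory; the payload and option names are constructed.

```javascript
const UNSAFE_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

function isPlainObject(v) {
  return v !== null && typeof v === 'object' && !Array.isArray(v);
}

// Vulnerable: keys from untrusted input are written straight through. With a key
// of "__proto__", target[key] resolves to Object.prototype and the recursion
// writes the attacker's properties onto it.
function mergeUnsafe(target, source) {
  for (const key in source) {
    const val = source[key];
    if (isPlainObject(val)) {
      if (!isPlainObject(target[key])) target[key] = {};
      mergeUnsafe(target[key], val);
    } else {
      target[key] = val;
    }
  }
  return target;
}

// Hardened: skip prototype-affecting keys, copy own properties only, and create
// nested objects with no prototype so there is nothing reachable to pollute.
function mergeSafe(target, source) {
  for (const key of Object.keys(source)) {
    if (UNSAFE_KEYS.has(key)) continue;
    const val = source[key];
    if (isPlainObject(val)) {
      if (!Object.prototype.hasOwnProperty.call(target, key) || !isPlainObject(target[key])) {
        target[key] = Object.create(null);
      }
      mergeSafe(target[key], val);
    } else {
      target[key] = val;
    }
  }
  return target;
}

// JSON.parse yields an own property literally named "__proto__" (an object
// literal would not), which is how such payloads arrive over the wire.
const payload = JSON.parse('{"theme":"dark","__proto__":{"polluted":"yes"}}');

function demoUnsafe() {
  mergeUnsafe({}, payload);
  const leaked = ({}).polluted;      // "yes": every object now has it
  delete Object.prototype.polluted;  // undo so the rest of the process is unaffected
  return leaked;
}

function demoSafe() {
  const opts = mergeSafe({ theme: 'light' }, payload);
  return { theme: opts.theme, leaked: ({}).polluted }; // { theme: 'dark', leaked: undefined }
}
```

The `constructor` and `prototype` keys are skipped for the same reason: `source.constructor.prototype` is another route to `Object.prototype` in mergers that descend through function-valued properties.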

GHSA-jh3w-6jp2-vqqm: Missing permission check of canView in GridFieldPrintButton

The GridField print view incorrectly validates the permission of DataObjects potentially allowing a content author to view records they are not authorised to access. Upgrade to `silverstripe/framework` 4.12.5 or above to address the issue. Reported by Stephan Bauer from [relaxt Webdienstleistungsagentur GmbH](https://www.relaxt.at/)

GHSA-fw84-xgm8-9jmv: Open redirect vulnerability on CMSSecurity relogin screen

An attacker can display a link to a third party website on a login screen by convincing a legitimate content author to follow a specially crafted link. Upgrade to `silverstripe/framework` 4.12.5 or above to remedy the vulnerability. Reporter: Matthew Dekker
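A same-site check for a post-login return URL, as an added example that is not SilverStripe's code. The rule is "relative path or same-origin absolute URL, otherwise a fixed default"; the comparison is done on the parsed origin rather than on the string, because browsers read `//evil.example` and `/\evil.example` as absolute URLs even though neither starts with a scheme. The site origin, parameter name and fallback path are assumptions.

```javascript
// Returns a path on the current site to redirect to after login, or `fallback`
// when `backURL` would leave the site. `siteOrigin` is the origin the login page
// is served from, e.g. 'https://site.example'.
function safeBackURL(backURL, siteOrigin, fallback = '/admin') {
  if (typeof backURL !== 'string' || backURL.length === 0) return fallback;
  let parsed;
  try {
    parsed = new URL(backURL, siteOrigin); // relative inputs resolve against the site
  } catch {
    return fallback; // unparseable input
  }
  // Covers scheme changes (https -> http), foreign hosts, userinfo tricks such as
  // "https://site.example@evil.example/", and non-http schemes like javascript:,
  // whose origin is the opaque "null".
  if (parsed.origin !== new URL(siteOrigin).origin) return fallback;
  // Hand back a site-relative path so nothing absolute reaches the Location header.
  return parsed.pathname + parsed.search + parsed.hash;
}
```

Returning only path, query and fragment is deliberate: once the origin has been verified there is no reason to echo the attacker-controlled scheme and host back to the browser.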

GHSA-9wh7-397j-722m: Ironic and ironic-inspector may expose credentials as ConfigMaps

### Impact

Ironic and ironic-inspector deployed within Baremetal Operator using the included `deploy.sh` store their `.htpasswd` files as ConfigMaps instead of Secrets. This causes the plain-text username and hashed password to be readable by anyone with cluster-wide read access to the management cluster, or with access to the management cluster's etcd storage.

### Patches

This issue is patched in [baremetal-operator PR#1241](https://github.com/metal3-io/baremetal-operator/pull/1241), and is included in BMO release 0.3.0 onwards.

### Workarounds

Users may modify the kustomizations and redeploy the BMO, or recreate the required ConfigMaps as Secrets per the instructions in [baremetal-operator PR#1241](https://github.com/metal3-io/baremetal-operator/pull/1241). Moving the data into a Secret narrows who can read it through the API, since RBAC grants on Secrets are separate from those on ConfigMaps, but it is only base64-encoded in etcd unless encryption at rest is configured for the cluster.