GHSA-qvc4-78gw-pv8p: Adversarial use of `make_bitflags!` macro can cause undefined behavior

The macro relied on an expression of the form `Enum::Variant` always being a variant of the enum. However, it may also be an associated integer constant, in which case there is no guarantee that the value of said constant consists only of bits valid for this bitflag type. Thus, code like this could create an invalid `BitFlags<Test>`, which would cause iterating over it to trigger undefined behavior. As the debug formatter internally iterates over the value, it is also affected.

```rust
use enumflags2::{bitflags, make_bitflags};

#[bitflags]
#[repr(u8)]
#[derive(Copy, Clone, Debug)]
enum Test {
    A = 1,
    B = 2,
}

impl Test {
    // An associated constant, not a variant: 69 has bits outside A | B.
    const C: u8 = 69;
}

fn main() {
    let x = make_bitflags!(Test::{C});
    // printing or iterating over x is UB
}
```

GHSA-7x6q-3v3m-cwjg: Kiwi TCMS allows users to update their email address to an unverified one

### Impact

In previous versions of Kiwi TCMS users were able to update their email addresses via the "My profile" admin page. This page allowed them to change the email address registered with their account without the ownership verification performed during account registration.

### Patches

With Kiwi TCMS v12.2 or later it is not possible to edit the email field associated with a user account!

### Workarounds

No workaround exists.

### References

Disclosed by [@novemberdad](https://huntr.dev/bounties/1714df73-e639-4d64-ab25-ced82dad9f85/).

GHSA-f9xv-q969-pqx4: Uncaught Exception in yaml

Uncaught Exception in GitHub repository eemeli/yaml prior to 2.2.2.

GHSA-4r6h-8v6p-xvw6: Prototype Pollution in sheetJS

All versions of SheetJS CE through 0.19.2 are vulnerable to "Prototype Pollution" when reading specially crafted files. Workflows that do not read arbitrary files (for example, exporting data to spreadsheet files) are unaffected.

GHSA-3862-c622-v4fp: Cross-site Scripting in Backdrop CMS

A stored Cross-site scripting (XSS) issue in Text Editors and Formats in Backdrop CMS before 1.24.2 allows remote attackers to inject arbitrary web script or HTML via the name parameter. When a user is editing any content type (e.g., page, post, or card) as an admin, the stored XSS payload is executed upon selecting a malicious text formatting option. NOTE: the vendor disputes the security relevance of this finding because "any administrator that can configure a text format could easily allow Full HTML anywhere."

GHSA-h83h-77x2-6w6g: Information exposure in microweber

Exposure of Private Personal Information to an Unauthorized Actor in GitHub repository microweber/microweber prior to 1.3.4.

GHSA-ch5w-2994-6h82: Cross-site Scripting in thorsten/phpmyfaq

Stored Cross-site Scripting (XSS) in GitHub repository thorsten/phpmyfaq prior to 3.1.12.

GHSA-r6xq-xcxc-fghx: Improper Privilege Management in microweber

Improper Privilege Management in GitHub repository microweber/microweber prior to 1.3.4.

GHSA-4m3m-ppvx-xgw9: Session fixation in fastify-passport

Applications using `@fastify/passport` for user authentication, in combination with `@fastify/session` as the underlying session management mechanism, are vulnerable to [session fixation attacks](https://owasp.org/www-community/attacks/Session_fixation) from network and same-site attackers.

## Details

fastify applications rely on the `@fastify/passport` library for user authentication. The login and user validation are performed by the `authenticate` function. When executing this function, the `sessionId` is preserved between the pre-login and the authenticated session. Network and [same-site attackers](https://canitakeyoursubdomain.name/) can hijack the victim's session by tossing a valid `sessionId` cookie in the victim's browser and waiting for the victim to log in on the website.

## Fix

As a solution, newer versions of `@fastify/passport` regenerate `sessionId` upon login, preventing the attacker-controlled pre-session cookie from being upgraded to an authenticated session.

## C...

GHSA-2ccf-ffrj-m4qw: CSRF token fixation in fastify-passport

The [CSRF](https://owasp.org/www-community/attacks/csrf) protection enforced by the `@fastify/csrf-protection` library, when combined with `@fastify/passport`, can be bypassed by network and same-site attackers.

## Details

`fastify/csrf-protection` implements the [synchronizer token pattern](https://cheatsheetseries.owasp.org/cheatsheets/Cross-Site_Request_Forgery_Prevention_Cheat_Sheet.html#synchronizer-token-pattern) (using plugins `@fastify/session` and `@fastify/secure-session`) by storing a random value used for CSRF token generation in the `_csrf` attribute of a user's session. The `@fastify/passport` library does not clear the session object upon authentication, preserving the `_csrf` attribute between pre-login and authenticated sessions. Consequently, CSRF tokens generated before authentication are still valid. Network and [same-site attackers](https://canitakeyoursubdomain.name/) can thus obtain a CSRF token for their pre-session, fixate that pre-session in the victim's bro...