ghsa

Cross Site Request Forgery vulnerability found in Phachon mm-wiki v.0.1.2 allows a remote attacker to execute arbitrary code via the system/user/save parameter.

An issue found in Directus API v.2.2.0 allows a remote attacker to cause a denial of service via a great amount of HTTP requests.

Cross-site Scripting vulnerability found in Pandao Editor.md v.1.5.0 allows a remote attacker to execute arbitrary code via a crafted script in the `<iframe> src` parameter.

SQL Injection vulnerability found in Ming-Soft MCMS v.4.7.2 allows a remote attacker to execute arbitrary code via `basic_title` parameter. This issue is resolved in v5.1.

Cross-site Scripting vulnerability found in Pandao Editor.md v.1.5.0 allows a remote attacker to execute arbitrary code via a crafted script to the `editor` parameter.

### Impact Pimcore is vulnerable to Cross site scripting vulnerability in classes module. ### Patches Update to version 10.5.20. ### Workarounds Apply the patch https://github.com/pimcore/pimcore/commit/765832f0dc5f6cfb296a82e089b701066f27bcef.patch manually.

`Once::try_call_once` is unsound if invoked more than once concurrently and any call fails to initialise successfully.

### Impact Improper escaping when presenting stored form submissions allowed for an attacker to perform a Cross-Site Scripting attack ### Patches The vulnerability was initially patched in version 1.0.2, and version 1.1.0 includes this patch. The bug was then accidentally re-introduced during a merge error, and has been re-patched in versions 2.2.5 and 3.1.1.

### Impact A memory exhaustion bug exists in Wagtail's handling of uploaded images and documents. For both images and documents, files are loaded into memory during upload for additional processing. A user with access to upload images or documents through the Wagtail admin interface could upload a file so large that it results in a crash or denial of service. The vulnerability is not exploitable by an ordinary site visitor without access to the Wagtail admin. It can only be exploited by admin users with permission to upload images or documents. Image uploads are [restricted to 10MB by default](https://docs.wagtail.org/en/stable/reference/settings.html#wagtailimages-max-upload-size), however this validation only happens on the frontend and on the backend after the vulnerable code. ### Patches Patched versions have been released as Wagtail 4.1.4 (for the LTS 4.1 branch) and Wagtail 4.2.2 (for the current 4.2 branch). ### Workarounds Site owners who are unable to upgrade to the ne...

### Impact This vulnerability has the potential to steal a user's cookie and gain unauthorized access to that user's account through the stolen cookie or redirect users to other malicious sites. ### Patches Update to version 1.5.1. ### Workarounds Apply the patch https://github.com/pimcore/perspective-editor/pull/121.patch manually.