Source
ghsa
All versions of the package safe-eval are vulnerable to Prototype Pollution via the safeEval function, due to improper sanitization of its parameter content.
All versions of the package safe-eval are vulnerable to Sandbox Bypass due to improper input sanitization. The vulnerability is derived from prototype pollution exploitation. Exploiting this vulnerability might result in remote code execution (RCE). **Vulnerable functions:** `__defineGetter__`, `stack()`, `toLocaleString()`, `propertyIsEnumerable.call()`, `valueOf()`.
### Impact

Lack of rate limiting will allow an attacker to brute-force user credentials.

### Patches

Ability to enable rate limiting on Flask-AppBuilder >= 4.3.0. Use `AUTH_RATE_LIMITED = True` and `RATELIMIT_ENABLED = True`, and set the limit itself using `AUTH_RATE_LIMIT`. Will apply only to database authentication.

### Workarounds

Implement rate limiting using a reverse proxy or other strategies.
In Apache Linkis <=1.3.1, because the parameters are not effectively filtered, the attacker can use the MySQL data source and malicious parameters to configure a new data source to trigger a deserialization vulnerability, eventually leading to remote code execution. Users should upgrade their version of Linkis to version 1.3.2.
In Apache Linkis <=1.3.1, due to the lack of effective filtering of parameters, an attacker configuring malicious MySQL JDBC parameters in the JDBC EngineConn Module will trigger a deserialization vulnerability and eventually lead to remote code execution. Therefore, the parameters in the MySQL JDBC URL should be blacklisted. Users should upgrade their version of Linkis to version 1.3.2.
XXL-JOB (`com.xuxueli:xxl-job`) versions 2.4.0 and earlier are vulnerable to cross-site scripting (XSS). An uploaded HTML payload can be executed successfully through `/xxl-job-admin/user/add` and `/xxl-job-admin/user/update`.
vm2 was not properly handling host objects passed to `Error.prepareStackTrace` in case of unhandled async errors.

- vm2 version: ~3.9.14
- Node version: 18.15.0, 19.8.1, 17.9.1

### Impact

A threat actor can bypass the sandbox protections to gain remote code execution rights on the host running the sandbox.

### Patches

This vulnerability was patched in the release of version `3.9.15` of `vm2`.

### Workarounds

None.
The following usage causes undefined behavior.

```rust
let kp: ntru::types::KeyPair = …;
kp.get_public().export(Default::default())
```

When compiled with debug assertions, the code above will trigger an `attempt to subtract with overflow` panic before UB occurs. Other mistakes (e.g. using `EncParams` from a different key) may always trigger UB. Likely, older versions of this crate are also affected, but have not been tested.
### Summary

The SvelteKit framework offers developers an option to create simple REST APIs. This is done by defining a `+server.js` file, containing endpoint handlers for different HTTP methods. SvelteKit provides out-of-the-box cross-site request forgery (CSRF) protection to its users. The protection is implemented at `kit/src/runtime/server/respond.js`. While the implementation does a sufficient job of mitigating common CSRF attacks, the protection can be bypassed by simply specifying an upper-cased `Content-Type` header value. The browser will not send uppercase characters on form submission, but this check does not block all expected cross-site requests: https://developer.mozilla.org/en-US/docs/Web/HTTP/CORS#simple_requests

### Details

The CSRF protection is implemented using the code shown below.

```javascript
const forbidden =
    is_form_content_type(request) &&
    (request.method === 'POST' ||
        request.method === 'PUT' ||
        request.method === 'PATCH' ||
        request.me...
```
### Impact

A reflected cross-site scripting vulnerability has been identified in Goobi viewer core when evaluating the LOGID parameter. An attacker could trick a user into following a specially crafted link to a Goobi viewer installation, resulting in the execution of malicious script code in the user's browser.

### Patches

The vulnerability has been fixed in version 23.03.

### Credits

We would like to thank [RUS-CERT](https://cert.uni-stuttgart.de/) for reporting this issue.

If you have any questions or comments about this advisory:

* Email us at [support@intranda.com](mailto:support@intranda.com)