Security Headlines: Latest CVEs (source: GHSA)
GHSA-4jx2-hvqw-93j9: dd-plist XML External Entity vulnerability

A vulnerability classified as problematic was found in 3breadt dd-plist 1.17. An unknown function is affected; the manipulation leads to an XML external entity (XXE) reference. The attack must be carried out locally. Upgrading to version 1.18 addresses this issue; the fix is the patch 8c954e8d9f6f6863729e50105a8abf3f87fff74c. Upgrading the affected component is recommended. VDB-221486 is the identifier assigned to this vulnerability.

GHSA-qh6w-pq52-qxxq: Pixelfed may allow unauthorized actor to view private posts

Improper Authorization in GitHub repository pixelfed/pixelfed 0.11.4 and prior.

GHSA-vjxx-jgcx-9fq2: Pixelfed allows user enumeration via reset password functionality

Exposure of Sensitive Information to an Unauthorized Actor in GitHub repository pixelfed/pixelfed 0.11.4 and prior.

GHSA-jrmh-v64j-mjm9: Insecure Temporary File in RESTEasy

In RESTEasy the insecure File.createTempFile() is used in the DataSourceProvider, FileProvider and Mime4JWorkaround classes which creates temp files with insecure permissions that could be read by a local user.

GHSA-q82h-q47j-f492: Cross-site Scripting in jspreadsheet

The dropdown menu in jspreadsheet before v4.6.0 was discovered to be vulnerable to cross-site scripting (XSS).

GHSA-r2h5-3hgw-8j34: User data in TPM attestation vulnerable to MITM

### Impact

Attestation *user data* (such as the digest of the public key in an aTLS connection) was bound to the issuer's TPM, but not to its PCR state. An attacker could intercept a node initialization, initialize the node themselves, and then impersonate an uninitialized node to the validator. In practice, this meant that a CSP insider with sufficient privileges would have been able to join a node under their control to a Constellation cluster.

### Patches

The issue has been patched in [v2.5.2](https://github.com/edgelesssys/constellation/releases/tag/v2.5.2).

### Workarounds

None.

GHSA-5vx9-j5cw-47vq: Privilege escalation in MOSN

An authentication vulnerability in MOSN before v0.23.0 allows an attacker to escalate privileges via case-sensitive JWT authorization.

GHSA-vvpx-j8f3-3w6h: Uncontrolled Resource Consumption

A maliciously crafted HTTP/2 stream could cause excessive CPU consumption in the HPACK decoder, sufficient to cause a denial of service from a small number of small requests.

GHSA-qgc7-mgm3-q253: Uncontrolled Resource Consumption

An attacker can craft a malformed TIFF image which will consume a significant amount of memory when passed to DecodeConfig. This could lead to a denial of service.

GHSA-f9c6-4j9h-6c5r: Misinterpretation of Input in thorsten/phpmyfaq

Misinterpretation of Input in GitHub repository thorsten/phpmyfaq prior to 3.1.11.