ghsa

### Impact All versions of moment-timezone from 0.1.0 contain build tasks vulnerable to command injection. * if Alice uses tzdata pipeline to package moment-timezone on her own (for example via `grunt data:2014d`, where `2014d` stands for the version of the tzdata to be used from IANA's website), * and Alice let's Mallory select the version (`2014d` in our example), then Mallory can execute arbitrary commands on the machine running the grunt task, with the same privilege as the grunt task #### Am I affected? ##### Do you build custom versions of moment-timezone with grunt? If no, you're not affected. ##### Do you allow a third party to specify which particular version you want build? If yes, you're vulnerable to command injection -- third party may execute arbitrary commands on the system running grunt task with the same privileges as grunt task. ### Description #### Command Injection via grunt-zdownload.js and MITM on iana's ftp endpoint The `tasks/data-download.js` script t...

### Impact * if Alice uses `grunt data` (or `grunt release`) to prepare a custom-build, moment-timezone with the latest tzdata from IANA's website * and Mallory intercepts the request to IANA's unencrypted ftp server, Mallory can serve data which might exploit further stages of the moment-timezone tzdata pipeline, or potentially produce a tainted version of moment-timezone (practicality of such attacks is not proved) ### Patches Problem has been patched in version 0.5.35, patch should be applicable with minor modifications to all affected versions. The patch includes changing the FTP endpoint with an HTTPS endpoint. ### Workarounds Specify the exact version of tzdata (like `2014d`, full command being `grunt data:2014d`, then run the rest of the release tasks by hand), or just apply the patch before issuing the grunt command.

The Directus process can be aborted by having an authorized user update the `filename_disk` value to a folder and accessing that file through the `/assets` endpoint. The vulnerability is patched and released in v9.15.0. You can prevent this problem by making sure no (untrusted) non-admin users have permissions to update the `filename_disk` field on `directus_files`. ### For more information If you have any questions or comments about this advisory: * Open a Discussion in [directus/directus](https://github.com/directus/directus/discussions) * Email us at [security@directus.io](mailto:security@directus.io) ### Credits This vulnerability was first discovered and reported by Witold Gorecki.

### Impact If a user has Network Policies with namespace selectors selecting labels of namespaces, or (clusterwide) Cilium Network Policies matching on namespace labels, then it is possible for an attacker with Kubernetes pod deploy rights (either directly or indirectly via higher-level APIs such as Deployment, Daemonset etc) to craft additional pod labels such that the pod is selected by another policy that exists rather than the expected policy. ### Patches The problem has been fixed and is available on versions >=1.10.14, >=1.11.8, >=1.12.1 ### Workarounds There are no workarounds available. ### Acknowledgements The Cilium community has worked together with members of Isovalent to prepare these mitigations. Special thanks to Sander Mathijssen for not only highlighting the issue but also proposing a resolution. ### For more information If you have any questions or comments about this advisory, please reach out on [Slack](https://docs.cilium.io/en/latest/community/community...

In iana-time-zone v0.1.43 a use-after-free bug in the MacOS / iOS implementation was introduced. The copied system time zone was released before its name was copied. If the system time zone was changed between the call of `CFRelease` and `str::to_owned()`, random memory would be copied.

### Impact The power level parsing within gomatrixserverlib was failing to parse the `"events_default"` key of the `m.room.power_levels` event, defaulting the event default power level to zero in all cases. In rooms where the `"events_default"` power level had been changed, this could result in events either being incorrectly authorised or rejected by Dendrite servers. ### Patches gomatrixserverlib contains a fix as of commit `723fd49` and Dendrite 0.9.3 has been updated accordingly. ### Workarounds Matrix rooms where the `"events_default"` power level has not been changed from the default of zero are not vulnerable. ### For more information If you have any questions or comments about this advisory, e-mail us at [security@matrix.org](mailto:security@matrix.org).

Affected versions of this crate passes an uninitialized buffer to a user-provided `Read` implementation. Arbitrary `Read` implementations can read from the uninitialized buffer (memory exposure) and also can return incorrect number of bytes written to the buffer. Reading from uninitialized memory produces undefined values that can quickly invoke undefined behavior. Note: there is only UB in the case where a user provides a struct whose `Read` implementation inspects the buffer passed to `read_exact` before writing to it. This is an unidiomatic (albeit possible) `Read` implementation. See https://github.com/MaterializeInc/materialize/issues/8669 for details.

Microsoft is releasing this security advisory to provide information about a vulnerability in .NET 6.0, .NET 5.0 and .NET Core 3.1. This advisory also provides guidance on what developers can do to update their applications to remove this vulnerability. A vulnerability exists in .NET 6.0, .NET 5.0 and .NET core 3.1 where a malicious client can can cause a denial of service when HTML forms are parsed. ### Affected software * Any .NET 6.0 application running on .NET 6.0.4 or earlier. * Any .NET 5.0 application running .NET 5.0.16 or earlier. * Any .NET Core 3.1 application running on .NET Core 3.1.24 or earlier. #### Affected packages **.NET Core 3.1** | Package name | Affected version | Patched version | |---------------------------------------------------|---------------------|---------------| | Microsoft.AspNetCore.App.Runtime.win-x64 | >=3.0.0,3.1.24 | 3.1.25 | | Microsoft.AspNetCore.App.Runtime.linux-x64 | >=3.0.0,3....

Microsoft is releasing this security advisory to provide information about a vulnerability in .NET 6.0, .NET 5.0 and .NET Core 3.1. This advisory also provides guidance on what developers can do to update their applications to remove this vulnerability. A vulnerability exists in .NET 6.0, .NET 5.0 and .NET core 3.1 where a malicious client can manipulate cookies and cause a Denial of Service. ### Affected software * Any .NET 6.0 application running on .NET 6.0.4 or earlier. * Any .NET 5.0 application running .NET 5.0.16 or earlier. * Any .NET Core 3.1 application running on .NET Core 3.1.24 or earlier. #### Affected packages **.NET Core 3.1** | Package name | Affected versions | Patched versions | |---------------------------------------------------|-------------------|------------------| | Microsoft.Owin.Security.Cookies | <=4.21 | 4.22 | | Microsoft.Owin.Security | <=4.21 ...

### Introduction Cross-site scripting (XSS) is a type of vulnerability that allows to execute any kind of JavaScript code inside the Panel session of the same or other users. In the Panel, a harmful script can for example trigger requests to Kirby's API with the permissions of the victim. Such vulnerabilities are critical if you might have potential attackers in your group of authenticated Panel users. They can escalate their privileges if they get access to the Panel session of an admin user. Depending on your site, other JavaScript-powered attacks are possible. ### Impact The multiselect field allows to select tags from an autocompleted list. Unfortunately, the Panel in Kirby 3.5 used HTML rendering for the raw option value. This allowed **attackers with influence on the options source** (e.g. content of sibling pages or an API endpoint) to inject HTML code. If a page in the Panel that uses the manipulated multiselect options was visited by a victim and the victim opened the aut...