ghsa

There is a cross-site scripting vulnerability on the management system of baserCMS. This is a vulnerability that needs to be addressed when the management system is used by an unspecified number of users. If you are eligible, please update to the new version as soon as possible. ### Target baserCMS 4.7.1 and earlier versions ### Vulnerability Execution of malicious JavaScript code may alter the display of the page or leak cookie information. - In Favorite registration (CVE-2022-39325) - In Permission Settings (CVE-2022-41994) - In User group management (CVE-2022-42486) ### Countermeasures Update to the latest version of baserCMS ### Credits - Shogo Iyota@Mitsui Bussan Secure Directions, Inc. - YUYA KOTAKE@CARTA HOLDINGS, INC.

### Impact On Unix-like operating systems (not Windows or macos), MPXJ's use of `File.createTempFile(..)` results in temporary files being created with the permissions `-rw-r--r--`. This means that any other user on the system can read the contents of this file. When MPXJ is reading a type of schedule file which requires the creation of a temporary file or directory, a knowledgeable local user could locate these transient files while they are in use and would then be able to read the schedule being processed by MPXJ. ### Patches The problem has been patched, MPXJ version 10.14.1 and later includes the necessary changes. ### Workarounds Setting `java.io.tmpdir` to a directory to which only the user running the application has access will prevent other users from accessing these temporary files. ### For more information If you have any questions or comments about this advisory: * Open an issue in https://github.com/joniles/mpxj

code injection in `Wrapper::buildClientWrapperCode` via manipulation of the `$client` argument. It was possible to force the client to access local files or connect to undesired urls instead of the intended target server's url.

### Impact On sites where members is enabled (this is the default) it is possible for members (unprivileged users) to make changes to newsletter settings. This gives unprivileged users the ability to view and change settings they were not intended to have access to. They are not able to escalate their privileges permanently or get access to further information. This issue was caused by a gap in our API validation for nested objects. Ghost(Pro) has already been patched. We can find no evidence that the issue was exploited on Ghost(Pro) prior to the patch being added. Self-hosters are impacted if running Ghost a version between v4.46.0 and v4.48.7 or any version of v5 prior to v5.22.7. Immediate action should be taken to secure your site - see patches & workarounds below. ### Patches - v4.48.8 / v5.22.7 are patched for all known exploits - v4.48.9 / v5.24.1 contain deeper fixes to the API to close the potential for this vulnerability to appear elsewhere or regress ### Workarounds...

FusionAuth before 1.41.3 allows a file outside of the application root to be viewed or retrieved using an HTTP request. To be specific, an attacker may be able to view or retrieve any file readable by the user running the FusionAuth process.

decode-uri-component 0.2.0 is vulnerable to Improper Input Validation resulting in DoS.

KubeView through 0.1.31 allows attackers to obtain control of a Kubernetes cluster because api/scrape/kube-system does not require authentication, and retrieves certificate files that can be used for authentication as kube-admin. NOTE: the vendor's position is that KubeView was a "fun side project and a learning exercise," and not "very secure."

qs before 6.10.3, as used in Express before 4.17.3 and other products, allows attackers to cause a Node process hang for an Express application because an __ proto__ key can be used. In many typical Express use cases, an unauthenticated remote attacker can place the attack payload in the query string of the URL that is used to visit the application, such as a[__proto__]=b&a[__proto__]&a[length]=100000000. The fix was backported to qs 6.9.7, 6.8.3, 6.7.3, 6.6.1, 6.5.3, 6.4.1, 6.3.3, and 6.2.4 (and therefore Express 4.17.3, which has "deps: qs@6.9.7" in its release description, is not vulnerable).

In PyTorch before trunk/89695, torch.jit.annotations.parse_type_line can cause arbitrary code execution because eval is used unsafely. The fix for this issue is planned to be released in version 1.13.1, there is a release checker in issue #89855.

In PaddlePaddle before 2.4, paddle.audio.functional.get_window is vulnerable to code injection because it calls eval on a user-supplied winstr. This may lead to arbitrary code execution.