Security Headlines: Latest CVEs

Source: ghsa

GHSA-78f9-745f-278p: Neo4j Graph apoc plugins Partial Path Traversal Vulnerability

### Impact

A partial directory traversal vulnerability was found in the `apoc.log.stream` function of the apoc plugins for the Neo4j graph database. This issue allows a malicious actor to potentially break out of the expected directory. The impact is limited to sibling directories: for example, a prefix check such as `userControlled.getCanonicalPath().startsWith("/usr/out")` will allow an attacker to access a directory with a name like `/usr/outnot`.

### Patches

Users should aim to use the latest released version compatible with their Neo4j version. The minimum versions containing the patch for this vulnerability are 4.4.0.8 and 4.3.0.7.

### Workarounds

If you cannot upgrade the library, you can control the [allowlist of the functions](https://neo4j.com/docs/operations-manual/current/reference/configuration-settings/#config_dbms.security.procedures.allowlist) that can be used in your system.

### For more information

If you have any questions or comments about this advisory:

- Open an issue in [neo4j-apoc-procedures](https...

GHSA-xpp3-xrff-w6rh: rocksdb vulnerable to out-of-bounds read

Affected versions of this crate called the RocksDB C API function `rocksdb_open_column_families_with_ttl()` with a pointer to a single integer TTL value, whereas the API expects one TTL value per column family. This is only relevant when using `rocksdb::DBWithThreadMode::open_cf_descriptors_with_ttl()` with multiple column families. This bug has been fixed in v0.19.0.

GHSA-cf6r-q678-f2p7: Cross-site Scripting in microweber

In Microweber prior to v1.3.1, the `title` parameter in the body of a POST request that creates or edits a category is vulnerable to stored cross-site scripting.

GHSA-33wh-w4m7-c6r8: update_by_case before 0.1.3 can be vulnerable to sql injection

Before version 0.1.3, the `update_by_case` gem built custom SQL strings that were not sanitized, making it vulnerable to SQL injection. Upgrade to version >= 0.1.3, which uses `Arel` instead to construct the resulting SQL statement with sanitized SQL.

GHSA-j259-6c58-9m58: loopback-connector-postgresql Vulnerable to Improper Sanitization of `contains` Filter

Improper input validation on the `contains` LoopBack filter may allow for arbitrary SQL injection.

### Impact

When the extended filter property `contains` is permitted to be interpreted by the Postgres connector, it is possible to inject arbitrary SQL, which may affect the confidentiality and integrity of data stored on the connected database. This affects users who do any of the following:

- Connect to the database via the DataSource with the `allowExtendedProperties: true` setting, OR
- Use the connector's CRUD methods directly, OR
- Use the connector's other methods to interpret the LoopBack filter.

### Patches

Patch release `loopback-connector-postgresql@5.5.1` has been published, which resolves this issue.

### Workarounds

Users who are unable to upgrade should do the following, where applicable:

- Remove the `allowExtendedProperties: true` DataSource setting
- Add the `allowExtendedProperties: false` DataSource setting
- When passing directly to the connector functions, manually sanit...

GHSA-pcjh-6r5h-r92r: django-sendfile2 before 0.7.0 contains reflected file download vulnerability

Similar to CVE-2022-36359 for Django, django-sendfile2 did not protect against a reflected file download attack in version 0.6.1 and earlier. If the file name used by django-sendfile2 was derived from user input, then it would be possible to perform such an attack. A new version of django-sendfile2 will be released. Either download django-sendfile2 0.7.0 as a workaround or sanitize user input yourself, using Django's patch as a template: https://github.com/django/django/commit/bd062445cffd3f6cc6dcd20d13e2abed818fa173

GHSA-2jq9-6xx7-3h29: `temporary` makes use of uninitialized memory

Uninitialized memory is used as an RNG seed in `temporary`. This has been resolved in the 0.6.4 release. The crate is not intended to be used outside of a testing environment. For a general-purpose crate to create temporary directories, [`tempfile`](https://crates.io/crates/tempfile) is an alternative to this crate.

GHSA-gwj5-wp6r-5q9f: Cronos vulnerable to DoS through unintended Contract Selfdestruct

In Cronos nodes running versions before v0.7.0, the contract selfdestruct invocation permanently removes the corresponding bytecode from the internal database storage. However, due to a bug in Ethermint, all contracts that used the identical bytecode (i.e. shared the same CodeHash) will also stop working once one contract invokes selfdestruct, even though the other contracts did not invoke the selfdestruct OPCODE. Thanks to the successfully coordinated security vulnerability disclosure, no smart contracts were impacted through the use of this vulnerability. Smart contract states and storage values are not affected by this vulnerability. This problem has been patched in Cronos v0.8.0. The patch has state-machine-breaking changes, and the required coordinated network upgrade was done at block height 3982500 on the Cronos mainnet beta network. If a contract is subject to DoS due to this issue, the user can redeploy the same contract, i.e. with identical bytecode, so that the original con...

GHSA-7r9x-qrpr-3cxw: mofh Vulnerable to Improper Restriction of XML External Entity Reference

The `xml.etree.ElementTree` module that mofh used up until version `1.0.1` implements a simple and efficient API for parsing and creating XML data. But it makes the application vulnerable to:

- [Billion Laughs attack](https://en.wikipedia.org/wiki/Billion_laughs_attack): a type of denial-of-service attack aimed at XML parsers. It uses multiple levels of nested entities; if one large entity is repeated with a couple of thousand chars repeatedly, the parser gets overwhelmed.
- [Quadratic blowup attack](https://www.acunetix.com/vulnerabilities/web/xml-quadratic-blowup-denial-of-service-attack/): similar to a Billion Laughs attack, it also abuses entity expansion. Instead of nested entities, it repeats one large entity with a couple of thousand chars repeatedly.

The problem has been patched starting from version `1.0.1` by utilising the `defusedxml` package instead of `xml.etree.ElementTree`.

### Workarounds

For this vulnerability to be exploited the user must be using a c...

GHSA-qcgc-6q86-7x2p: AEM WCM Core Components CVG Image vulnerable to Reflected Cross-site Scripting

Core Components version 2.20.6 (and earlier) suffer from a reflected cross-site scripting (XSS) vulnerability in `AdaptiveImageServlet` via SVG images. An attacker with author access can upload a specially crafted SVG image (including malicious JavaScript) and obtain a link that, when loaded by another authenticated user, will execute the malicious script and gain access to that user's session. The issue has been resolved in 2.20.8. There are currently no known workarounds.