ghsa

### Affected packages @ckeditor/ckeditor5-markdown-gfm @ckeditor/ckeditor5-html-support @ckeditor/ckeditor5-html-embed ### Impact A cross-site scripting vulnerability has been discovered affecting three optional CKEditor 5's packages. The vulnerability allowed to trigger a JavaScript code after fulfilling special conditions: a) Using one of the affected packages. In case of `ckeditor5-html-support` and `ckeditor5-html-embed`, additionally, it was required to use a configuration that allows unsafe markup inside the editor, b) Initializing the editor on an element and using an element other than `<textarea>` as a base, c) Destroying the editor instance. The root cause of the issue was a mechanism responsible for updating the source element with the markup coming from the CKEditor 5 data pipeline after destroying the editor. This vulnerability might affect a small percent of integrators that depend on dynamic editor initialization/destroy and use [Markdown](https://ckeditor.com/docs/...

Drupal core sanitizes filenames with dangerous extensions upon upload and strips leading and trailing dots from filenames to prevent uploading server configuration files. However, the protections for these two vulnerabilities previously did not work correctly together. As a result, if the site were configured to allow the upload of files with an htaccess extension, these files' filenames would not be properly sanitized. This could allow bypassing the protections provided by Drupal core's default .htaccess files and possible remote code execution on Apache web servers. This issue is mitigated by the fact that it requires a field administrator to explicitly configure a file field to allow htaccess as an extension (a restricted permission), or a contributed module or custom code that overrides allowed file uploads.

### Impact Users hosting Streamlit app(s) that use custom components are vulnerable to a directory traversal attack that could leak data from their web server file-system such as: server logs, world readable files, and potentially other sensitive information. An attacker can craft a malicious URL with file paths and the streamlit server would process that URL and return the contents of that file. ### Patches On July 27th at 2:20PM PST we rolled out a patch in release 1.11.1. This patch ensures that any file operations are restricted only to the custom component directory and cannot traverse outside of that. We strongly recommend users upgrade to v1.11.1 as soon as possible. We have notified the Streamlit community and popular hosting providers about this issue so they can patch quickly. As a precautionary measure, we are also upgrading all users on Streamlit Cloud wherever possible. We continue to check other occurrences of this vulnerability and monitor potential exploits wherever w...

### Impact _What kind of vulnerability is it? Who is impacted?_ The PGJDBC implementation of the `java.sql.ResultRow.refreshRow()` method is not performing escaping of column names so a malicious column name that contains a statement terminator, e.g. `;`, could lead to SQL injection. This could lead to executing additional SQL commands as the application's JDBC user. User applications that do not invoke the `ResultSet.refreshRow()` method are not impacted. User application that do invoke that method are impacted if the underlying database that they are querying via their JDBC application may be under the control of an attacker. The attack requires the attacker to trick the user into executing SQL against a table name who's column names would contain the malicious SQL and subsequently invoke the `refreshRow()` method on the ResultSet. For example: ```sql CREATE TABLE refresh_row_example ( id int PRIMARY KEY, "1 FROM refresh_row_example; SELECT pg_sleep(10); SELECT * " int )...

### Impact ItemImportServiceImpl is vulnerable to a path traversal vulnerability. This means a malicious SAF (simple archive format) package could cause a file/directory to be created anywhere the Tomcat/DSpace user can write to on the server. However, this path traversal vulnerability is only possible by a user with special privileges (either Administrators or someone with command-line access to the server). This vulnerability impacts the XMLUI, JSPUI and command-line. _This vulnerability does NOT impact 7.x._ ### Patches _DSpace 6.x:_ * Fixed in 6.4 via commit: https://github.com/DSpace/DSpace/commit/7af52a0883a9dbc475cf3001f04ed11b24c8a4c0 * 6.x patch file: https://github.com/DSpace/DSpace/commit/7af52a0883a9dbc475cf3001f04ed11b24c8a4c0.patch (may be applied manually if an immediate upgrade to 6.4 or 7.x is not possible) _DSpace 5.x:_ * Fixed in 5.11 via commit: https://github.com/DSpace/DSpace/commit/56e76049185bbd87c994128a9d77735ad7af0199 * 5.x patch file: https://github.c...

### Impact The JSPUI resumable upload implementations in SubmissionController and FileUploadRequest are vulnerable to multiple path traversal attacks, allowing an attacker to create files/directories anywhere on the server writable by the Tomcat/DSpace user, by modifying some request parameters during submission. This path traversal can only be executed by a user with special privileges (submitter rights). This vulnerability only impacts the JSPUI. _This vulnerability does NOT impact the XMLUI or 7.x._ ### Patches _DSpace 6.x:_ * Fixed in 6.4 via commit: https://github.com/DSpace/DSpace/commit/7569c6374aefeafb996e202cf8d631020eda5f24 * 6.x patch file: https://github.com/DSpace/DSpace/commit/7569c6374aefeafb996e202cf8d631020eda5f24.patch (may be applied manually if an immediate upgrade to 6.4 or above is not possible) _DSpace 5.x:_ * Fixed in 5.11 via commit: https://github.com/DSpace/DSpace/commit/d1dd7d23329ef055069759df15cfa200c8e3 * 5.x patch file: https://github.com/DSpace/DSpa...

### Impact The JSPUI controlled vocabulary servlet is vulnerable to an open redirect attack, where an attacker can craft a malicious URL that looks like a legitimate DSpace/repository URL. When that URL is clicked by the target, it redirects them to a site of the attacker's choice. _This vulnerability does NOT impact the XMLUI or 7.x._ ### Patches _DSpace 6.x:_ * Fixed in 6.x via commit: https://github.com/DSpace/DSpace/commit/f7758457b7ec3489d525e39aa753cc70809d9ad9 * 6.x patch file: https://github.com/DSpace/DSpace/commit/f7758457b7ec3489d525e39aa753cc70809d9ad9.patch (may be applied manually if an immediate upgrade to 6.4 or above is not possible) _DSpace 5.x:_ * Fixed in 5.x via commit: https://github.com/DSpace/DSpace/commit/5f72424a478f59061dcc516b866dcc687bc3f9de * 5.x patch file: https://github.com/DSpace/DSpace/commit/5f72424a478f59061dcc516b866dcc687bc3f9de.patch (may be applied manually if an immediate upgrade to 5.11 or 6,4 or above is not possible) #### Apply the patc...

### Impact The JSPUI "Request a Copy" feature does not properly escape values submitted and stored from the "Request a Copy" form. This means that item requests could be vulnerable to XSS attacks. This vulnerability only impacts the JSPUI. _This vulnerability does NOT impact the XMLUI or 7.x._ ### Patches _DSpace 6.x:_ * Fixed in 6.4 via commit: https://github.com/DSpace/DSpace/commit/503a6af57fd720c37b0d86c34de63baa5dd85819 * 6.x patch file: https://github.com/DSpace/DSpace/commit/503a6af57fd720c37b0d86c34de63baa5dd85819.patch (may be applied manually if an immediate upgrade to 6.4 is not possible) _DSpace 5.x:_ * Fixed in 5.11 via commit: https://github.com/DSpace/DSpace/commit/28eb8158210d41168a62ed5f9e044f754513bc37 * 5.x patch file: https://github.com/DSpace/DSpace/commit/28eb8158210d41168a62ed5f9e044f754513bc37.patch (may be applied manually if an immediate upgrade to 5.11 or 6.4 is not possible) #### Apply the patch to your DSpace If at all possible, we recommend upgradi...

### Impact The JSPUI spellcheck "Did you mean" HTML escapes the data-spell attribute in the link, but not the actual displayed text. Similarly, the JSPUI autocomplete HTML does not properly escape text passed to it. Both are vulnerable to XSS. This vulnerability only impacts the JSPUI. _This vulnerability does NOT impact the XMLUI or 7.x._ ### Patches _DSpace 6.x:_ * Fixed in 6.4 via two commits: * Fix for spellcheck: https://github.com/DSpace/DSpace/commit/ebb83a75234d3de9be129464013e998dc929b68d * Fix for autocomplete: https://github.com/DSpace/DSpace/commit/35030a23e48b5946f5853332c797e1c4adea7bb7 * 6.x patch files available (may be applied manually if an immediate upgrade to 6.4 or above is not possible) * Fix for spellcheck: https://github.com/DSpace/DSpace/commit/ebb83a75234d3de9be129464013e998dc929b68d.patch * Fix for autocomplete: https://github.com/DSpace/DSpace/commit/35030a23e48b5946f5853332c797e1c4adea7bb7.patch _DSpace 5.x:_ * Fixed in 5.11 via two co...

### Impact Metadata on a withdrawn Item is exposed via the XMLUI "mets.xml" object, as long as you know the handle/URL of the withdrawn Item. This vulnerability only impacts the XMLUI. However, this vulnerability is very low severity as Item metadata does not tend to contain highly secure or sensitive information. _This vulnerability does NOT impact the JSPUI or 7.x._ ### Patches Because of the low severity of this security issue, it requires updating to 6.4 to resolve. _No patch is available for 5.x or below._ _DSpace 6.x:_ * Fixed in 6.4 via #2451 * 6.x patch file: https://github.com/DSpace/DSpace/commit/574e25496a40173653ae7d0a49a19ed8e3458606.patch (may be applied manually if an immediate upgrade to 6.4 or above is not possible) #### Apply the patch to your DSpace If at all possible, we recommend upgrading your DSpace site based on the upgrade instructions. However, if you are unable to do so, you can manually apply the above patches as follows: 1. Download the appropriate ...