GHSA-mrxv-pr4h-963q: image-tiler susceptible to command injection

A command injection vulnerability affects the package image-tiler before version 2.0.2.

GHSA-cqfc-9452-r36j: curljs Command Injection vulnerability

A command injection vulnerability affects all versions of the package curljs.

GHSA-32fw-9wq8-9x9c: node-latex-pdf is susceptible to command injection

A command injection vulnerability affects all versions of the package node-latex-pdf.

GHSA-mpwp-pf96-9g4r: npos-tesseract Command Injection vulnerability

A command injection vulnerability affects all versions of package npos-tesseract. The injection point is located in line 55 in lib/ocr.js.

GHSA-xv97-c62v-4587: NextAuth.js before 4.10.3 and 3.29.10 sending verification requests (magic link) to unwanted emails

### Impact

`next-auth` users who are using the `EmailProvider` either in versions before `4.10.3` or `3.29.10` are affected. If an attacker could forge a request that sent a comma-separated list of emails (eg.: `attacker@attacker.com,victim@victim.com`) to the sign-in endpoint, NextAuth.js would send emails to both the attacker and the victim's e-mail addresses. The attacker could then login as a newly created user with the email being `attacker@attacker.com,victim@victim.com`. This means that basic authorization like `email.endsWith("@victim.com")` in the `signIn` callback would fail to communicate a threat to the developer and would let the attacker bypass authorization, even with an `@attacker.com` address.

### Patches

We patched this vulnerability in `v4.10.3` and `v3.29.10` by normalizing the email value that is sent to the sign-in endpoint before accessing it anywhere else. We also added a `normalizeIdentifier` callback on the `EmailProvider` configuration, where you can furthe...

GHSA-6hcj-qrw3-m66q: Fava before 1.22.3 vulnerable to reflected cross-site scripting

Fava before 1.22.3 is vulnerable to reflected cross-site scripting due to improper validation on filter conversion.

GHSA-vp56-6g26-6827: node-fetch Inefficient Regular Expression Complexity

[node-fetch](https://www.npmjs.com/package/node-fetch) is a light-weight module that brings window.fetch to node.js. Affected versions of this package are vulnerable to Regular Expression Denial of Service (ReDoS) in the `isOriginPotentiallyTrustworthy()` function in `referrer.js`, when processing a URL string with alternating letters and periods, such as `'http://' + 'a.a.'.repeat(i) + 'a'`.

GHSA-h3qm-jrrf-cgj3: graphql-go through 0.8.0 has infinite recursion in the type definition parser

graphql-go (aka GraphQL for Go) through 0.8.0 has infinite recursion in the type definition parser.

GHSA-jxqv-jcvh-7gr4: Atlantis Events prior to 0.19.7 vulnerable to Timing Attack

The package github.com/runatlantis/atlantis/server/controllers/events before 0.19.7 is vulnerable to a timing attack in the webhook event validator code, which does not use a constant-time comparison function to validate the webhook secret. This can allow an attacker to recover the secret and then forge webhook events.

GHSA-qq3j-44gw-cf6r: Eclipse Californium denial of service (DoS) via Datagram Transport Layer Security (DTLS) handshake on parameter mismatch

In Eclipse Californium versions 2.0.0 to 2.7.2 and 3.0.0 to 3.5.0, a DTLS resumption handshake falls back to a DTLS full handshake on a parameter mismatch without using a HelloVerifyRequest. Especially when used with certificate-based cipher suites, this results in message amplification (DDoS against other peers) and high CPU load (DoS of the peer itself). The misbehavior occurs only with DTLS_VERIFY_PEERS_ON_RESUMPTION_THRESHOLD values larger than 0.