ghsa

HashiCorp go-getter through 2.0.2 does not safely perform downloads. Asymmetric resource exhaustion could occur when go-getter processed malicious HTTP responses.

HashiCorp go-getter through 2.0.2 does not safely perform downloads. Arbitrary host access was possible via go-getter path traversal, symlink processing, and command injection flaws.

When reading a TGA file with RLE packets that cross scan lines, Pillow reads the information past the end of the first line without deducting that from the length of the remaining file data. This vulnerability was introduced in Pillow 9.1.0, and can cause a heap buffer overflow. Opening an image with a zero or negative height has been found to bypass a decompression bomb check. This will now raise a SyntaxError instead, in turn raising a PIL.UnidentifiedImageError.

In ginadmin through 05-10-2022, the incoming path value is not filtered, resulting in arbitrary file reading.

In ginadmin through 05-10-2022 the incoming path value is not filtered, resulting in directory traversal.

The `ctx` hosted project on [PyPI](https://pypi.org/project/ctx/) was taken over via user account compromise and replaced with a malicious project which contained runtime code that collected the content of `os.environ.items()` when instantiating `Ctx` objects. The captured environment variables were sent as a base64 encoded query parameter to a heroku application running at `https://anti-theft-web.herokuapp.com`. If you installed the package between May 14, 2022 and May 24, 2022, and your environment variables contain sensitive data like passwords and API keys (like `AWS_ACCESS_KEY_ID` and `AWS_SECRET_ACCESS_KEY`), we advise you to rotate your passwords and keys, then perform an audit to determine if they were exploited.

### Impact If FoF Upload is configured to allow the uploading of SVG files (`image/svg+xml`), navigating directly to an SVG file URI could execute arbitrary Javascript code decided by an attacker. This Javascript code could include the execution of HTTP web requests to Flarum, or any other web service. This could allow data to be leaked by an authenticated Flarum user, or, possibly, for data to be modified maliciously. ### Patches This has been patched with v1.2.3, which now sanitizes uploaded SVG files. ### Workarounds Upgrade to `1.2.3` (requires Flarum 1.2 or later), or remove the ability for users to upload SVG files through FoF Upload. ### References Thank you to Safwat Refaat for the responsible disclosure of this vulnerability.

### Impact We found a possible XSS vector in the `WikiManager.JoinWiki ` wiki page related to the "requestJoin" field. ### Patches The issue is patched in versions 12.10.11, 14.0-rc-1, 13.4.7, 13.10.3. ### Workarounds The easiest workaround is to edit the wiki page `WikiManager.JoinWiki` (with wiki editor) and change the line ``` <input type='hidden' name='requestJoin' value="$!request.requestJoin"/> ``` into ``` <input type='hidden' name='requestJoin' value="$escapetool.xml($!request.requestJoin)"> ``` ### References * https://jira.xwiki.org/browse/XWIKI-19292 * https://github.com/xwiki/xwiki-platform/commit/27f839133d41877e538d35fa88274b50a1c00b9b ### For more information If you have any questions or comments about this advisory: * Open an issue in [Jira XWiki](https://jira.xwiki.org) * Email us at [security mailing list](mailto:security@xwiki.org)

### Impact We found a possible XSS vector in the `FlamingoThemesCode.WebHomeSheet` wiki page related to the "newThemeName" form field. ### Patches The issue is patched in versions 12.10.11, 14.0-rc-1, 13.4.7, 13.10.3. ### Workarounds The easiest workaround is to edit the wiki page `FlamingoThemesCode.WebHomeSheet` (with wiki editor) and change the line ``` <input type="hidden" name="newThemeName" id="newThemeName" value="$request.newThemeName" /> ``` into ``` <input type="hidden" name="newThemeName" id="newThemeName" value="$escapetool.xml($request.newThemeName)" /> ``` ### References * https://jira.xwiki.org/browse/XWIKI-19294 * https://github.com/xwiki/xwiki-platform/commit/bd935320bee3c27cf7548351b1d0f935f116d437 ### For more information If you have any questions or comments about this advisory: * Open an issue in [Jira XWiki](https://jira.xwiki.org) * Email us at [security mailing list](mailto:security@xwiki.org)

### Description The default configuration of a TreeGrid component uses Object::toString as a key on the client-side and server communication in Vaadin 14.8.5 through 14.8.9, 22.0.6 through 22.0.14, 23.0.0.beta2 through 23.0.8 and 23.1.0.alpha1 through 23.1.0.alpha4, resulting in potential information disclosure of values that should not be available on the client-side.