GHSA-8g35-prrr-gxxf: ProcessWire vulnerable to Cross-site Scripting

ProcessWire v3.0.200 was discovered to contain multiple cross-site scripting (XSS) vulnerabilities via the Search Users and Search Pages function. These vulnerabilities allow attackers to execute arbitrary web scripts or HTML via injection of a crafted payload.

GHSA-vqvm-qrwh-69h7: easyii CMS's File Upload Management vulnerable to unrestricted upload

This issue affects the function `file` in the file `helpers/Upload.php` of the File Upload Management component. The manipulation leads to an unrestricted file upload, and the attack may be initiated remotely.

GHSA-pmw9-567p-68pc: OctoRPKI crashes when max iterations is reached

### Impact

Attackers can create long chains of CAs that would lead to OctoRPKI exceeding its max iterations parameter, which would cause the program to crash and not finish the validation, resulting in a denial of service.

### Patches

This issue is fixed in v1.4.4.

### Workarounds

None.

GHSA-9398-5ghf-7pr6: conduit-hyper vulnerable to Denial of Service from unchecked request length

Prior to version 0.4.2, `conduit-hyper` did not check any limit on a request's length before calling [`hyper::body::to_bytes`](https://docs.rs/hyper/latest/hyper/body/fn.to_bytes.html). An attacker could send a malicious request with an abnormally large `Content-Length`, which could lead to a panic if memory allocation failed for that request. In version 0.4.2, `conduit-hyper` sets an internal limit of 128 MiB per request, otherwise returning status 400 ("Bad Request"). This crate is part of the implementation of Rust's [crates.io](https://crates.io/), but that service is not affected due to its existing cloud infrastructure, which already drops such malicious requests. Even with the new limit in place, `conduit-hyper` is not recommended for production use, nor to directly serve the public Internet. The vulnerability was discovered by Ori Hollander from the JFrog Security Research team.

GHSA-mg5h-rhjq-6v84: phpMyFAQ vulnerable to reflected Cross-site Scripting

phpMyFAQ prior to version 3.1.8 is vulnerable to reflected cross-site scripting.

GHSA-wr74-2v66-57pp: phpMyFAQ vulnerable to stored Cross-site Scripting

phpMyFAQ prior to version 3.1.8 is vulnerable to stored Cross-site Scripting.

GHSA-2rr3-rv49-p42f: phpMyFAQ contains Weak Password Requirements

phpMyFAQ prior to version 3.1.8 has Weak Password Requirements. Version 3.1.8 introduces an eight-character minimum password length.

GHSA-5qxq-vgmm-q39m: RCE vulnerability in Pimcore/Mail & Dynamic Text Layout

### Impact

The user-controlled Twig template rendering in `Pimcore/Mail` and `ClassDefinition\Layout\Text` is vulnerable to server-side template injection leading to RCE.

### Patches

Update to version 10.5.9 or apply this patch manually: https://github.com/pimcore/pimcore/pull/13347.patch

### Workarounds

Apply https://github.com/pimcore/pimcore/pull/13347.patch manually.

### References

Credits: @nth347 from Viettel Cyber Security

GHSA-hff2-x2j9-gxgv: Keylime: unhandled exceptions could lead to invalid attestation states

### Impact

This vulnerability creates a false sense of security for Keylime users, i.e. a user could query Keylime and conclude that a particular node/agent is correctly attested, while attestations are not in fact taking place.

**Short explanation**: the Keylime verifier creates periodic reports on the state of each attested agent. The verifier runs a set of Python asynchronous processes to challenge attested nodes and create reports on the outcome. The vulnerability consists of these asynchronous processes failing silently, i.e. quitting without leaving behind a database entry, raising an error, or producing even a mention of an error in a log. The silent failure can be triggered by a small set of transient network failure conditions; recoverable device driver crashes are one such condition observed in the wild.

### Patches

The problem is fixed in Keylime starting with tag 6.5.1.

### Workarounds

This [patch](https://github.com/keylime/keylime/pull/112...

GHSA-vpgf-fgm8-gxr2: Apache DolphinScheduler vulnerable to Path Traversal

Users can read arbitrary files via the log server. Apache DolphinScheduler users should upgrade to version 2.0.6 or higher.