ghsa

Hashicorp Boundary is vulnerable to Clickjacking which allow for the interception of login credentials, re-direction of users to malicious sites, or causing users to perform malicious actions on the site.

### Impact The Snowboard framework in affected versions is vulnerable to prototype pollution in the main Snowboard class as well as its plugin loader. ### Patches This issue has been patched in https://github.com/wintercms/winter/commit/2a13faf99972e84c9661258f16c4750fa99d29a1 (for 1.2) and https://github.com/wintercms/winter/commit/bce4b59584abf961e9400af3d7a4fd7638e26c7f (for 1.1) and is available with Winter v1.1.10 and v1.2.1. ### Workarounds If you have not yet upgraded, or are using the 1.1 branch of Winter (1.1.8 or above), you can avoid this issue by following some common security practices for JavaScript, including implementing a [content security policy](https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP) and auditing your scripts. The 1.0 branch of Winter is not affected, as it does not contain the Snowboard framework. ### For more information If you have any questions or comments about this advisory: - Email us at [hello@wintercms.com](mailto:hello@wintercms.co...

actionpack from the Ruby on Rails project is vulnerable to Cross-site Scripting in the Route Error Page. This issue has been patched with this [commit](https://github.com/rails/rails/commit/be177e4566747b73ff63fd5f529fab564e475ed4). There are no known workarounds for this issue.

Business Logic Errors in GitHub repository ikus060/rdiffweb prior to 2.5.0a7.

When the host header does not match a configured host, `twisted.web.vhost.NameVirtualHost` will return a `NoResource` resource which renders the Host header unescaped into the 404 response allowing HTML and script injection. Example configuration: ```python from twisted.web.server import Site from twisted.web.vhost import NameVirtualHost from twisted.internet import reactor resource = NameVirtualHost() site = Site(resource) reactor.listenTCP(8080, site) reactor.run() ``` Output: ``` ❯ curl -H"Host:<h1>HELLO THERE</h1>" http://localhost:8080/ <html> <head><title>404 - No Such Resource</title></head> <body> <h1>No Such Resource</h1> <p>host b'<h1>hello there</h1>' not in vhost map</p> </body> </html> ``` This vulnerability was introduced in f49041bb67792506d85aeda9cf6157e92f8048f4 and first appeared in the 0.9.4 release.

### Impact _What kind of vulnerability is it? Who is impacted?_ We’d like to disclose an arbitrary code execution vulnerability in `jupyter_core` that stems from `jupyter_core` executing untrusted files in the current working directory. This vulnerability allows one user to run code as another. ### Patches _Has the problem been patched? What versions should users upgrade to?_ Users should upgrade to `jupyter_core>=4.11.2`. ### Workarounds _Is there a way for users to fix or remediate the vulnerability without upgrading?_ No ### References _Are there any links users can visit to find out more?_ Similar advisory in [IPython](https://github.com/advisories/GHSA-pq7m-3gw7-gq5x)

Apache IoTDB versions 0.12.2 through 0.12.6, and 0.13.0 through 0.13.2 are vulnerable to a Denial of Service attack when accepting untrusted patterns for REGEXP queries with Java 8. This issue is patched in 0.13.3. Users should upgrade or use a later version of Java to avoid it.

In Apache Linkis <=1.2.0 when used with the MySQL Connector/J, a deserialization vulnerability with possible remote code execution impact exists when an attacker has write access to a database and configures a JDBC EC with a MySQL data source and malicious parameters. Therefore, the parameters in the jdbc url should be blacklisted. This issue is patched in version 1.3.0, and users are recommended to upgrade.

Flume’s JMSSource class can be configured with a providerUrl parameter. A JNDI lookup is performed on this name without performing validation. This could result in untrusted data being deserialized, leading to remote code execution (RCE) attack when a configuration uses a JMS Source with an unsafe providerURL. This issue is fixed in version 1.11.0.

Badaso allows an unauthenticated remote attacker to execute arbitrary code remotely on the server. This is possible because the application does not properly validate the data uploaded by users.