ghsa

### Description Due to the common practice of providing vulnerability details in markdown format, the Dependency-Track frontend renders them using the JavaScript library [Showdown](https://github.com/showdownjs/showdown). Showdown [does not have any XSS countermeasures built in](https://github.com/showdownjs/showdown/wiki/Markdown's-XSS-Vulnerability-(and-how-to-mitigate-it)), and versions before 4.6.1 of the Dependency-Track frontend did not encode or sanitize Showdown's output. This made it possible for arbitrary JavaScript included in vulnerability details via HTML attributes to be executed in context of the frontend. ### Impact Actors with the `VULNERABILITY_MANAGEMENT` permission can exploit this weakness by creating or editing a custom vulnerability and providing XSS payloads in any of the following fields: * Description * Details * Recommendation * References The payload will be executed for users with the `VIEW_PORTFOLIO` permission when browsing to the modified vulnerabil...

### Overview During our internal security assessment, it was discovered that OpenFGA versions `v0.2.3` and prior are vulnerable to authorization bypass under certain conditions. ### Am I affected? You are affected by this vulnerability if you are using `openfga/openfga` version `v0.2.3` and you added a tuple with a wildcard (*) assigned to a tupleset relation (the right hand side of a ‘from’ statement). ### How to fix that? Upgrade to version `v0.2.4`. ### Backward Compatibility This update is not backward compatible with any authorization model that uses wildcard on a tupleset relation.

### Overview During our internal security assessment, it was discovered that OpenFGA versions `v0.2.3` and prior are vulnerable to authorization bypass under certain conditions. ### Am I Affected? You are affected by this vulnerability if you are using `openfga/openfga` version `v0.2.3` or prior, and your model has a relation defined as a tupleset (the right hand side of a ‘from’ statement) that involves anything other than a direct relationship (e.g. ‘as self’) ### How to fix that? Upgrade to version `v0.2.4`. ### Backward Compatibility This update is not backward compatible. Any model involving rewritten tupleset relations will no longer be acceptable and has to be modified.

### Overview During our internal security assessment, it was discovered that `streamed-list-objects` endpoint was not validating the authorization header resulting in the disclosure of objects in the store. ### Am I Affected? You are affected by this vulnerability if you are using `openfga/openfga` version `v0.2.3` or prior and you are exposing the OpenFGA service to the internet. ### How to fix that? Upgrade to version `v0.2.4`. ### Backward Compatibility This update is backward compatible.

# Description In versions previous to 2.40.0, Azure CLI contains a vulnerability for potential code injection. Critical scenarios are where a hosting machine runs an Azure CLI command where parameter values have been provided by an external source. For example: Application X is a web application with a feature that allows users to create Secrets in an Azure KeyVault. Instead of constructing API calls based on user input, Application X uses Azure CLI commands to create the secrets. Application X has input fields presented to the user and the Azure CLI command parameter values are filled based on the user input fields. This input, when formed correctly, could potentially be run as system commands. Below is an example of the resulting Azure CLI command run on the web app's hosting machine. ```bash az keyvault secret set --vault-name SomeVault --name foobar --value "abc123|whoami" ``` The above command could potentially run the `whoami` command on the hosting machine. Interactive, i...

### Impact The actions runner invokes the docker cli directly in order to run job containers, service containers, or container actions. A bug in the logic for how the environment is encoded into these docker commands was discovered that allows an input to escape the environment variable and modify that docker command invocation directly. Jobs that use [container actions](https://docs.github.com/en/actions/creating-actions/creating-a-docker-container-action), [job containers](https://docs.github.com/en/actions/using-jobs/running-jobs-in-a-container), or [service containers](https://docs.github.com/en/actions/using-containerized-services/about-service-containers) alongside untrusted user inputs in environment variables may be vulnerable. ### Patches The Actions Runner has been patched, both on `github.com` and hotfixes for GHES and GHAE customers. Please update to one of the following versions of the runner: - 2.296.2 - 2.293.1 - 2.289.4 - 2.285.2 - 2.283.4 GHES and GHAE customers may...

A vulnerability in Batik of Apache XML Graphics allows an attacker to run untrusted Java code from an SVG. This issue affects Apache XML Graphics prior to 1.16. It is recommended to update to version 1.16.

A vulnerability in Batik of Apache XML Graphics allows an attacker to run Java code from untrusted SVG via JavaScript. This issue affects Apache XML Graphics prior to 1.16. Users are recommended to upgrade to version 1.16.

Apache Geode versions up to 1.15.0 are vulnerable to a Cross-Site Scripting (XSS) via data injection when using Pulse web application to view Region entries.

The collection remote for pulp_ansible stores tokens in plaintext instead of using pulp's encrypted field and exposes them in read/write mode via the API () instead of marking it as write only.