ghsa

### Impact The [graphql-upload](https://www.npmjs.com/package/graphql-upload) npm package can execute GraphQL operations contained in `content-type: multipart/form-data` POST requests. Because they are POST requests, they can contain GraphQL mutations. Because they use `content-type: multipart/form-data`, they can be "simple requests" which are not preflighted by browsers. If your GraphQL server uses `graphql-upload` and uses `SameSite=None` cookies for authentication, then JS on any origin can cause browsers to send cookie-authenticated mutations to your GraphQL server, which will be executed without checking your CORS policy first. (The attack won't be able to see the response to the mutation if your CORS policy is set up properly, but the side effects of the mutation will still happen.) Additionally, if your GraphQL server uses `graphql-upload` relies on network properties for security (whether by explicitly looking at the client's IP address or by only being available on a privat...

HashiCorp Nomad and Nomad Enterprise 1.0.2 up to 1.2.12, and 1.3.5 jobs submitted with an artifact stanza using invalid S3 or GCS URLs can be used to crash client agents. Fixed in 1.2.13, 1.3.6, and 1.4.0.

An issue in the fetch() method in the BasicProfile class of org.ini4j before v0.5.4 allows attackers to cause a Denial of Service (DoS) via unspecified vectors.

Apache Shiro before 1.10.0, Authentication Bypass Vulnerability in Shiro when forwarding or including via RequestDispatcher.

## Description Microsoft is releasing this security advisory to provide information about a vulnerability in .NET 7.0.0-rc, .NET 6.0, .NET Core 3.1, and NuGet (NuGet.exe, NuGet.Commands, NuGet.CommandLine, NuGet.Protocol). This advisory also provides guidance on what developers can do to update their applications to remove this vulnerability. A vulnerability exists in .NET 7.0.0-rc.1, .NET 6.0, .NET Core 3.1, and NuGet clients (NuGet.exe, NuGet.Commands, NuGet.CommandLine, NuGet.Protocol) where a malicious actor could cause a user to execute arbitrary code. ## Affected software ### NuGet & NuGet Packages - Any NuGet.exe, NuGet.Commands, NuGet.CommandLine, NuGet.Protocol 6.3.0 version or earlier. - Any NuGet.exe, NuGet.Commands, NuGet.CommandLine, NuGet.Protocol 6.2.1 version or earlier. - Any NuGet.exe, NuGet.Commands, NuGet.CommandLine, NuGet.Protocol 6.0.2 version or earlier. - Any NuGet.exe, NuGet.Commands, NuGet.CommandLine, NuGet.Protocol 5.11.2 version or earlier. - Any NuGe...

### Impact Attackers can read arbitrary files on affected versions of `melisplatform/melis-asset-manager`, leading to the disclosure of sensitive information. Conducting this attack does not require authentication. Users should immediately upgrade to `melisplatform/melis-asset-manager` >= 5.0.1. ### Patches This issue was addressed by restricting access to files to intended directories only. ### References - https://github.com/melisplatform/melis-asset-manager/commit/a0f75918c049aff78953a0bc91c585153595d1bd ### For more information If you have any questions or comments about this advisory, you can contact: - The original reporters, by sending an email to vulnerability.research [at] sonarsource.com; - The maintainers, by opening an issue on this repository.

### Impact Attackers can deserialize arbitrary data on affected versions of `melisplatform/melis-cms`, and ultimately leads to the execution of arbitrary PHP code on the system. Conducting this attack does not require authentication. Users should immediately upgrade to `melisplatform/melis-cms` >= 5.0.1. ### Patches This issue was addressed by restricting allowed classes when deserializing user-controlled data. ### References - https://github.com/melisplatform/melis-cms/commit/d124b2474699a679a24ec52620cadceb3d4cec11 ### For more information If you have any questions or comments about this advisory, you can contact: - The original reporters, by sending an email to vulnerability.research [at] sonarsource.com; - The maintainers, by opening an issue on this repository.

### Impact Attackers can deserialize arbitrary data on affected versions of `melisplatform/melis-front`, and ultimately leads to the execution of arbitrary PHP code on the system. Conducting this attack does not require authentication. Users should immediately upgrade to `melisplatform/melis-front` >= 5.0.1. ### Patches This issue was addressed by restricting allowed classes when deserializing user-controlled data. ### References - https://github.com/melisplatform/melis-front/commit/89ae612d5f1f7aa2fb621ee8de27dffe1feb851e ### For more information If you have any questions or comments about this advisory, you can contact: - The original reporters, by sending an email to vulnerability.research [at] sonarsource.com; - The maintainers, by opening an issue on this repository.

### Impact A prototype pollution vulnerability exists in the function copy in dom.js in the xmldom (published as @xmldom/xmldom) package before 0.8.3. ### Patches Update to `@xmldom/xmldom@0.8.3` or higher or to `@xmldom/xmldom@0.9.0-beta.2` or higher if you are on the dist-tag `next`. ### Workarounds No, if you can not update to v0.8.3, please let us know, we would be able to also provide a patch update for version 0.7.x if required. ### References https://github.com/xmldom/xmldom/pull/437 ### For more information If you have any questions or comments about this advisory: * Email us at security@xmldom.org * Add information to https://github.com/xmldom/xmldom/issue/436

### Observation To handle dependencies that come from a Git repository, Poetry executes various commands, e.g. `git config`. These commands are being executed using the executable’s name and not its absolute path. This can lead to the execution of untrusted code due to the way Windows resolves executable names to paths. Unlike Linux-based operating systems, Windows searches for the executable in the current directory first and looks in the paths that are defined in the `PATH` environment variable afterward. If the current directory contains unknown and thus potentially malicious files, the directory could contain an executable named `git.exe` which would be executed by Poetry. Poetry calls executables by name when handling dependencies from Git. Note that there might be even more places where Poetry calls executables by name. ### Impact This vulnerability can lead to Arbitrary Code Execution, which would lead to the takeover of the system. If a developer is exploited, the attacker...