ghsa

Cross Site Scripting (XSS) vulnerability in kevinpapst kimai2 in /src/Twig/Runtime/MarkdownExtension.php, allows attackers to gain escalated privileges.

### Impact An attacker can use XSS to send a malicious script to an unsuspecting user. ### Patches Update to version 10.5.17 or apply this patch manually https://github.com/pimcore/pimcore/pull/14301.patch ### Workarounds Apply https://github.com/pimcore/pimcore/pull/14301.patch manually. ### References https://huntr.dev/bounties/75bc7d07-46a7-4ed9-a405-af4fc47fb422/

### Impact Previous versions of Kiwi TCMS do not impose rate limits which makes it easier to attempt brute-force attacks against the login page. ### Patches Users should upgrade to v12.0 or later. ### Workarounds Users may install and configure a rate-limiting proxy in front of Kiwi TCMS. For example nginx. ### References [Disclosed by spyata](https://huntr.dev/bounties/2b1a9be9-45e9-490b-8de0-26a492e79795/)

### Impact Previous versions of Kiwi TCMS do not impose rate limits which makes it easier to attempt denial-of-service attacks against the Password reset page. An attacker could potentially send a large number of emails if they know the email addresses of users in Kiwi TCMS. Additionally that may strain SMTP resources. ### Patches Users should upgrade to v12.0 or later. ### Workarounds Users may install and configure a rate-limiting proxy in front of Kiwi TCMS such as Nginx and/or configure rate limits on their email server when possible. ### References [Disclosed by Ahmed Rabeaa Mosaa](https://huntr.dev/bounties/3b712cb6-3fa3-4f71-8562-7a7016c6262e)

### Summary The request body parsing in `starlite` allows a potentially unauthenticated attacker to consume a large amount of CPU time and RAM. ### Details The multipart body parser processes an unlimited number of file parts. The multipart body parser processes an unlimited number of field parts. ### Impact This is a remote, potentially unauthenticated Denial of Service vulnerability. This vulnerability affects applications with a request handler that accepts a `Body(media_type=RequestEncodingType.MULTI_PART)`. The large amount of CPU time required for processing requests can block all available worker processes and significantly delay or slow down the processing of legitimate user requests. The large amount of RAM accumulated while processing requests can lead to Out-Of-Memory kills. Complete DoS is achievable by sending many concurrent multipart requests in a loop.

Browsers may allow "nameless" cookies that look like `=value` instead of `key=value`. A vulnerable browser may allow a compromised application on an adjacent subdomain to exploit this to set a cookie like `=__Host-test=bad` for another subdomain. Werkzeug <= 2.2.2 will parse the cookie `=__Host-test=bad` as `__Host-test=bad`. If a Werkzeug application is running next to a vulnerable or malicious subdomain which sets such a cookie using a vulnerable browser, the Werkzeug application will see the bad cookie value but the valid cookie key.

Werkzeug's multipart form data parser will parse an unlimited number of parts, including file parts. Parts can be a small amount of bytes, but each requires CPU time to parse and may use more memory as Python data. If a request can be made to an endpoint that accesses `request.data`, `request.form`, `request.files`, or `request.get_data(parse_form_data=False)`, it can cause unexpectedly high resource usage. This allows an attacker to cause a denial of service by sending crafted multipart data to an endpoint that will parse it. The amount of CPU time required can block worker processes from handling legitimate requests. The amount of RAM required can trigger an out of memory kill of the process. Unlimited file parts can use up memory and file handles. If many concurrent requests are sent continuously, this can exhaust or kill all available workers.

Jenkins Pipeline: Build Step Plugin 2.18 and earlier does not escape job names in a JavaScript expression used in the Pipeline Snippet Generator, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers able to control job names.

Jenkins JUnit Plugin 1166.va_436e268e972 and earlier does not escape test case class names in JavaScript expressions, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers able to control test case class names in the JUnit resources processed by the plugin.

Jenkins Email Extension Plugin 2.93 and earlier does not escape various fields included in bundled email templates, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers able to control affected fields.