Security Headlines: Latest CVEs

Source: ghsa
GHSA-q95h-cqrv-8jv5: ExifTool vulnerable to arbitrary code execution

### Impact

Arbitrary code execution can occur when running `exiftool` against files with hostile metadata payloads.

### Patches

ExifTool has already been patched in version 12.24. `exiftool_vendored.rb`, which vendors ExifTool, includes this patch in [v12.25.0](https://github.com/exiftool-rb/exiftool_vendored.rb/releases/tag/v12.25.0).

### Workarounds

None.

### References

- https://twitter.com/wcbowling/status/1385803927321415687
- https://nvd.nist.gov/vuln/detail/CVE-2021-22204

### For more information

If you have any questions or comments about this advisory, open an issue in [exiftool_vendored.rb](https://github.com/exiftool-rb/exiftool_vendored.rb/issues).

GHSA-hj4g-4w36-x8hp: Kraken has arbitrary file read vulnerability via component testfs

kraken <= 0.1.4 has an arbitrary file read vulnerability via the component `testfs`.

GHSA-7cp7-jfp6-jh4f: Shopware's log module vulnerable to Improper Output Neutralization

### Impact

The log module contains all kinds of sent mails. It is possible to see the password reset emails of customers and admin users and thereby probably gain more access.

### Patches

Update to the latest 6.4.18.1 version.

### Workarounds

- For older versions of 6.1, 6.2, and 6.3, corresponding security measures are also available via a plugin. For the full range of functions, we recommend updating to the latest Shopware version.
- Remove the log module ACL rights from all users.
- [Disable logging](https://developer.shopware.com/docs/guides/hosting/performance/performance-tweaks#logging)

### References

https://docs.shopware.com/en/shopware-6-en/security-updates/security-update-01-2023?category=security-updates

GHSA-6g8q-qfpv-57wp: CakePHP vulnerable to SQL injection

### Impact

The `Cake\Database\Query::limit()` and `Cake\Database\Query::offset()` methods are vulnerable to SQL injection if passed un-sanitized user request data.

### Patches

This issue has been fixed in 4.2.12, 4.3.11, and 4.4.10.

### Workarounds

Using CakePHP's Pagination library will mitigate this issue, as will validating or casting parameters to these methods.

### References

https://bakery.cakephp.org/2023/01/06/cakephp_4211_4311_4410_released.html

GHSA-mc52-jpm2-cqh6: Deno is vulnerable to race condition via interactive permission prompt spoofing

### Impact

Multi-threaded programs were able to spoof the interactive permission prompt by rewriting it to suggest that the program is waiting on user confirmation for an unrelated action. A malicious program could clear the terminal screen after the permission prompt was shown and write a generic message like so:

```
// Expected prompt
⚠️  ┌ Deno requests read access to "./log.txt".
    ├ Requested by `Deno.open()` API
    ├ Run again with --allow-read to bypass this prompt.
    └ Allow? [y/n] (y = yes, allow; n = no, deny) >

// Prompt that users would see
Do you want to continue?
```

This situation impacts users who use the Web Worker API and relied on the interactive permission prompt. The reproduction is very timing sensitive and can't be reliably reproduced on every try. This problem cannot be exploited on systems that do not attach an interactive prompt (for example headless servers).

### Patches

The problem has been fixed in Deno v1.29.3; it is recommended all users update to this versio...

GHSA-6vf6-g3pr-j83h: pimcore is vulnerable to cross-site scripting via "title field" in data objects

### Impact

The vulnerability is capable of resulting in stolen user cookies.

#### Proof of Concept

```
Login with dev account https://11.x-dev.pimcore.fun/admin/?_dc=1670962076&perspective=
Go to setting --> data objects --> classes --> events
Click media under general settings
Add payload in title field.
Go to data objects module and open events, xss will trigger

// PoC.js
"><iMg SrC="x" oNeRRor="alert(xss);">
```

### Patches

Update to version 10.5.14 or apply this patch manually: https://github.com/pimcore/pimcore/pull/13916.patch

### Workarounds

Apply https://github.com/pimcore/pimcore/pull/13916.patch manually.

### References

https://huntr.dev/bounties/129d6a4b-0504-4de1-a72c-3f12c4552343/

GHSA-pc99-qmg4-rcff: act vulnerable to arbitrary file upload in artifact server

### Impact

The artifact server that stores artifacts from GitHub Action runs does not sanitize path inputs. This allows an attacker to download and overwrite arbitrary files on the host from a GitHub Action. This issue may lead to privilege escalation.

#### Issue 1: Arbitrary file upload in artifact server (GHSL-2023-004)

The [/upload endpoint](https://github.com/nektos/act/blob/v0.2.35/pkg/artifacts/server.go#LL103C2-L103C2) is vulnerable to path traversal as `filePath` is user controlled, and ultimately flows into `os.Mkdir` and `os.Open`.

```go
router.PUT("/upload/:runId", func(w http.ResponseWriter, req *http.Request, params httprouter.Params) {
	itemPath := req.URL.Query().Get("itemPath")
	runID := params.ByName("runId")

	if req.Header.Get("Content-Encoding") == "gzip" {
		itemPath += gzipExtension
	}

	filePath := fmt.Sprintf("%s/%s", runID, itemPath)
```

#### Issue 2: Arbitrary file download in artifact server (GHSL-2023-004)

The [/artifact endpoint](https://github.com/nektos...
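The missing check in the handler above is that the joined path is never confined to the run's artifact directory. Below is an added illustration of such a confinement check, written for this page and not taken from act: `SafeArtifactPath`, its `artifactRoot` argument and the `.gz` suffix (standing in for the advisory's `gzipExtension`) are assumptions.

```go
package main

import (
	"errors"
	"fmt"
	"path/filepath"
	"strings"
)

// ErrEscapes is returned when a user-supplied path would resolve outside
// the directory it is supposed to live in.
var ErrEscapes = errors.New("artifact path escapes its directory")

// within reports whether child is a strict descendant of parent after both
// have been cleaned. The trailing separator stops "/a/run1-evil" from
// matching "/a/run1" by plain prefix.
func within(parent, child string) bool {
	return strings.HasPrefix(child, filepath.Clean(parent)+string(filepath.Separator))
}

// SafeArtifactPath joins a trusted artifactRoot with the user-controlled
// runID and itemPath from the request, then verifies that the run directory
// stays inside the root and the item stays inside the run directory.
// Hypothetical helper, not act's code.
func SafeArtifactPath(artifactRoot, runID, itemPath string, gzip bool) (string, error) {
	if gzip {
		itemPath += ".gz" // assumed value of the advisory's gzipExtension
	}
	// filepath.Clean collapses "..", "." and repeated separators, so the
	// prefix checks cannot be fooled by input such as "a/../../b".
	runDir := filepath.Clean(filepath.Join(artifactRoot, runID))
	full := filepath.Clean(filepath.Join(runDir, itemPath))
	// An absolute item name is never a valid relative artifact path; reject it
	// even though filepath.Join would otherwise keep it under runDir.
	if filepath.IsAbs(itemPath) || !within(artifactRoot, runDir) || !within(runDir, full) {
		return "", ErrEscapes
	}
	return full, nil
}

func main() {
	// Constructed sample inputs: one benign item path and one traversal attempt.
	for _, p := range []string{"logs/out.txt", "../../etc/passwd"} {
		got, err := SafeArtifactPath("/srv/artifacts", "run1", p, false)
		fmt.Printf("%q -> %q (err=%v)\n", p, got, err)
	}
}
```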

GHSA-hm7f-rq7q-j9xp: @builder.io/qwik vulnerable to Cross-site Scripting

@builder.io/qwik prior to version 0.16.2 is vulnerable to cross-site scripting due to attribute names and the class attribute values not being properly handled.

GHSA-6w89-c65w-jx2c: Jeecg-boot is vulnerable to SQL injection

Jeecg-boot v3.4.4 was discovered to contain a SQL injection vulnerability via the component `/sys/dict/queryTableData`. A patch was released in commit 0fc374.

GHSA-xgv7-pqqh-h2w9: jruby-openssl gem for JRuby fails to do proper certificate validation

A security problem involving peer certificate verification was found where failed verification silently did nothing, making affected applications vulnerable to attackers. Attackers could lead a client application to believe that a secure connection to a rogue SSL server is legitimate. Attackers could also penetrate client-validated SSL server applications with a dummy certificate.