Security
Headlines
HeadlinesLatestCVEs

Tag

#auth

GHSA-2v3v-3whp-953h: starcitizentools/citizen-skin allows stored XSS in user registration date message

### Summary Various date messages returned by `Language::userDate` are inserted into raw HTML, allowing anybody who can edit those messages to insert arbitrary HTML into the DOM. ### Details The result of `$this->lang->userDate( $timestamp, $this->user )` returns unescaped values, but is inserted as raw HTML by Citizen: https://github.com/StarCitizenTools/mediawiki-skins-Citizen/blob/072e4365e9084e4b153eac62d3666566c06f5a49/includes/Components/CitizenComponentUserInfo.php#L55-L60 ### PoC 1. Go to any page using citizen with the uselang parameter set to x-xss and while being logged in Depending on the registration date of the account you're logged in with, various messages can be shown. In my case, it's `november`: ![image](https://github.com/user-attachments/assets/252a3453-99c8-4ce1-b6d6-a8485b7a9a43) ### Impact This impacts wikis where a group has the `editinterface` but not the `editsitejs` user right.

ghsa
Open in Source
#xss#vulnerability#js#git#php#auth
GHSA-jwr7-992g-68mh: starcitizentools/citizen-skin allows stored XSS in preference menu heading messages

### Summary Various preferences messages are inserted into raw HTML, allowing anybody who can edit those messages to insert arbitrary HTML into the DOM. ### Details The `innerHtml` of the label div is set to the `textContent` of the label, essentially unsanitizing the system messages: https://github.com/StarCitizenTools/mediawiki-skins-Citizen/blob/407052e7069bdeae927d6f1a2a1c9a45b473bf9a/resources/skins.citizen.preferences/addPortlet.polyfill.js#L18 ### PoC 1. Edit `citizen-feature-custom-font-size-name` (or any other message displayed in a heading in the preferences menu) to `<img src="" onerror="alert('citizen-feature-custom-font-size-name')">` (script tags don't work here due to the way the HTML is inserted) 2. Open the preferences menu ![image](https://github.com/user-attachments/assets/b75f100d-09cc-443c-b635-e9d6ab48d133)

GHSA-86xf-2mgp-gv3g: starcitizentools/citizen-skin allows stored XSS in search no result messages

### Summary The `citizen-search-noresults-title` and `citizen-search-noresults-desc` system messages are inserted into raw HTML, allowing anybody who can edit those messages to insert arbitrary HTML into the DOM. ### Details The system messages are inserted as raw HTML by the mustache template: https://github.com/StarCitizenTools/mediawiki-skins-Citizen/blob/407052e7069bdeae927d6f1a2a1c9a45b473bf9a/resources/skins.citizen.search/templates/TypeaheadPlaceholder.mustache#L8-L9 ### PoC 1. Edit `citizen-search-noresults-title` and `citizen-search-noresults-desc` to `<img src="" onerror="alert('citizen-search-noresults-title')">` and `<img src="" onerror="alert('citizen-search-noresults-desc')">` (script tags don't work here due to the way the HTML is inserted) 2. Open the search bar and search for a page that doesn't exist to get the "no results" messages to show up ![image](https://github.com/user-attachments/assets/cf2963bc-5c86-4a4d-8574-de92d89d6d81) ![image](https://github.com/user...

Here’s What Marines and the National Guard Can (and Can’t) Do at LA Protests

Pentagon rules sharply limit US Marines and National Guard activity in Los Angeles, prohibiting arrests, surveillance, and other customary police work.

GHSA-989c-m532-p2hv: Salt's worker process vulnerable to denial of service through file read operation

Worker process denial of service through file read operation. .A vulnerability exists in the Master's “pub_ret” method which is exposed to all minions. The un-sanitized input value “jid” is used to construct a path which is then opened for reading. An attacker could exploit this vulnerabilities by attempting to read from a filename that will not return any data, e.g. by targeting a pipe node on the proc file system.

GHSA-8pcp-r83j-fc92: Salt vulnerable to directory traversal attack in file receiving method

Directory traversal vulnerability in recv_file method allows arbitrary files to be written to the master cache directory.

GHSA-4j59-vv55-q6h3: Salt's salt.auth.pki module does not properly authenticate callers

The salt.auth.pki module does not properly authenticate callers. The "password" field contains a public certificate which is validated against a CA certificate by the module. This is not pki authentication, as the caller does not need access to the corresponding private key for the authentication attempt to be accepted.

GHSA-jh7c-xh74-h76f: Salt has minion event bus authorization bypass vulnerability

Minion event bus authorization bypass. An attacker with access to a minion key can craft a message which may be able to execute a job on other minions (>= 3007.0).

GHSA-7f3f-x5f5-79gw: Salt's file contents overwrite the VirtKey class

File contents overwrite the VirtKey class is called when “on-demand pillar” data is requested and uses un-validated input to create paths to the “pki directory”. The functionality is used to auto-accept Minion authentication keys based on a pre-placed “authorization file” at a specific location and is present in the default configuration.

GHSA-xh32-3m67-qjgf: Salt allows arbitrary directory creation or file deletion

Arbitrary directory creation or file deletion. In the find_file method of the GitFS class, a path is created using os.path.join using unvalidated input from the “tgt_env” variable. This can be exploited by an attacker to delete any file on the Master's process has permissions to.