#git

### Impact In JSONata versions `>= 1.4.0, < 1.8.7` and `>= 2.0.0, < 2.0.4`, a malicious expression can use the [transform operator](https://docs.jsonata.org/other-operators#-------transform) to override properties on the `Object` constructor and prototype. This may lead to denial of service, remote code execution or other unexpected behavior in applications that evaluate user-provided JSONata expressions. ### Patch This issue has been fixed in JSONata versions `>= 1.8.7` and `>= 2.0.4`. Applications that evaluate user-provided expressions should update ASAP to prevent exploitation. The following patch can be applied if updating is not possible. ```patch --- a/src/jsonata.js +++ b/src/jsonata.js @@ -1293,6 +1293,13 @@ var jsonata = (function() { } for(var ii = 0; ii < matches.length; ii++) { var match = matches[ii]; + if (match && (match.isPrototypeOf(result) || match instanceof Object.constructor)) { + ...

### Impact Windows-Only: The NSIS installer makes a system call to open cmd.exe via NSExec in the `.nsh` installer script. NSExec by default searches the current directory of where the installer is located before searching `PATH`. This means that if an attacker can place a malicious executable file named cmd.exe in the same folder as the installer, the installer will run the malicious file. ### Patches Fixed in https://github.com/electron-userland/electron-builder/pull/8059 ### Workarounds None, it executes at the installer-level before the app is present on the system, so there's no way to check if it exists in a current installer. ### References https://cwe.mitre.org/data/definitions/426.html https://cwe.mitre.org/data/definitions/427

### Summary Hello go-zero maintainer team, I would like to report a security concerning your CORS Filter feature. ### Details Go-zero allows user to specify a [CORS Filter](https://github.com/zeromicro/go-zero/blob/master/rest/internal/cors/handlers.go) with a configurable allows param - which is an array of domains allowed in CORS policy. However, the `isOriginAllowed` uses `strings.HasSuffix` to check the origin, which leads to bypass via domain like `evil-victim.com` ```go func isOriginAllowed(allows []string, origin string) bool { for _, o := range allows { if o == allOrigins { return true } if strings.HasSuffix(origin, o) { return true } } return false } ``` ### PoC Use code below as a PoC. Only requests from `safe.com` should bypass the CORS Filter ```go package main import ( "errors" "net/http" "github.com/zeromicro/go-zero/rest" ) func main() { svr := rest.MustNewServer(rest.RestConf{Port: 8888}, rest.WithRouter(mockedRouter{}), rest.WithCors("safe....

### Impact SQL injection can occur when all of the following conditions are met: 1. The non-default simple protocol is used. 2. A placeholder for a numeric value must be immediately preceded by a minus. 3. There must be a second placeholder for a string value after the first placeholder; both must be on the same line. 4. Both parameter values must be user-controlled. e.g. Simple mode must be enabled: ```go // connection string includes "prefer_simple_protocol=true" // or // directly enabled in code config.ConnConfig.PreferSimpleProtocol = true ``` Parameterized query: ```sql SELECT * FROM example WHERE result=-$1 OR name=$2; ``` Parameter values: `$1` => `-42` `$2` => `"foo\n 1 AND 1=0 UNION SELECT * FROM secrets; --"` Resulting query after preparation: ```sql SELECT * FROM example WHERE result=--42 OR name= 'foo 1 AND 1=0 UNION SELECT * FROM secrets; --'; ``` ### Patches The problem is resolved in v4.18.2. ### Workarounds Do not use the simple protocol or do not place ...

Wallos versions prior to 1.11.2 suffer from a remote shell upload vulnerability.

Petrol Pump Management System version 1.0 suffers from a remote shell upload vulnerability. This is a variant vector of attack in comparison to the original discovery attributed to SoSPiro in February of 2024.

Petrol Pump Management Software version 1.0 suffers from a remote SQL injectionvulnerability.

Petrol Pump Management Software version 1.0 suffers from multiple cross site scripting vulnerabilities.

Easywall version 0.3.1 suffers from an authenticated remote command execution vulnerability.

Employee Management System version 1.0-2024 suffers from a remote SQL injection vulnerability. Original discovery of this finding is attributed to Ozlem Balci in January of 2024.