Security
Headlines
HeadlinesLatestCVEs

Tag

#git

GHSA-88g2-xgh9-4ph2: OroCommerce get-totals-for-checkout API endpoint returns unwanted data

Detailed Checkout totals information may be received by Checkout ID

ghsa
Open in Source
#vulnerability#git
GHSA-8gwj-68w6-7v6c: OroCommerce Customer Portal Incorrect Customer and Customer Group Frontend Menus pages visibility

Back-office users can access information about Customer and Customer User menus, bypassing ACL security restrictions due to insufficient security checks.

GHSA-897w-jv7j-6r7g: OroCRMCallBundle has incorrect call view page visibility

Back-office users can access information from any call event, bypassing ACL security restrictions due to insufficient security checks.

GHSA-x2xm-p6vq-482g: OroCalendarBundle has incorrect system calendar events visibility

OroPlatform is a package that assist system and user calendar management. Back-office users can access information from any system calendar event, bypassing ACL security restrictions due to insufficient security checks.

GHSA-9v3j-4j64-p937: OroPlatform vulnerable to path traversal during temporary file manipulations

### Impact Path Traversal is possible in `Oro\Bundle\GaufretteBundle\FileManager::getTemporaryFileName`. With this method, an attacker can pass the path to a non-existent file, which will allow writing the content to a new file that will be available during script execution. The file will be deleted immediately after the script ends. ### Workarounds Apply patch ```patch --- a/vendor/oro/platform/src/Oro/Bundle/GaufretteBundle/FileManager.php +++ b/vendor/oro/platform/src/Oro/Bundle/GaufretteBundle/FileManager.php @@ -614,6 +614,10 @@ */ public function getTemporaryFileName(string $suggestedFileName = null): string { + if ($suggestedFileName) { + $suggestedFileName = basename($suggestedFileName); + } + $tmpDir = ini_get('upload_tmp_dir'); if (!$tmpDir || !is_dir($tmpDir) || !is_writable($tmpDir)) { $tmpDir = sys_get_temp_dir(); ``` Or decorate `Oro\Bundle\GaufretteBundle\FileManager::getTemporaryFileName` in yo...

GHSA-9wwg-r3c7-4vfg: Pimcore Admin UI has Two Factor Authentication disabled for non admin security firewalls

### Impact `AdminBundle\Security\PimcoreUserTwoFactorCondition` introduced in v11 disable the two factor authentication for all non-admin security firewalls. An authenticated user can access the system without having to provide the 2 factor credentials. ### Patches Apply patch https://patch-diff.githubusercontent.com/raw/pimcore/admin-ui-classic-bundle/pull/345.patch ### Workarounds Upgrade to version 1.2.2 or apply the [patch](https://patch-diff.githubusercontent.com/raw/pimcore/admin-ui-classic-bundle/pull/345.patch) manually.

GHSA-q3qx-c6g2-7pw2: aiohttp's ClientSession is vulnerable to CRLF injection via version

### Summary Improper validation make it possible for an attacker to modify the HTTP request (e.g. to insert a new header) or even create a new HTTP request if the attacker controls the HTTP version. ### Details The vulnerability only occurs if the attacker can control the HTTP version of the request (including its type). For example if an unvalidated JSON value is used as a version and the attacker is then able to pass an array as the `version` parameter. Furthermore, the vulnerability only occurs when the `Connection` header is passed to the `headers` parameter. At this point, the library will use the parsed value to create the request. If a list is passed, then it bypasses validation and it is possible to perform CRLF injection. ### PoC The POC below shows an example of providing an unvalidated array as a version: https://gist.github.com/jnovikov/184afb593d9c2114d77f508e0ccd508e ### Impact CRLF injection leading to Request Smuggling. ### Workaround If these specific conditions a...

GHSA-qvrw-v9rv-5rjx: aiohttp's ClientSession is vulnerable to CRLF injection via method

### Summary Improper validation makes it possible for an attacker to modify the HTTP request (e.g. insert a new header) or even create a new HTTP request if the attacker controls the HTTP method. ### Details The vulnerability occurs only if the attacker can control the HTTP method (GET, POST etc.) of the request. Previous releases performed no validation on the provided value. If an attacker controls the HTTP method it will be used as is and can lead to HTTP request smuggling. ### PoC A minimal example can be found here: https://gist.github.com/jnovikov/7f411ae9fe6a9a7804cf162a3bdbb44b ### Impact If the attacker can control the HTTP version of the request it will be able to modify the request (request smuggling). ### Workaround If unable to upgrade and using user-provided values for the request method, perform manual validation of the user value (e.g. by restricting it to a few known values like GET, POST etc.).

GHSA-pjjw-qhg8-p2p9: aiohttp has vulnerable dependency that is vulnerable to request smuggling

### Summary llhttp 8.1.1 is vulnerable to two request smuggling vulnerabilities. Details have not been disclosed yet, so refer to llhttp for future information. The issue is resolved by using llhttp 9+ (which is included in aiohttp 3.8.6+).

CVE-2023-49145: Apache NiFi Security Reports

Apache NiFi 0.7.0 through 1.23.2 include the JoltTransformJSON Processor, which provides an advanced configuration user interface that is vulnerable to DOM-based cross-site scripting. If an authenticated user, who is authorized to configure a JoltTransformJSON Processor, visits a crafted URL, then arbitrary JavaScript code can be executed within the session context of the authenticated user. Upgrading to Apache NiFi 1.24.0 or 2.0.0-M1 is the recommended mitigation.