Security
Headlines
HeadlinesLatestCVEs

Tag

#git

CVE-2023-5320: fix: only URLs should be allowed · thorsten/phpMyFAQ@e923695

Cross-site Scripting (XSS) - DOM in GitHub repository thorsten/phpmyfaq prior to 3.1.18.

CVE
Open in Source
#xss#vulnerability#git#php
CVE-2023-5317: fix: allow only valid URLs for instances · thorsten/phpMyFAQ@ec551bd

Cross-site Scripting (XSS) - Stored in GitHub repository thorsten/phpmyfaq prior to 3.1.18.

CVE-2023-5316: fix: added missing conversion to HTML entities · thorsten/phpMyFAQ@332d2e4

Cross-site Scripting (XSS) - DOM in GitHub repository thorsten/phpmyfaq prior to 3.1.18.

CVE-2023-5318: huntr – Security Bounties for any GitHub repository

Use of Hard-coded Credentials in GitHub repository microweber/microweber prior to 2.0.

CVE-2023-5319: huntr – Security Bounties for any GitHub repository

Cross-site Scripting (XSS) - Stored in GitHub repository thorsten/phpmyfaq prior to 3.1.18.

CVE-2023-5227: feat: added check for valid image MIME types · thorsten/phpMyFAQ@abf5248

Unrestricted Upload of File with Dangerous Type in GitHub repository thorsten/phpmyfaq prior to 3.1.8.

GHSA-7fh5-64p2-3v2j: PostCSS line return parsing error

An issue was discovered in PostCSS before 8.4.31. It affects linters using PostCSS to parse external Cascading Style Sheets (CSS). There may be `\r` discrepancies, as demonstrated by `@font-face{ font:(\r/*);}` in a rule.

CVE-2023-44270: postcss/lib/tokenize.js at main · postcss/postcss

An issue was discovered in PostCSS before 8.4.31. It affects linters using PostCSS to parse external Cascading Style Sheets (CSS). There may be \r discrepancies, as demonstrated by @font-face{ font:(\r/*);} in a rule.

GHSA-jm6m-4632-36hf: Composer Remote Code Execution vulnerability via web-accessible composer.phar

### Impact Users publishing a composer.phar to a public web-accessible server where the composer.phar can be executed as a php file may be impacted if PHP also has `register_argc_argv` enabled in php.ini. ### Patches 2.6.4, 2.2.22 and 1.10.27 patch this vulnerability. ### Workarounds Make sure `register_argc_argv` is disabled in php.ini, and avoid publishing composer.phar to the web as this really should not happen.

GHSA-hq58-p9mv-338c: CometBFT's default for `BlockParams.MaxBytes` consensus parameter may increase block times and affect consensus participation

## Amulet Security Advisory for CometBFT: ASA-2023-002 **Component**: CometBFT **Criticality:** Low **Affected versions:** All **Affected users:** Validators, Chain Builders + Maintainers # Summary A default configuration in CometBFT has been found to be large for common use cases, and may affect block times and consensus participation when fully utilized by chain participants. It is advised that chains consider their specific needs for their use case when setting the `BlockParams.MaxBytes` consensus parameter. Chains are encouraged to evaluate the impact of having proposed blocks with the maximum allowed block size, especially on bandwidth usage and block latency. Additionally, the `timeout_propose` parameter should be computed using the maximum allowed block size as a reference. This issue does not represent an actively exploitable vulnerability that would result in a direct loss of funds, however it may have a slight impact on block latency depending on a network’s topography. W...