Tag
#git
### Summary

As of Wasmer version v4.2.3, Wasm programs can access the filesystem outside of the sandbox.

### Details

https://github.com/wasmerio/wasmer/issues/4267

### PoC

A minimal Rust program:

```
fn main() {
    let f = std::fs::OpenOptions::new()
        .write(true)
        .create_new(true)
        .open("abc")
        .unwrap();
}
```

This should be compiled with `cargo build --target wasm32-wasi`. The compiled program, when run with wasmer WITHOUT `--dir`, can still create a file in the working directory.

### Impact

Service providers running untrusted Wasm code on Wasmer can unexpectedly expose the host filesystem.
#### Impact

A user with access to the backoffice can upload SVG files that include scripts. If the user can trick another user into loading the media directly in a browser, the scripts can be executed.

#### Workaround

Implement server-side file validation (https://docs.umbraco.com/umbraco-cms/reference/security/serverside-file-validation) or serve all media from a different host (e.g. a CDN) than where Umbraco is hosted.

#### Impact

A brute force exploit that can be used to collect valid usernames is possible.

#### Impact

A user enumeration attack is possible when SMTP is not set up correctly but reset password is enabled.

#### Impact

Users with low privileges (Editor, etc.) are able to access some unintended endpoints.

#### Impact

Backoffice users with permissions to create packages can use path traversal and thereby write outside of the expected location.

#### Impact

Cross-site scripting (XSS) enables attackers to bring malicious content into a website or application.

#### Impact

Backoffice users with send for approval permission but not publish permission are able to publish in some scenarios.
### Impact

contracts containing large arrays might underallocate the number of slots they need.

prior to v0.3.8, the calculation to determine how many slots a storage variable needed used `math.ceil(type_.size_in_bytes / 32)`: https://github.com/vyperlang/vyper/blob/6020b8bbf66b062d299d87bc7e4eddc4c9d1c157/vyper/semantics/validation/data_positions.py#L197

the intermediate floating point step can produce a rounding error if there are enough bits set in the IEEE-754 mantissa. roughly speaking, if `type_.size_in_bytes` is large (> 2**46), and slightly less than a power of 2, the calculation can overestimate how many slots are needed. if `type_.size_in_bytes` is slightly more than a power of 2, the calculation can underestimate how many slots are needed.

the following two example contracts can result in overwriting of the variable `vulnerable`:

```vyper
large_array: address[2**64 + 1]  # type_.size_in_bytes == 32 * (2**64 + 1); math.ceil(type_.size_in_bytes / 32) < 2**64 + 1
vulnerable:...
```
#### Impact

A user with access to a specific part of the backoffice is able to inject HTML code into a form where it is not intended.