Tag

#php

GHSA-4c2w-v5rq-5mx7: eZ Platform Editor Cross-site Scripting (XSS)

This Security Advisory is about two issues of low to medium severity. We recommend that you install the update as soon as possible.

There is an XSS vulnerability in CKEditor, which is used by AlloyEditor, which is used in eZ Platform Admin UI. Scripts can be injected through specially crafted "protected" comments. We are not sure it is exploitable in eZ Platform, but recommend installing it to be on the safe side. It is fixed in CKEditor v4.14, AlloyEditor v2.11.9. It is distributed via Composer, for:

- eZ Platform v1.13.x: ezsystems/PlatformUIAssetsBundle v4.2.3 (included from ezsystems/PlatformUIBundle v1.13.x)
- eZ Platform v2.5.13: ezsystems/ezplatform-admin-ui-assets v4.2.1
- eZ Platform v3.0.*: ezsystems/ezplatform-admin-ui-assets v5.0.1
- eZ Platform v3.1.2: ezsystems/ezplatform-admin-ui-assets v5.1.1

Drafts that are sent to trash become visible in the Review Queue, even for users that were not able to see them before this action. It's not possible to preview them, but their title ...

GHSA-qvgg-r6rq-vwfx: datadog/dd-trace Circumvents open_basedir INI directive

datadog/dd-trace versions from 0.30.0 up to, but not including, 0.30.2 are affected by a security and stability issue outlined in PR [#579](https://github.com/DataDog/dd-trace-php/pull/579). This pull request ensures that the `ddtrace.request_init_hook` remains bound by the `open_basedir` INI directive, effectively addressing potential vulnerabilities related to `open_basedir` restrictions. The update introduces a sandboxing mechanism to isolate the request init hook from errors or exceptions during execution, enhancing the library's stability and preventing adverse impacts on the main script.

GHSA-wq43-8r5p-w3mc: contao/core PHP object injection vulnerability allows for arbitrary code execution

A PHP object injection vulnerability was identified in contao/core due to untrusted data being passed to the `deserialize()` function.

GHSA-wxxw-5gq6-j2g5: contao/core Insufficient input validation allows for code injection and remote execution

contao/core versions 2.x prior to 2.11.17 and 3.x prior to 3.2.9 are vulnerable to arbitrary code execution on the server due to insufficient input validation. Attackers can remove or change pathconfig.php by entering a URL, meaning that the entire Contao installation will no longer be accessible or malicious code can be executed.

GHSA-2m5g-8xpw-42vp: OpenCFP Framework (Sentry) Account takeover via null password reset codes

OpenCFP, an open-source conference talk submission system written in PHP, contains a security vulnerability in its third-party authentication framework, Sentry, developed by Cartalyst. The vulnerability stems from how Sentry handles password reset checks. Users lacking a password reset token stored in the database default to having NULL in the reset_password_code column. Exploiting this flaw could allow unauthorized manipulation of any OpenCFP user's password, particularly those without an unused password reset token. Although successful login still requires correlating the numeric user ID with an email address, the identification of likely organizers (users 1-5) may facilitate this process.

GHSA-pgj4-g5j4-cmfx: cart2quote/module-quotation-encoded Remote Code Execution via downloadCustomOptionAction

cart2quote/module-quotation-encoded extension may expose a critical security vulnerability by utilizing the unserialize function when processing data from a GET request. This flaw, present in the app/code/community/Ophirah/Qquoteadv/controllers/DownloadController.php and app/code/community/Ophirah/Qquoteadv/Helper/Data.php files, poses a significant risk of Remote Code Execution, especially when custom file options are employed on a product. Attackers exploiting this vulnerability could execute arbitrary code remotely, leading to unauthorized access and potential compromise of sensitive data.

GHSA-8v5x-6vv5-jv4g: amphp/http Host Header Injection vulnerability

amphp/http versions before 1.0.1 allow an attacker to supply invalid input in the Host header, which may lead to various types of Host header injection attacks.

GHSA-gm98-g2wf-7c68: amphp/artax Cookie leakage to wrong origins and non-restricted cookie acceptance

In artax versions before 1.0.6, and 2 before 2.0.6, cookies of `foo.bar.example.com` were leaked to `foo.bar`. Additionally, any site could set cookies for any other site. Artax fixed this issue by following newer browser implementations. Cookies can only be set on domains higher or equal to the current domain, but not on any public suffixes.

GHSA-8jp9-mpv9-98rj: amphp/http-client Header leakage on cross-domain redirects

amphp/http-client has a security weakness that might leak sensitive request headers from the initial request to the redirected host on cross-domain redirects, because those headers were not removed correctly. `Message::setHeaders` does not replace the entire set of headers, but only operates on the headers matching the given array keys.

GHSA-32rx-xvvr-4xv9: easyadmin-extension-bundle action case insensitivity

In alterphp/easyadmin-extension-bundle, role-based access rules do not handle action name case sensitivity, which may lead to unauthorized access.