#vulnerability

Red Hat Security Advisory 2024-6818-03 - Red Hat OpenShift Container Platform release 4.15.34 is now available with updates to packages and images that fix several bugs and add enhancements. Issues addressed include a denial of service vulnerability.

Red Hat Security Advisory 2024-6811-03 - Red Hat OpenShift Container Platform release 4.13.51 is now available with updates to packages and images that fix several bugs and add enhancements. Issues addressed include a denial of service vulnerability.

Complete Multi Hospital Management System version 1.0 suffers from a backup disclosure vulnerability.

Traccar version 5.1 suffers from a PHP code injection vulnerability.

sqlite-vec v0.1.1 was discovered to contain a heap buffer overflow via the npy_token_next function. This vulnerability allows attackers to cause a Denial of Service (DoS) via a crafted file.

A remote command execution (RCE) vulnerability in promptr v6.0.7 allows attackers to execute arbitrary commands via a crafted URL.

Unquoted Search Path or Element vulnerability in Grafana Agent (Flow mode) on Windows allows Privilege Escalation from Local User to SYSTEM. This issue affects Agent Flow before 0.43.3.

Unquoted Search Path or Element vulnerability in Grafana Alloy on Windows allows Privilege Escalation from Local User to SYSTEM. This issue affects Alloy: before 1.3.4, from 1.4.0-rc.0 and prior to 1.4.1.

### Impact Multipart file upload support as defined in the [GraphQL multipart request specification](https://github.com/jaydenseric/graphql-multipart-request-spec) was enabled by default in all Strawberry HTTP view integrations. This made all Strawberry HTTP view integrations vulnerable to CSRF attacks if users did not explicitly enable CSRF preventing security mechanism for their servers. Additionally, the Django HTTP view integration, in particular, had an exemption for Django's built-in CSRF protection (i.e., the `CsrfViewMiddleware` middleware) by default. In affect, all Strawberry integrations were vulnerable to CSRF attacks by default. ### Patches Version `v0.243.0` is the first `strawberry-graphql` including a patch. Check out our [documentation](https://strawberry.rocks/docs/breaking-changes/0.243.0) for additional details and upgrade instructions. ### References - [Strawberry upgrade guide](https://strawberry.rocks/docs/breaking-changes/0.243.0) - [Multipart Upload Secur...

### Impact During a recent internal audit, a Cross-Site Scripting (XSS) vulnerability was identified in the CKEditor 5 clipboard package. This vulnerability could be triggered by a specific user action, leading to unauthorized JavaScript code execution, if the attacker managed to insert a malicious content into the editor, which might happen with a very specific editor configuration. This vulnerability affects **only** installations where the editor configuration meets the following criteria: 1. The [**Block Toolbar**](https://ckeditor.com/docs/ckeditor5/latest/getting-started/setup/toolbar.html#block-toolbar) plugin is enabled. 1. One of the following plugins is also enabled: - [**General HTML Support**](https://ckeditor.com/docs/ckeditor5/latest/features/html/general-html-support.html) with a configuration that permits unsafe markup. - [**HTML Embed**](https://ckeditor.com/docs/ckeditor5/latest/features/html/html-embed.html). ### Patches The problem has been recognized and...