https://vulnerability.circl.lu/rss/recent/github/30
Most recent entries from github
2024-05-18T07:34:30.514727+00:00
Vulnerability Lookup (python-feedgen). Contains only the 30 most recent entries.

https://vulnerability.circl.lu/vuln/ghsa-4rr6-gf59-ggw5 ghsa-4rr6-gf59-ggw5 2024-05-18T07:34:30.531316+00:00
Several widely-used JSON Web Token (JWT) libraries, including node-jsonwebtoken, pyjwt, namshi/jose, php-jwt, and jsjwt, are affected by critical vulnerabilities that could allow attackers to bypass the verification step when using asymmetric keys (RS256, RS384, RS512, ES256, ES384, ES512).

https://vulnerability.circl.lu/vuln/ghsa-7h74-7vcw-4mwp ghsa-7h74-7vcw-4mwp 2024-05-18T07:34:30.531305+00:00
Due to a missing signature (HMAC) for a request argument, an attacker could unserialize arbitrary objects within FLOW3. To our knowledge it is neither possible to inject code through this vulnerability, nor are there exploitable objects within the FLOW3 Base Distribution. However, there might be exploitable objects within user applications.

https://vulnerability.circl.lu/vuln/ghsa-5vv7-j593-mgjc ghsa-5vv7-j593-mgjc 2024-05-18T07:34:30.531294+00:00
It has been discovered that Flow 3.0.0 allows arbitrary file uploads, including server-side scripts, posing the risk of attacks. If those scripts are executed by the server when accessed through their public URL, anything not blocked through other means is possible (information disclosure, placement of backdoors, data removal, …). Note: The upload of files is only possible if the application built on Flow provides means to do so, and whether or not the upload of files poses a risk is dependent on the system setup. If uploaded script files are not executed by the server, there is no risk. In versions prior to 3.0.0 the upload of files with the extension php was blocked. In Flow 2.3.0 to 2.3.6 a potential XML External Entity processing vulnerability has been discovered in the MediaTypeConverter.

https://vulnerability.circl.lu/vuln/ghsa-9cw3-j7wg-jwj8 ghsa-9cw3-j7wg-jwj8 2024-05-18T07:34:30.531282+00:00
If you had used entity security and wanted to secure entities not just based on the user's role, but on some property of the user (like the company he belongs to), entity security did not work properly together with the Doctrine query cache. This could lead to other users re-using SQL queries from the cache which were built for other users; and thus users could see entities which were not destined for them.

### Am I affected?

- Do you use Entity Security? If no, you are not affected.
- Have you disabled the Doctrine cache (Flow_Persistence_Doctrine)? If this is the case, you are not affected.
- You use Entity Security in custom Flow or Neos applications. Read on.
- If you only used Entity Security based on roles (i.e. role A was allowed to see entities, but role B was denied): In this case, you are not affected.
- If you did more advanced stuff using Entity Security (like checking that a customer only sees his own orders, or a hotel only sees its own bookings), you very likely needed to register a custom global object in Neos.Flow.aop.globalObjects. In this case, you are affected by the issue and need to implement the CacheAwareInterface in your global object for proper caching.

All Flow versions (starting in version 3.0, where Entity Security was introduced) were affected.

https://vulnerability.circl.lu/vuln/ghsa-3c5g-73f7-grvm ghsa-3c5g-73f7-grvm 2024-05-18T07:34:30.531271+00:00
Due to reports it has been validated that internal workspaces in Neos are accessible without authentication. Some users assumed this is a planned feature, but it is not. A workspace preview should be an additional feature with respective security measures in place. Note that this only allows reading of internal workspaces, not writing. And for clarification, an internal workspace is a workspace that is non-public and doesn't have an owner.
Given that an internal workspace exists in your installation, it is possible to view a page in the context of that workspace by opening a link in this format: https://domain/path/to/page.html@workspace-name

The issue is quite problematic when exploited but at the same time slightly less impactful than it sounds. First of all there is no default internal workspace, so the issue affects only workspaces created by users. That also means the workspace-name, which will also always include a hash, is individual to a project and an exploiter must get hold of the workspace-name including the hash. This is non-trivial as there is no indication of the existence of it, but obviously brute force and educated guesses can be made.

https://vulnerability.circl.lu/vuln/ghsa-6pq8-67pw-j6hw ghsa-6pq8-67pw-j6hw 2024-05-18T07:34:30.531260+00:00
The PersistedUsernamePasswordProvider was prone to an information disclosure of account existence based on timing attacks, as the hashing of passwords was only done in case an account was found. We changed the core so that the provider always does a password comparison in case credentials were submitted at all.

https://vulnerability.circl.lu/vuln/ghsa-43cf-7f3h-38rg ghsa-43cf-7f3h-38rg 2024-05-18T07:34:30.531248+00:00
It has been discovered that TYPO3 Neos is vulnerable to Privilege Escalation. Logged-in editors could access, create and modify content nodes that exist in the workspace of other editors.

https://vulnerability.circl.lu/vuln/ghsa-6cj3-rc4p-f38f ghsa-6cj3-rc4p-f38f 2024-05-18T07:34:30.531236+00:00
It has been discovered that Neos is vulnerable to several XSS attacks. Through these vulnerabilities, an attacker could tamper with page rendering, redirect victims to a fake login page, or capture user credentials (such as cookies). With the potential backdoor upload an attacker could gain access to the server itself, to an extent mainly limited by the server setup.

### Reflected Cross-Site Scripting (SXSS) with authentication

A Neos backend user with permission to modify content can insert JavaScript instructions into content elements. The browser will execute the script in "Print" preview mode. A Neos backend user who can modify his profile information ("Title", "First Name", "Last name", "Middle Name", "Other Name") can inject JavaScript instructions in those parameters. Once set up, an administrator who wants to edit this user account will execute the code. Both attack vectors require a valid Neos backend user account.

### Reflected Cross-Site Scripting (RXSS) without authentication

A non-persistent XSS using parameters passed during plugin execution is possible. If invalid parameters are passed, an error message may be shown (depending on the context Neos runs in and how the parameters are handled) that contains the unescaped parameter value.

Note: Through the HTML content type the inclusion of arbitrary JavaScript is still possible for users with a valid Neos backend account. If you want to prohibit that, disable the nodetype or restrict access.

### Potential backdoor upload

Through an issue with the underlying Flow framework (see the related Flow advisory Flow-SA-2015-001) any editor with access to the Media Management module can upload server-side script files (when using Neos 2.0.x). If those scripts are executed by the server when accessed through their public URL, anything not blocked through other means is possible (information disclosure, placement of backdoors, data removal, …).

https://vulnerability.circl.lu/vuln/ghsa-rq6q-hjvh-5mwh ghsa-rq6q-hjvh-5mwh 2024-05-18T07:34:30.531224+00:00
A remote code execution vulnerability has been found in the Swift Mailer library (swiftmailer/swiftmailer) recently. [See this advisory for details](http://legalhackers.com/advisories/SwiftMailer-Exploit-Remote-Code-Exec-CVE-2016-10074-Vuln.html).
If you are not using the default mail() transport, this particular problem does not affect you. Upgrading is of course still recommended!

https://vulnerability.circl.lu/vuln/ghsa-r2r8-36pq-27cm ghsa-r2r8-36pq-27cm 2024-05-18T07:34:30.531212+00:00
Versions of nzo/url-encryptor-bundle prior to 5.0.1 and 4.3.2 are affected by a security vulnerability related to the lack of mandatory key and IV requirements. By default, the bundle uses the aes-256-ctr algorithm, which is susceptible to malleability attacks, potentially leading to Insecure Direct Object Reference (IDOR) vulnerabilities. Additionally, the reuse of keys enables users to decrypt and modify encrypted data if they can guess the plaintext of one ciphertext.

https://vulnerability.circl.lu/vuln/ghsa-9wrw-p9rm-r782 ghsa-9wrw-p9rm-r782 2024-05-18T07:34:30.531200+00:00
In order to verify signatures on LogoutRequests and LogoutResponses we use the verifySignature method of the class XMLSecurityKey from the xmlseclibs library. That method ends up calling openssl_verify(), depending on the signature algorithm used. The openssl_verify() function returns 1 when the signature was successfully verified, 0 if it failed to verify with the given key, and -1 in case an error occurs. PHP allows translating numerical values to boolean implicitly, with the following correspondences:

- 0 equals false.
- Non-zero equals true.

This means that an implicit conversion to boolean of the values returned by openssl_verify() will convert an error state, signaled by the value -1, to a successful verification of the signature (represented by the boolean true). The LogoutRequest/LogoutResponse signature validator was performing an implicit conversion to boolean of the values returned by the verify() method, which subsequently will return the same output as openssl_verify() under most circumstances. This means an error during signature verification is treated as a successful verification by the method.
Since the signature validation of SAMLResponses was not affected, the impact of this security vulnerability is lower, but an update of the php-saml toolkit is recommended.

https://vulnerability.circl.lu/vuln/ghsa-g48f-pgwh-wwxx ghsa-g48f-pgwh-wwxx 2024-05-18T07:34:30.531188+00:00
Vulnerability in onelogin/php-saml versions prior to 2.10.0 allows signature wrapping attacks which may result in a malicious user gaining unauthorized access to a system.

https://vulnerability.circl.lu/vuln/ghsa-3fmq-x9q6-wm39 ghsa-3fmq-x9q6-wm39 2024-05-18T07:34:30.531176+00:00
random_compat versions prior to 2.0 are affected by a security vulnerability related to the insecure usage of Cryptographically Secure Pseudo-Random Number Generators (CSPRNG). The affected versions use openssl_random_pseudo_bytes(), which may result in insufficient entropy and compromise the security of generated random numbers.

https://vulnerability.circl.lu/vuln/ghsa-m82c-2r7m-qgcj ghsa-m82c-2r7m-qgcj 2024-05-18T07:34:30.531163+00:00
In the Linux kernel through 6.7.2, an untrusted hypervisor can inject virtual interrupts 0 and 14 at any point in time and can trigger the SIGFPE signal handler in userspace applications. This affects AMD SEV-SNP and AMD SEV-ES.

https://vulnerability.circl.lu/vuln/ghsa-64vh-gcrh-6whf ghsa-64vh-gcrh-6whf 2024-05-18T07:34:30.531150+00:00
SSL/TLS renegotiation functionality potentially leading to a DoS attack vulnerability.

https://vulnerability.circl.lu/vuln/ghsa-6q9q-x3xj-g3m7 ghsa-6q9q-x3xj-g3m7 2024-05-18T07:34:30.530993+00:00
An attacker could potentially intercept credentials via the task manager and perform unauthorized access to the Client Deploy Tool on Windows systems.

https://vulnerability.circl.lu/vuln/ghsa-7ggm-4rjg-594w ghsa-7ggm-4rjg-594w 2024-05-18T07:34:30.530980+00:00
A remote code execution (RCE) vulnerability exists in the berriai/litellm project due to improper control of the generation of code when using the `eval` function unsafely in the `litellm.get_secret()` method. Specifically, when the server utilizes Google KMS, untrusted data is passed to the `eval` function without any sanitization. Attackers can exploit this vulnerability by injecting malicious values into environment variables through the `/config/update` endpoint, which allows for the update of settings in `proxy_server_config.yaml`.

https://vulnerability.circl.lu/vuln/ghsa-9328-gcfq-p269 ghsa-9328-gcfq-p269 2024-05-18T07:34:30.530969+00:00
In Tor Arti before 1.2.3, STUB circuits incorrectly have a length of 2 (with lite vanguards), aka TROVE-2024-003.

https://vulnerability.circl.lu/vuln/ghsa-c96h-cxx6-rmg9 ghsa-c96h-cxx6-rmg9 2024-05-18T07:34:30.530956+00:00
In Tor Arti before 1.2.3, circuits sometimes incorrectly have a length of 3 (with full vanguards), aka TROVE-2024-004.

https://vulnerability.circl.lu/vuln/ghsa-jw9q-cpgg-x45m ghsa-jw9q-cpgg-x45m 2024-05-18T07:34:30.530945+00:00
Cross-Site Request Forgery (CSRF) on Session Token vulnerability that could potentially lead to Remote Code Execution (RCE).

https://vulnerability.circl.lu/vuln/ghsa-95fh-63xw-wfh3 ghsa-95fh-63xw-wfh3 2024-05-18T07:34:30.530932+00:00
An information disclosure issue exists in D-LINK-DIR-605 B2 Firmware Version : 2.01MT. An attacker can obtain a user name and password by forging a post request to the /getcfg.php page.

https://vulnerability.circl.lu/vuln/ghsa-ppfw-543c-9q84 ghsa-ppfw-543c-9q84 2024-05-18T07:34:30.530921+00:00
Multiple cross-site request forgery (CSRF) vulnerabilities in D-Link DIR-600 router (rev. Bx) with firmware before 2.17b02 allow remote attackers to hijack the authentication of administrators for requests that (1) create an administrator account or (2) enable remote management via a crafted configuration module to hedwig.cgi, (3) activate new configuration settings via a SETCFG,SAVE,ACTIVATE action to pigwidgeon.cgi, or (4) send a ping via a ping action to diagnostic.php.

https://vulnerability.circl.lu/vuln/ghsa-rx9j-rfmx-2gc3 ghsa-rx9j-rfmx-2gc3 2024-05-18T07:34:30.530908+00:00
The Happy Addons for Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘_id’ parameter in all versions up to, and including, 3.10.8 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

https://vulnerability.circl.lu/vuln/ghsa-2qwv-78pj-mrp7 ghsa-2qwv-78pj-mrp7 2024-05-18T07:34:30.530896+00:00
The GiveWP – Donation Plugin and Fundraising Platform plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'give_form' shortcode when used with a legacy form in all versions up to, and including, 3.10.0 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

https://vulnerability.circl.lu/vuln/ghsa-5mrp-5g6h-8p37 ghsa-5mrp-5g6h-8p37 2024-05-18T07:34:30.530884+00:00
The DethemeKit For Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's widgets in all versions up to, and including, 2.1.3 due to insufficient input sanitization and output escaping on user supplied attributes.
This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

https://vulnerability.circl.lu/vuln/ghsa-9m45-35mq-gcp6 ghsa-9m45-35mq-gcp6 2024-05-18T07:34:30.530872+00:00
The Essential Blocks – Page Builder Gutenberg Blocks, Patterns & Templates plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘tagName’ parameter in versions up to, and including, 4.5.12 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

https://vulnerability.circl.lu/vuln/ghsa-c7gm-g64m-839f ghsa-c7gm-g64m-839f 2024-05-18T07:34:30.530860+00:00
The WordPress Automatic Plugin plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘autoplay’ parameter in all versions up to, and including, 3.94.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

https://vulnerability.circl.lu/vuln/ghsa-f4fp-m7qr-xp52 ghsa-f4fp-m7qr-xp52 2024-05-18T07:34:30.530847+00:00
The Salient Shortcodes plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 1.5.3 via the 'icon' shortcode 'image' attribute. This makes it possible for authenticated attackers, with contributor-level and above permissions, to include and execute arbitrary files on the server, allowing the execution of any PHP code in those files. This can be used to bypass access controls, obtain sensitive data, or achieve code execution in cases where php file type can be uploaded and included.

https://vulnerability.circl.lu/vuln/ghsa-fgmj-hpfp-f2jf ghsa-fgmj-hpfp-f2jf 2024-05-18T07:34:30.530831+00:00
The Salient Shortcodes plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'icon' shortcode in all versions up to, and including, 1.5.3 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

https://vulnerability.circl.lu/vuln/ghsa-wjxw-8mxq-42mg ghsa-wjxw-8mxq-42mg 2024-05-18T07:34:30.530787+00:00
The Salient Core plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 2.0.7 via the 'nectar_icon' shortcode 'icon_linea' attribute. This makes it possible for authenticated attackers, with contributor-level and above permissions, to include and execute arbitrary files on the server, allowing the execution of any PHP code in those files. This can be used to bypass access controls, obtain sensitive data, or achieve code execution in cases where php file type can be uploaded and included.