Impact
What kind of vulnerability is it? Who is impacted?
Secrets that would normally be masked by semantic-release can be accidentally disclosed if they contain characters that are excluded from URI encoding by encodeURI. Occurrence is further limited…
[cookiecutter] OS Command Injection in cookiecutter
The package cookiecutter before 2.1.1 is vulnerable to Command Injection via hg argument injection. When calling the cookiecutter function from Python code with the checkout parameter, it is passed to the hg checkout command in a way that additional fl…
[mechanize] Authorization header leak on port redirect in mechanize
Summary
Mechanize (rubygem) < v2.8.5 leaks the Authorization header after a redirect to a different port on the same site.
Mitigation
Upgrade to Mechanize v2.8.5 or later.
Notes
See https://curl.se/docs/CVE-2022-27776.html for a similar vulnerabilit…
[guzzlehttp/guzzle] Failure to strip the Cookie header on change in host or HTTP downgrade
Impact
Cookie headers on requests are sensitive information. On making a request using the https scheme to a server which responds with a redirect to a URI with the http scheme, or on making a request to a server which responds with a redirect to a U…
[guzzlehttp/guzzle] Fix failure to strip Authorization header on HTTP downgrade
Impact
Authorization headers on requests are sensitive information. On making a request using the https scheme to a server which responds with a redirect to a URI with the http scheme, we should not forward the Authorization header on. This is much the…
[metacalc] Code Injection in metacalc
The package metacalc before 0.0.2 is vulnerable to Arbitrary Code Execution when it exposes JavaScript's Math class to the v8 context. As the Math class is exposed to user-land, it can be used to get access to JavaScript's Function constructor.
Refere…
[francoisjacquet/rosariosis] Cross-site Scripting in RosarioSIS
Cross-site Scripting (XSS) – Stored in GitHub repository francoisjacquet/rosariosis prior to 9.0.
References
https://nvd.nist.gov/vuln/detail/CVE-2022-1997
https://github.com/francoisjacquet/rosariosis/commit/6b22c0b5b40fad891c8cf9e7eeff3e42a35c0bf8
h…
[github.com/emicklei/go-restful/v3] Authorization Bypass Through User-Controlled Key in go-restful
Authorization Bypass Through User-Controlled Key in GitHub repository emicklei/go-restful prior to v3.8.0.
References
https://nvd.nist.gov/vuln/detail/CVE-2022-1996
https://github.com/emicklei/go-restful/commit/fd3c327a379ce08c68ef18765bdc925f5d9bad10…
[dolibarr/dolibarr] Cross-site Scripting in Dolibarr
Dolibarr 12.0.5 is vulnerable to Cross-Site Scripting (XSS) via the SQL error page.
References
https://nvd.nist.gov/vuln/detail/CVE-2022-30875
https://github.com/mustgundogdu/Research/edit/main/Dolibar_12.0.5-ReflectedXSS,
https://github.com/mustgundogdu/…
[gogs.io/gogs] Path Traversal in Git HTTP endpoints in Gogs
Impact
The malicious user is able to craft HTTP requests to access unauthorized Git directories. All installations with are affected.
Patches
Path cleaning now covers the Git HTTP endpoints. Users should upgrade to 0.12.9 or the latest 0.13.0+dev…