Impact
A vulnerable node, if configured to use high verbosity logging, can be made to crash when handling specially crafted p2p messages sent from an attacker node.
Patches
The following PR addresses the problem: https://github.com/ethereum/go-ethereu…
[github.com/theupdateframework/go-tuf] Improper Validation of Integrity Check Value in go-tuf
Impact
go-tuf does not correctly implement the client workflow for updating the metadata files for roles other than the root role. Specifically, checks for rollback attacks are not implemented correctly meaning an attacker can cause clients to install …
[auth0-lock] Cross-site Scripting in Auth0 Lock
Overview
In versions before and including 11.32.2, when the “additional signup fields” feature is configured, a malicious actor can inject unvalidated HTML code into these additional fields, which is then stored in the service user_metadata payload (usi…
[gogs.io/gogs] Cross-site Scripting in Gogs
Impact
A malicious user is able to upload a crafted SVG file as an issue attachment to achieve XSS. All installations that allow uploading SVG (text/xml) files as issue attachments (non-default) are affected.
Patches
Correctly setting the Content Securit…
[github.com/argoproj/argo-cd/v2] Argo CD will blindly trust JWT claims if anonymous access is enabled
Impact
A critical vulnerability has been discovered in Argo CD which would allow unauthenticated users to impersonate any Argo CD user or role, including the admin user, by sending a specifically crafted JSON Web Token (JWT) along with the request. …
[github.com/opencontainers/runc] Default inheritable capabilities for linux container should be empty
Impact
A bug was found in runc where runc exec --cap executed processes with non-empty inheritable Linux process capabilities, creating an atypical Linux environment and enabling programs with inheritable file capabilities to elevate those capabilities…
[org.craftercms:crafter-core] XML injection in Crafter CMS
In Crafter CMS Crafter Studio 3.0 prior to 3.0.1 an unauthenticated attacker is able to create a site with specially crafted XML that allows the retrieval of OS files out-of-band.
References
https://nvd.nist.gov/vuln/detail/CVE-2017-15683
https://docs…
[org.craftercms:crafter-core] Cross site scripting in Crafter CMS
In Crafter CMS Crafter Studio 3.0.1 an unauthenticated attacker is able to inject malicious JavaScript code resulting in a stored/blind XSS in the admin panel.
References
https://nvd.nist.gov/vuln/detail/CVE-2017-15682
https://docs.craftercms.org/en/3…
[org.craftercms:crafter-core] Missing Authorization in Crafter CMS
In Crafter CMS Crafter Studio 3.0 prior to 3.0.1 an IDOR vulnerability exists which allows unauthenticated attackers to view and modify administrative data.
References
https://nvd.nist.gov/vuln/detail/CVE-2017-15680
https://docs.craftercms.org/en/3.0/…
[pyamf] PyAMF vulnerable to XML external entity (XXE)
PyAMF provides Action Message Format (AMF) support for Python that is compatible with the Adobe Flash Player. It includes integration with Python web frameworks like Django, Pylons, Twisted, SQLAlchemy, web2py and more. XML external entity (XXE) vulner…