Impact
Unauthenticated GraphQL queries for user accounts can expose password hashes of users that have created or modified content, typically but not necessarily limited to administrators and editors.
Patches
Resolving versions: Ibexa DXP v1.0.13, v2.3…
[ezsystems/ezplatform-admin-ui] ezplatform-admin-ui vulnerable to Cross-Site Scripting (XSS)
It is possible to inject JavaScript XSS in the content type entries “name” and “short name”. To exploit this, one must already have permission to edit content types, which limits it in many cases to people who are already administrators. However, pleas…
[ibexa/graphql] GraphQL queries can expose password hashes
Impact
Unauthenticated GraphQL queries for user accounts can expose password hashes of users that have created or modified content, typically but not necessarily limited to administrators and editors.
Patches
Affected versions: Ibexa DXP v3.3.*, v4.2.*…
[org.deeplearning4j:dl4j-examples] Use of unclaimed s3 bucket in tests and examples
Impact
People who use some older NLP examples that reference the old S3 bucket.
Patches
The problem has been patched. Upgrade to snapshots for now. A release will be published later to address this due to the vulnerability mostly being examples and 1 …
[wasmtime] Wasmtime may have data leakage between instances in the pooling allocator
Impact
There is a bug in Wasmtime’s implementation of its pooling instance allocator where, when a linear memory is reused for another instance, the initial heap snapshot of the prior instance can erroneously be visible to the next instance. The poolin…
[wasmtime] Wasmtime out of bounds read/write with zero-memory-pages configuration
Impact
There is a bug in Wasmtime’s implementation of its pooling instance allocator when the allocator is configured to give WebAssembly instances a maximum of zero pages of memory. In this configuration the virtual memory mapping for WebAssembly memo…
[github.com/phachon/mm-wiki] mm-wiki is vulnerable to Cross-Site Scripting (XSS)
mm-wiki v0.2.1 is vulnerable to Cross-Site Scripting (XSS).
References
https://nvd.nist.gov/vuln/detail/CVE-2021-40289
https://github.com/phachon/mm-wiki/issues/319
https://github.com/advisories/GHSA-99g5-5643-xphp
[readthedocs] Read the Docs vulnerable to Cross-Site Scripting (XSS)
Impact
This vulnerability allowed a malicious user to serve arbitrary HTML files from the main application domain (readthedocs[.]org/readthedocs[.]com) by exploiting a vulnerability in the code that serves downloadable content from a project.
Exploiti…
[@redwoodjs/api] Redwood is vulnerable to account takeover via dbAuth “forgot-password”
Impact
What kind of vulnerability is it? Who is impacted?
This is an API vulnerability in Redwood’s [dbAuth], specifically the dbAuth forgot password feature:
only projects with the dbAuth “forgot password” feature are affected
this vulnerability was …
[parse-server] Parse Server is vulnerable to Prototype Pollution via Cloud Code Webhooks
Impact
A compromised Parse Server Cloud Code Webhook target endpoint allows an attacker to use prototype pollution to bypass the Parse Server requestKeywordDenylist option.
Patches
Improved keyword detection.
Workarounds
None.
Collaborators
Mikhail Shc…