Impact
If the untrusted v8 cached data is passed to the API through CachedDataOptions, the attackers can bypass the sandbox and run arbitrary code in the nodejs process. There are currently no known fixed versions or workarounds.
References
https://gi…
When matrix-nio before 0.20 requests a room key from our devices, it correctly accepts key forwards only if they are a response to a previous request. However, it doesn’t check that the device that responded matches the device the key was requested fro…
Impact
When matrix-rust-sdk before 0.6 requests a room key from our devices, it correctly accepts key forwards only if they are a response to a previous request. However, it doesn’t check that the device that responded matches the device the key was re…
Impact
An attacker cooperating with a malicious homeserver could interfere with the verification flow between two users, injecting its own cross-signing user identity in place of one of the users’ identities, leading to the other device trusting/verify…
Impact
Applications that use next-auth Email Provider and @next-auth/upstash-redis-adapter before v3.0.2 are affected.
Description
The Upstash Redis adapter implementation did not check for both the identifier (email) and the token, but only checking f…
Description
When using the filesystem loader to load templates for which the name is a user input, it is possible to use the source or include statement to read arbitrary files from outside the templates directory when using a namespace like @somewhere…
Impact
This vulnerability allows remote attackers to execute arbitrary code on affected installations of Orckestra C1 CMS.
Authentication is required to exploit this vulnerability.
The authenticated user may perform the actions unknowingly by visiting…
Impact
A XSS vulnerability in the provided (outdated) Swagger-UI is exploitable in applications using lithium with Swagger-UI enabled.
This allows an attacker gain Remote Code Execution (RCE) and potentially exfiltrate secrets in the context of this s…
Impact
An attacker cooperating with a malicious homeserver can construct messages that legitimately appear to have come from another person, without any indication such as a grey shield.
Additionally, a sophisticated attacker cooperating with a malici…
Impact
An attacker cooperating with a malicious homeserver can construct messages appearing to have come from another person. Such messages will be marked with a grey shield on some platforms, but this may be missing in others.
This attack is possible …
