Impact
The admin and monitor user groups need to be authenticated by username and password. If the X-Requested-With: XMLHttpRequest field is deleted from the request header, the authentication is bypassed.
Patches
https://github.com/brockercap/Bifrost…
[mobsf] MobSF allows attackers to read arbitrary files via a crafted HTTP request
Mobile Security Framework (MobSF) v0.9.2 and below was discovered to contain a local file inclusion (LFI) vulnerability in the StaticAnalyzer/views.py script. This vulnerability allows attackers to read arbitrary files via a crafted HTTP request.
Refer…
[io.dataease:dataease-plugin-common] MySQL JDBC deserialization vulnerability
Impact
In Dataease, the MySQL data source in the data source function can customize the JDBC connection parameters and the MySQL server target to connect to.
In backend/src/main/java/io/dataease/provider/datasource/JdbcProvider.java, MysqlConfigurat…
[github.com/cheqd/cheqd-node] Potential inter-blockchain communication (IBC) protocol compromise via “Dragonberry” vulnerability in cheqd
Impact
This vulnerability affects IBC transfers due to a security vulnerability dubbed “Dragonberry” upstream in Cosmos SDK. The vulnerability could allow malicious attackers to compromise chain-to-chain IBC transfers.
There is no vulnerability in the …
[parse-server] parse-server crashes when receiving file download request with invalid byte range
Impact
Parse Server crashes when a file download request is received with an invalid byte range.
Patches
Improved parsing of the range parameter to properly handle invalid range requests.
Workarounds
None
References
GHSA-h423-w6qv-2wj3
References
ht…
[minimatch] minimatch ReDoS vulnerability
A vulnerability was found in the minimatch package. This flaw allows a Regular Expression Denial of Service (ReDoS) when calling the braceExpand function with specific arguments, resulting in a Denial of Service.
References
https://nvd.nist.gov/vuln/d…
[django] Denial-of-service vulnerability in internationalized URLs
In Django 3.2 before 3.2.16, 4.0 before 4.0.8, and 4.1 before 4.1.2, internationalized URLs were subject to a potential denial of service attack via the locale parameter, which is treated as a regular expression.
References
https://nvd.nist.gov/vuln/…
[golang.org/x/text/language] Denial of service in golang.org/x/text/language
The BCP 47 tag parser has quadratic time complexity due to inherent aspects of its design. Since the parser is, by design, exposed to untrusted user input, this can be leveraged to force a program to consume significant time parsing Accept-Language hea…
[loader-utils] loader-utils is vulnerable to Regular Expression Denial of Service (ReDoS) via url variable
A Regular expression denial of service (ReDoS) flaw was found in Function interpolateName in interpolateName.js in webpack loader-utils 2.0.0 via the url variable in interpolateName.js. A badly or maliciously formed string could be used to send crafted…
[github.com/hyperledger/fabric] Remote denial of service in Hyperledger Fabric Gateway
Impact
If a gateway client application sends a malformed request to a gateway peer it may crash the peer node.
This fix checks for the malformed gateway request and returns an error to the gateway client.
Patches
Fixed in v2.4.6.
Workarounds
None, user…