Impact
Due to a workaround for an old client bug (which has since been fixed), very large JSON payloads in ModalFormResponsePacket were able to cause the server to spend a significant amount of time processing the packet. Large numbers of these packets…
[mercurius] mercurius has Uncaught Exception when using subscriptions
Impact
Any users of Mercurius until version v11.5.0 are subjected to a denial of service attack by sending a malformed packet over WebSocket to /graphql.
Patches
This was patched in https://github.com/mercurius-js/mercurius/pull/940.
The patch was rele…
[git] ruby-git has potential remote code execution vulnerability
The git gem, between versions 1.2.0 and 1.12.0, incorrectly parsed the output of the git ls-files command using eval() to unescape quoted file names. If a file name added to the git repository contained special characters, such as \n, then the git …
[@okta/oidc-middleware] @okta/oidc-middleware Open Redirect vulnerability
An open redirect vulnerability exists in Okta OIDC Middleware prior to version 5.0.0 allowing an attacker to redirect a user to an arbitrary URL.
Affected products and versions
Okta OIDC Middleware prior to version 5.0.0.
Resolution
The vulnerability i…
[io.apiman:apiman-manager-api-impl] Apiman Manager API affected by Jackson denial of service vulnerability
Impact
Due to a vulnerability in jackson-databind <= 2.12.6.0, an authenticated attacker could craft an Apiman policy configuration which, when saved, may cause a denial of service on the Apiman Manager API.
This does not affect the Apiman Gateway.
…
[org.apache.sling:org.apache.sling.cms] Apache Sling App CMS vulnerable to reflected Cross-site Scripting
An improper neutralization of input during web page generation (‘Cross-site Scripting’) [CWE-79] vulnerability in Sling App CMS version 1.1.2 and prior may allow an authenticated remote attacker to perform a reflected cross-site scripting (XSS) attack …
[simplesamlphp/simplesamlphp-module-infocard] Information Cards Module vulnerable to Cross-site Scripting
A vulnerability was found in Information Cards Module and classified as problematic. This issue affects some unknown processing. The manipulation leads to cross site scripting. The attack may be initiated remotely. Upgrading to version 1.0 is able to a…
[barzahlen/barzahlen-php] Barzahlen Payment Module PHP SDK vulnerable to Observable Timing Discrepancy
A vulnerability, which was classified as problematic, was found in viafintech Barzahlen Payment Module PHP SDK up to 2.0.0. Affected is the function verify of the file src/Webhook.php. The manipulation leads to observable timing discrepancy. Upgrading …
[sukohi/surpass] SUKOHI Surpass Path Traversal vulnerability
A vulnerability has been found in SUKOHI Surpass and classified as critical. This vulnerability affects unknown code of the file src/Sukohi/Surpass/Surpass.php. The manipulation of the argument dir leads to pathname traversal. Upgrading to version 1.0….
[symbiote/silverstripe-seed] Symbiote Seed Open Redirect vulnerability
A vulnerability was found in Symbiote Seed up to 6.0.2. It has been classified as critical. Affected is the function onBeforeSecurityLogin of the file code/extensions/SecurityLoginExtension.php of the component Login. The manipulation of the argument U…