MODERATE

[github.com/usememos/memos] usememos/memos Cross-site Scripting vulnerability

Cross-site Scripting (XSS) – Stored in GitHub repository usememos/memos prior to 0.9.1.
References

https://nvd.nist.gov/vuln/detail/CVE-2022-4865
https://github.com/usememos/memos/commit/7670c9536000bb32c6345d4906a91268dcddd5fc
https://huntr.dev/bount…

[github.com/usememos/memos] usememos/memos vulnerable to Cross-site Scripting

Cross-site Scripting (XSS) – Stored in GitHub repository usememos/memos prior to 0.9.1.
References

https://nvd.nist.gov/vuln/detail/CVE-2022-4866
https://github.com/usememos/memos/commit/7670c9536000bb32c6345d4906a91268dcddd5fc
https://huntr.dev/bount…

[mellium.im/sasl] Mellium vulnerable to authentication failure or insufficient randomness used during authentication

An issue was discovered in Mellium mellium.im/sasl before 0.3.1. When performing SCRAM-based SASL authentication, if the remote end advertises support for channel binding, no random nonce is generated (instead, the nonce is empty). This causes authenti…

[froxlor/froxlor] Froxlor vulnerable to Argument Injection

Argument Injection in GitHub repository froxlor/froxlor prior to 2.0.0-beta1.
References

https://nvd.nist.gov/vuln/detail/CVE-2022-4864
https://github.com/froxlor/froxlor/commit/f2485ecd9aab8da544b5e12891d82ae6fcff5fc7
https://huntr.dev/bounties/b7140…

[prettytable-rs] prettytable-rs: Force cast a &Vec to &[T] may lead to undefined behavior

In function Table::as_ref, a reference of vector is force cast to slice. There are multiple problems here:

To guarantee the size is correct, we have to first do Vec::shrink_to_fit. The function requires a mutable reference, so we have to force cast fr…

[github.com/kubernetes-sigs/aws-efs-csi-driver] efs-utils and aws-efs-csi-driver have race condition during concurrent TLS mounts

Posted inMODERATE
Posted byWpmaster
12/31/2022

Impact
A potential race condition issue exists within the Amazon EFS mount helper in efs-utils versions v1.34.3 and below, and aws-efs-csi-driver versions v1.4.7 and below. When using TLS to mount file systems, the mount helper allocates a local port f…

[hyper-staticfile] hyper-staticfile’s location header incorporates user input, allowing open redirect

When hyper-staticfile performs a redirect for a directory request (e.g. a request for /dir that redirects to /dir/), the Location header value was derived from user input (the request path), simply appending a slash. The intent was to perform an origin…

TechMedia

Featured

[vitess.io/vitess] vitess allows users to create keyspaces that can deny access to already existing keyspaces

[github.com/answerdev/answer] Answer vulnerable to account takeover because password reset links do not expire

[thorsten/phpmyfaq] thorsten/phpmyfaq vulnerable to improper access control

[thorsten/phpmyfaq] thorsten/phpmyfaq vulnerable to stored cross-site scripting (XSS) via updatecategory parameter

[github.com/usememos/memos] usememos/memos Cross-site Scripting vulnerability

[github.com/usememos/memos] usememos/memos vulnerable to Cross-site Scripting

[mellium.im/sasl] Mellium vulnerable to authentication failure or insufficient randomness used during authentication

[froxlor/froxlor] Froxlor vulnerable to Argument Injection

[prettytable-rs] prettytable-rs: Force cast a &Vec to &[T] may lead to undefined behavior

[github.com/kubernetes-sigs/aws-efs-csi-driver] efs-utils and aws-efs-csi-driver have race condition during concurrent TLS mounts

[hyper-staticfile] hyper-staticfile’s location header incorporates user input, allowing open redirect

[github.com/gotify/server] gotify/server vulnerable to Cross-site Scripting in the application image file upload

[github.com/usememos/memos] usememos/memos vulnerable to Improper Verification of Source of a Communication Channel

[github.com/usememos/memos] usememos/memos Cross-Site Request Forgery vulnerability

Archives