When using the hybridsessions module is used without the session-manager module installed and sessions IDs are saved to disk, unexpired SessionIDs of logged out users can still be used to make authenticated requests.
References
https://nvd.nist.gov/vu…
Impact
Wasmtime’s implementation of the SIMD proposal for WebAssembly on x86_64 contained two distinct bugs in the instruction lowerings implemented in Cranelift. The aarch64 implementation of the simd proposal is not affected. The bugs were presented …
Impact
URL previews of some web pages can exhaust the available stack space for the Synapse process due to unbounded recursion.
This is sometimes recoverable and leads to an error for the request causing the problem, but in other cases the Synapse proc…
Authorization Bypass Through User-Controlled Key in GitHub repository ionicabizau/parse-path prior to 5.0.0.
References
https://nvd.nist.gov/vuln/detail/CVE-2022-0624
https://github.com/ionicabizau/parse-path/commit/f9ad8856a3c8ae18e1cf4caef5edbabbc42…
Admidio 4.1.2 version is affected by stored cross-site scripting (XSS).
References
https://nvd.nist.gov/vuln/detail/CVE-2022-23896
https://huntr.dev/bounties/79c2d16c-bae2-417f-ab50-10c52707a30f/
https://github.com/admidio/admidio/commit/1ff30f7cc7159…
Server-Side Request Forgery (SSRF) in GitHub repository dompdf/dompdf prior to 2.0.0.
References
https://nvd.nist.gov/vuln/detail/CVE-2022-0085
https://github.com/dompdf/dompdf/commit/bb1ef65011a14730b7cfbe73506b4bb8a03704bd
https://huntr.dev/bounties…
A malicious actor can read arbitrary files from a client that uses ruby-mysql to communicate to a rogue MySQL server and issue database queries. In these cases, the server has the option to create a database reply using the LOAD DATA LOCAL statement, w…
Server-Side Request Forgery (SSRF) in GitHub repository ionicabizau/parse-url prior to 7.0.0.
References
https://nvd.nist.gov/vuln/detail/CVE-2022-2216
https://github.com/ionicabizau/parse-url/commit/21c72ab9412228eea753e2abc48f8962707b1fe3
https://hu…
Cross-site Scripting (XSS) – Generic in GitHub repository ionicabizau/parse-url prior to 6.0.1
References
https://nvd.nist.gov/vuln/detail/CVE-2022-2217
https://github.com/ionicabizau/parse-url/commit/21c72ab9412228eea753e2abc48f8962707b1fe3
https://h…
Open redirect vulnerability in web2py versions prior to 2.22.5 allows a remote attacker to redirect a user to an arbitrary web site and conduct a phishing attack by having a user to access a specially crafted URL.
References
https://nvd.nist.gov/vuln/…
