Common Weakness Enumeration

CWE-75

Discouraged

Failure to Sanitize Special Elements into a Different Plane (Special Element Injection)

Abstraction: Class · Status: Draft

The product does not adequately filter user-controlled input for special elements with control implications.

59 vulnerabilities reference this CWE, most recent first.

GHSA-2G4V-8VVW-R8M9

Vulnerability from github – Published: 2024-06-26 21:32 – Updated: 2024-07-03 18:47
VLAI
Details

An issue discovered in skycaiji 2.8 allows attackers to run arbitrary code via crafted POST request to /index.php?s=/admin/develop/editor_save.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-39243"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-74",
      "CWE-75"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-06-26T20:15:16Z",
    "severity": "CRITICAL"
  },
  "details": "An issue discovered in skycaiji 2.8 allows attackers to run arbitrary code via crafted POST request to /index.php?s=/admin/develop/editor_save.",
  "id": "GHSA-2g4v-8vvw-r8m9",
  "modified": "2024-07-03T18:47:04Z",
  "published": "2024-06-26T21:32:18Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-39243"
    },
    {
      "type": "WEB",
      "url": "https://fushuling.com/index.php/2024/06/11/test"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-2X3M-8PX8-74HR

Vulnerability from github – Published: 2024-03-13 21:31 – Updated: 2024-03-13 21:31
VLAI
Details

A denial of service vulnerability exists in Arcserve Unified Data Protection 9.2 and 8.1 in ASNative.dll.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-0801"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-75"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-03-13T19:15:46Z",
    "severity": "HIGH"
  },
  "details": "A denial of service vulnerability exists in Arcserve Unified Data Protection 9.2 and 8.1 in ASNative.dll.",
  "id": "GHSA-2x3m-8px8-74hr",
  "modified": "2024-03-13T21:31:02Z",
  "published": "2024-03-13T21:31:02Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-0801"
    },
    {
      "type": "WEB",
      "url": "https://www.tenable.com/security/research/tra-2024-07"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-3J93-7RF7-P7M6

Vulnerability from github – Published: 2023-04-05 18:30 – Updated: 2023-04-06 14:40
VLAI
Summary
thorsten/phpmyfaq vulnerable to stored cross-site scripting (XSS) in FAQ comment username parameter
Details

thorsten/phpmyfaq prior to 3.1.12 is vulnerable to stored cross-site scripting (XSS) because it fails to sanitize user input in the FAQ comment username parameter. This has been fixed in 3.1.12.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Packagist",
        "name": "thorsten/phpmyfaq"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "3.1.12"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2023-1758"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-75",
      "CWE-79"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2023-04-05T21:27:37Z",
    "nvd_published_at": "2023-04-05T16:15:00Z",
    "severity": "HIGH"
  },
  "details": "thorsten/phpmyfaq prior to 3.1.12 is vulnerable to stored cross-site scripting (XSS) because it fails to sanitize user input in the FAQ comment username parameter. This has been fixed in 3.1.12.",
  "id": "GHSA-3j93-7rf7-p7m6",
  "modified": "2023-04-06T14:40:57Z",
  "published": "2023-04-05T18:30:18Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-1758"
    },
    {
      "type": "WEB",
      "url": "https://github.com/thorsten/phpmyfaq/commit/f3380f46c464d1bc6f3ded29213c79be0de8fc57"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/thorsten/phpMyFAQ"
    },
    {
      "type": "WEB",
      "url": "https://huntr.dev/bounties/0854328e-eb00-41a3-9573-8da8f00e369c"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:L",
      "type": "CVSS_V3"
    }
  ],
  "summary": "thorsten/phpmyfaq vulnerable to stored cross-site scripting (XSS) in FAQ comment username parameter"
}

GHSA-4952-P58Q-6CRX

Vulnerability from github – Published: 2021-08-23 19:40 – Updated: 2024-11-18 16:26
VLAI
Summary
JupyterLab: XSS due to lack of sanitization of the action attribute of an html <form>
Details

Impact

Untrusted notebook can execute code on load. This is a remote code execution, but requires user action to open a notebook.

Patches

Patched in the following versions: 3.1.4, 3.0.17, 2.3.2, 2.2.10, 1.2.21.

References

OWASP Page on Restricting Form Submissions

For more information

If you have any questions or comments about this advisory, or vulnerabilities to report, please email our security list security@ipython.org.

Credit: Guillaume Jeanne from Google

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "jupyterlab"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "1.2.21"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "jupyterlab"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "2.0.0a0"
            },
            {
              "fixed": "2.2.10"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "jupyterlab"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "2.3.0a0"
            },
            {
              "fixed": "2.3.2"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "jupyterlab"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "3.0.0a0"
            },
            {
              "fixed": "3.0.17"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "jupyterlab"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "3.1.0a0"
            },
            {
              "fixed": "3.1.4"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "notebook"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "5.7.11"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "notebook"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "6.0.0"
            },
            {
              "fixed": "6.4.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2021-32797"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-75",
      "CWE-79",
      "CWE-87"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2021-08-23T16:41:37Z",
    "nvd_published_at": "2021-08-09T21:15:00Z",
    "severity": "MODERATE"
  },
  "details": "### Impact\n\nUntrusted notebook can execute code on load. This is a remote code execution, but requires user action to open a notebook.\n\n### Patches\n\nPatched in the following versions: 3.1.4, 3.0.17, 2.3.2, 2.2.10, 1.2.21.\n\n### References\n\n[OWASP Page on Restricting Form Submissions](https://cheatsheetseries.owasp.org/cheatsheets/Content_Security_Policy_Cheat_Sheet.html)\n\n### For more information\n\nIf you have any questions or comments about this advisory, or vulnerabilities to report, please email our security list security@ipython.org.\n\nCredit: Guillaume Jeanne from Google\n",
  "id": "GHSA-4952-p58q-6crx",
  "modified": "2024-11-18T16:26:15Z",
  "published": "2021-08-23T19:40:22Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/google/security-research/security/advisories/GHSA-c469-p3jp-2vhx"
    },
    {
      "type": "WEB",
      "url": "https://github.com/jupyterlab/jupyterlab/security/advisories/GHSA-4952-p58q-6crx"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-32797"
    },
    {
      "type": "WEB",
      "url": "https://github.com/jupyterlab/jupyterlab/commit/504825938c0abfa2fb8ff8d529308830a5ae42ed"
    },
    {
      "type": "WEB",
      "url": "https://github.com/pypa/advisory-database/tree/main/vulns/jupyterlab/PYSEC-2021-130.yaml"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:N/A:N",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:H/SI:N/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "JupyterLab: XSS due to lack of sanitization of the action attribute of an html \u003cform\u003e"
}

GHSA-4HFH-FCH3-5Q7P

Vulnerability from github – Published: 2026-02-19 19:40 – Updated: 2026-04-22 16:24
VLAI
Summary
Leaf-kit html escaping does not work on characters that are part of extended grapheme cluster
Details

Summary

htmlEscaped in leaf-kit will only escape html special characters if the extended grapheme clusters match, which allows bypassing escaping by using an extended grapheme cluster containing both the special html character and some additional characters. In the case of html attributes, this can lead to XSS if there is a leaf variable in the attribute that is user controlled.

Details

Relevant code: https://github.com/vapor/leaf-kit/blob/main/Sources/LeafKit/String%2BHTMLEscape.swift#L14

Strings in Swift are based on extended grapheme clusters. HTML on the other hand is based on unicode characters.

For example if you have the sequence "́ (U+0022 Quotation mark followed by U+0301 Combining Acute Accent). To HTML this is just a quote mark followed by some other random character. To swift this is one extended grapheme cluster that does not equal a quotation mark by itself which is a different extended grapheme cluster.

Thus "\"́".replacingOccurrences(of: "\"", with: "&quot;") does not replace the quote mark. This allows you to break out of html attributes.

I believe replacingOccurences takes an optional third parameter that allows you to specify options to make it work on UTF-8 characters instead of grapheme clusters, which would be a good fix for this issue.

I see depending on version, leafkit might use replacing instead of replacingOccurences. I don't know swift that well and couldn't find docs on what replacing does, so I don't know if both versions of the function are affected. The version of swift i was testing on I believe was using replacingOccurences

It seems like replacingOccurences will skip past prefix characters of extended grapheme clusters, which is what would be needed in order to meaningfully bypass esaping of <. Thus i think this is mostly limited to attributes and not general text.

PoC

An example vapor application that is vulnerable might look like

routes.swift

import Vapor

struct Hello: Content {
    var msg: String?
}

func routes(_ app: Application) throws {
    app.post { req throws in
    let Hello = try req.content.decode(Hello.self)
        return req.view.render("hello", [
            "msg": Hello.msg ?? "Hello World!"
        ])
    }
}

With a hello.leaf that looks like

<div title="#(msg)">Hover to see message</div>

And then you POST something like msg=%22%cc%81=1%20autofocus%20tabindex=0%20onfocus=alert(1)%20

Impact

If a website uses leaf to escape an attribute value based on user input, the attacker may be able to insert a malicious attribute. If a site is not using a secure CSP policy, then this can be used to execute malicious javascript (XSS). Impact is context dependent if a site is using a secure CSP policy.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "SwiftURL",
        "name": "github.com/vapor/leaf-kit"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "1.4.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-27120"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-75",
      "CWE-79",
      "CWE-87"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-02-19T19:40:08Z",
    "nvd_published_at": "2026-02-20T22:16:29Z",
    "severity": "MODERATE"
  },
  "details": "### Summary\n\n`htmlEscaped` in leaf-kit will only escape html  special characters if the extended grapheme clusters match, which allows bypassing escaping by using an extended grapheme cluster containing both the special html character and some additional characters. In the case of html attributes, this can lead to XSS if there is a leaf variable in the attribute that is user controlled.\n\n### Details\n\nRelevant code:\nhttps://github.com/vapor/leaf-kit/blob/main/Sources/LeafKit/String%2BHTMLEscape.swift#L14\n\nStrings in Swift are based on extended grapheme clusters. HTML on the other hand is based on unicode characters. \n\nFor example if you have the sequence \"\u0301  (U+0022 Quotation mark followed by U+0301 Combining Acute Accent). To HTML this is just a quote mark followed by some other random character. To swift this is one extended grapheme cluster that does not equal a quotation mark by itself which is a different extended grapheme cluster.\n\nThus `\"\\\"\u0301\".replacingOccurrences(of: \"\\\"\", with: \"\u0026quot;\")` does not replace the quote mark. This allows you to break out of html attributes.\n\nI believe replacingOccurences takes an optional third parameter that allows you to specify options to make it work on UTF-8 characters instead of grapheme clusters, which would be a good fix for this issue.\n\nI see depending on version, leafkit might use `replacing` instead of `replacingOccurences`. I don\u0027t know swift that well and couldn\u0027t find docs on what replacing does, so I don\u0027t know if both versions of the function are affected. The version of swift i was testing on I believe was using replacingOccurences\n\nIt seems like replacingOccurences will skip past prefix characters of extended grapheme clusters, which is what would be needed in order to meaningfully bypass esaping of \u003c. Thus i think this is mostly limited to attributes and not general text.\n\n### PoC\n\nAn example vapor application that is vulnerable might look like\n\nroutes.swift\n```swift\nimport Vapor\n\nstruct Hello: Content {\n    var msg: String?\n}\n\nfunc routes(_ app: Application) throws {\n    app.post { req throws in\n\tlet Hello = try req.content.decode(Hello.self)\n        return req.view.render(\"hello\", [\n            \"msg\": Hello.msg ?? \"Hello World!\"\n        ])\n    }\n}\n```\n\nWith a hello.leaf that looks like\n```\n\u003cdiv title=\"#(msg)\"\u003eHover to see message\u003c/div\u003e\n```\n\nAnd then you POST something like `msg=%22%cc%81=1%20autofocus%20tabindex=0%20onfocus=alert(1)%20`\n\n### Impact\nIf a website uses leaf to escape an attribute value based on user input, the attacker may be able to insert a malicious attribute. If a site is not using a secure CSP policy, then this can be used to execute malicious javascript (XSS). Impact is context dependent if a site is using a secure CSP policy.",
  "id": "GHSA-4hfh-fch3-5q7p",
  "modified": "2026-04-22T16:24:14Z",
  "published": "2026-02-19T19:40:08Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/vapor/leaf-kit/security/advisories/GHSA-4hfh-fch3-5q7p"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-27120"
    },
    {
      "type": "WEB",
      "url": "https://github.com/vapor/leaf-kit/commit/8919e39476c3a4ba05c28b71546bb9195f87ef34"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/vapor/leaf-kit"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Leaf-kit html escaping does not work on characters that are part of extended grapheme cluster"
}

GHSA-5968-QW33-H47J

Vulnerability from github – Published: 2023-12-15 00:31 – Updated: 2023-12-18 19:30
VLAI
Summary
Duplicate Advisory: Keycloak vulnerable to reflected XSS via wildcard in OIDC redirect_uri
Details

Duplicate Advisory

This advisory has been withdrawn because it is a duplicate of GHSA-cvg2-7c3j-g36j. This link is maintained to preserve external references.

Original Description

A flaw was found in Keycloak that prevents certain schemes in redirects, but permits them if a wildcard is appended to the token. This issue could allow an attacker to submit a specially crafted request leading to cross-site scripting (XSS) or further attacks. This flaw is the result of an incomplete fix for CVE-2020-10748.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Maven",
        "name": "org.keycloak:keycloak-services"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "23.0.3"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [],
  "database_specific": {
    "cwe_ids": [
      "CWE-75"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2023-12-18T19:30:55Z",
    "nvd_published_at": "2023-12-14T22:15:44Z",
    "severity": "MODERATE"
  },
  "details": "## Duplicate Advisory\nThis advisory has been withdrawn because it is a duplicate of GHSA-cvg2-7c3j-g36j. This link is maintained to preserve external references.\n\n## Original Description\nA flaw was found in Keycloak that prevents certain schemes in redirects, but permits them if a wildcard is appended to the token. This issue could allow an attacker to submit a specially crafted request leading to cross-site scripting (XSS) or further attacks. This flaw is the result of an incomplete fix for CVE-2020-10748.",
  "id": "GHSA-5968-qw33-h47j",
  "modified": "2023-12-18T19:30:55Z",
  "published": "2023-12-15T00:31:03Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-6134"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/errata/RHSA-2023:7854"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/errata/RHSA-2023:7855"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/errata/RHSA-2023:7856"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/errata/RHSA-2023:7857"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/errata/RHSA-2023:7858"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/errata/RHSA-2023:7860"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/errata/RHSA-2023:7861"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/security/cve/CVE-2023-6134"
    },
    {
      "type": "WEB",
      "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2249673"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Duplicate Advisory: Keycloak vulnerable to reflected XSS via wildcard in OIDC redirect_uri",
  "withdrawn": "2023-12-18T19:30:55Z"
}

GHSA-5FFQ-G4QH-W8Q3

Vulnerability from github – Published: 2022-05-11 00:01 – Updated: 2023-06-30 21:30
VLAI
Details

A vulnerability has been identified in Desigo PXC4 (All versions < V02.20.142.10-10884), Desigo PXC5 (All versions < V02.20.142.10-10884). The “addCell” JavaScript function fails to properly sanitize user-controllable input before including it into the generated XML body of the XLS report document, such that it is possible to inject arbitrary content (e.g., XML tags) into the generated file. An attacker with restricted privileges, by poisoning any of the content used to generate XLS reports, could be able to leverage the application to deliver malicious files against higher-privileged users and obtain Remote Code Execution (RCE) against the administrator’s workstation.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2022-24039"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-74",
      "CWE-75"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2022-05-10T11:15:00Z",
    "severity": "CRITICAL"
  },
  "details": "A vulnerability has been identified in Desigo PXC4 (All versions \u003c V02.20.142.10-10884), Desigo PXC5 (All versions \u003c V02.20.142.10-10884). The \u201caddCell\u201d JavaScript function fails to properly sanitize user-controllable input before including it into the generated XML body of the XLS report document, such that it is possible to inject arbitrary content (e.g., XML tags) into the generated file. An attacker with restricted privileges, by poisoning any of the content used to generate XLS reports, could be able to leverage the application to deliver malicious files against higher-privileged users and obtain Remote Code Execution (RCE) against the administrator\u2019s workstation.",
  "id": "GHSA-5ffq-g4qh-w8q3",
  "modified": "2023-06-30T21:30:19Z",
  "published": "2022-05-11T00:01:39Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-24039"
    },
    {
      "type": "WEB",
      "url": "https://cert-portal.siemens.com/productcert/pdf/ssa-626968.pdf"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-62XC-VFFQ-MCGG

Vulnerability from github – Published: 2024-07-01 18:32 – Updated: 2024-07-01 18:32
VLAI
Details

In Splunk Enterprise versions below 9.2.2, 9.1.5, and 9.0.10 and Splunk Cloud Platform versions below 9.1.2312.109 and 9.1.2308.207, an authenticated user could create an external lookup that calls a legacy internal function. The authenticated user could use this internal function to insert code into the Splunk platform installation directory. From there, the user could execute arbitrary code on the Splunk platform Instance.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-36983"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-75",
      "CWE-77"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-07-01T17:15:06Z",
    "severity": "HIGH"
  },
  "details": "In Splunk Enterprise versions below 9.2.2, 9.1.5, and 9.0.10 and Splunk Cloud Platform versions below 9.1.2312.109 and 9.1.2308.207, an authenticated user could create an external lookup that calls a legacy internal function. The authenticated user could use this internal function to insert code into the Splunk platform installation directory. From there, the user could execute arbitrary code on the Splunk platform Instance.",
  "id": "GHSA-62xc-vffq-mcgg",
  "modified": "2024-07-01T18:32:40Z",
  "published": "2024-07-01T18:32:40Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-36983"
    },
    {
      "type": "WEB",
      "url": "https://advisory.splunk.com/advisories/SVD-2024-0703"
    },
    {
      "type": "WEB",
      "url": "https://research.splunk.com/application/1cf58ae1-9177-40b8-a26c-8966040f11ae"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-64F8-PJGR-9WMR

Vulnerability from github – Published: 2024-09-11 19:20 – Updated: 2024-09-11 19:20
VLAI
Summary
Untrusted Query Object Evaluation in RPC API
Details

During the sign in and sign up operations through the SurrealDB RPC API, an arbitrary object would be accepted in order to support a wide array of types and structures that could contain user credentials. This arbitrary object could potentially contain any SurrealDB value, including an object representing a subquery. For this to materialize, this object would need to be encoded using the bincode serialization format instead of the default JSON serialization format or the additionally supported CBOR serialization format.

If a binary object containing a subquery were to be provided in this way, that subquery would be computed while executing the SIGNIN and SIGNUP queries defined by the database owner while defining a record access method. Since those queries are executed under a system user session with the editor role, an unauthenticated attacker may be able to leverage this behavior to select, create, update and delete non-IAM resources with permissions of a system user with the editor role.

Impact

If a record access method was defined with a SIGNIN or a SIGNUP query and the SurrealDB RPC API was exposed to untrusted users, an attacker could be able to craft a binary object containing a subquery to provide in place of valid credentials when calling the signin and signup operations via the RPC API with the bincode serialization format. The attacker could use that subquery to select, create, update and delete resources in SurrealDB, but they would not be able to directly view the results of the query. This method cannot be used to create, update or delete IAM resources, as access to those kind of resources requires the owner role.

Patches

Objects provided as variables to the sign in and sign up methods are now recursively validated to ensure that they do not contain any non-computed values, which include subqueries and other data types that could potentially result in query execution.

  • Version 1.5.5 and later are not affected by this issue.
  • Version 2.0.0-beta.3 and later are not affected by this issue.

Workarounds

Users unable to update may want to disallow access to the SurrealDB RPC API using the affected binary serialization formats by conservatively allowing only requests to the /rpc endpoint of the SurrealDB HTTP server with the application/json content type. If the RPC API is not used at all or only used by trusted clients, disallowing or restricting access to the /rpc endpoint of the SurrealDB HTTP server will also prevent exploitation. Alternatively, if filtering HTTP requests is not possible, record access methods that define SIGNIN and SIGNUP clauses may be temporarily removed to completely prevent potential attacks leveraging this issue.

References

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "crates.io",
        "name": "surrealdb"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "1.5.5"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "crates.io",
        "name": "surrealdb-core"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "1.5.2"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "crates.io",
        "name": "surrealdb"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "2.0.0-beta.1"
            },
            {
              "fixed": "2.0.0-beta.3"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [],
  "database_specific": {
    "cwe_ids": [
      "CWE-75"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2024-09-11T19:20:07Z",
    "nvd_published_at": null,
    "severity": "HIGH"
  },
  "details": "During the sign in and sign up operations through the SurrealDB RPC API, an arbitrary object would be accepted in order to support a wide array of types and structures that could contain user credentials. This arbitrary object could potentially contain any SurrealDB value, including an object representing a subquery. For this to materialize, this object would need to be encoded using the bincode serialization format instead of the default JSON serialization format or the additionally supported CBOR serialization format.\n\nIf a binary object containing a subquery were to be provided in this way, that subquery would be computed while executing the `SIGNIN` and `SIGNUP` queries defined by the database owner while defining a record access method. Since those queries are executed under a system user session with the editor role, an unauthenticated attacker may be able to leverage this behavior to select, create, update and delete non-IAM resources with permissions of a system user with the editor role.\n\n### Impact\n\nIf a record access method was defined with a `SIGNIN` or a `SIGNUP` query and the SurrealDB RPC API was exposed to untrusted users, an attacker could be able to craft a binary object containing a subquery to provide in place of valid credentials when calling the `signin` and `signup` operations via the RPC API with the bincode serialization format. The attacker could use that subquery to select, create, update and delete resources in SurrealDB, but they would not be able to _directly_ view the results of the query. This method cannot be used to create, update or delete IAM resources, as access to those kind of resources requires the owner role.\n\n### Patches\n\nObjects provided as variables to the sign in and sign up methods are now recursively validated to ensure that they do not contain any non-computed values, which include subqueries and other data types that could potentially result in query execution.\n\n- Version 1.5.5 and later are not affected by this issue.\n- Version 2.0.0-beta.3 and later are not affected by this issue.\n\n### Workarounds\n\nUsers unable to update may want to disallow access to the SurrealDB RPC API using the affected binary serialization formats by conservatively allowing only requests to the `/rpc` endpoint of the SurrealDB HTTP server with the `application/json` content type. If the RPC API is not used at all or only used by trusted clients, disallowing or restricting access to the `/rpc` endpoint of the SurrealDB HTTP server will also prevent exploitation. Alternatively, if filtering HTTP requests is not possible, record access methods that define `SIGNIN` and `SIGNUP` clauses may be temporarily removed to completely prevent potential attacks leveraging this issue.\n\n### References\n\n- [SurrealDB Documentation - Authentication (Record Users)](https://surrealdb.com/docs/surrealdb/security/authentication#record-users)\n- [SurrealDB Documentation - RPC Protocol (Signup)](https://surrealdb.com/docs/surrealdb/integration/rpc#signup)\n- [SurrealDB Documentation - RPC Protocol (Signin)](https://surrealdb.com/docs/surrealdb/integration/rpc#signin)",
  "id": "GHSA-64f8-pjgr-9wmr",
  "modified": "2024-09-11T19:20:08Z",
  "published": "2024-09-11T19:20:07Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/surrealdb/surrealdb/security/advisories/GHSA-64f8-pjgr-9wmr"
    },
    {
      "type": "WEB",
      "url": "https://github.com/surrealdb/surrealdb/commit/b7583a653a2c495a60630dffd663f506426db330"
    },
    {
      "type": "WEB",
      "url": "https://github.com/surrealdb/surrealdb/commit/eab7ef5354168d4039f7f7b77042c99a52f770a6"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/surrealdb/surrealdb"
    },
    {
      "type": "WEB",
      "url": "https://surrealdb.com/docs/surrealdb/integration/rpc#signin"
    },
    {
      "type": "WEB",
      "url": "https://surrealdb.com/docs/surrealdb/integration/rpc#signup"
    },
    {
      "type": "WEB",
      "url": "https://surrealdb.com/docs/surrealdb/security/authentication#record-users"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "Untrusted Query Object Evaluation in RPC API"
}

GHSA-683H-WMFW-2P2M

Vulnerability from github – Published: 2024-06-09 21:30 – Updated: 2024-06-12 18:30
VLAI
Details

On Mitel 6869i 4.5.0.41 devices, the Manual Firmware Update (upgrade.html) page does not perform sanitization on the username and path parameters (sent by an authenticated user) before appending flags to the busybox ftpget command. This leads to $() command execution.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-37570"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-75",
      "CWE-77"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-06-09T20:15:09Z",
    "severity": "HIGH"
  },
  "details": "On Mitel 6869i 4.5.0.41 devices, the Manual Firmware Update (upgrade.html) page does not perform sanitization on the username and path parameters (sent by an authenticated user) before appending flags to the busybox ftpget command. This leads to $() command execution.",
  "id": "GHSA-683h-wmfw-2p2m",
  "modified": "2024-06-12T18:30:38Z",
  "published": "2024-06-09T21:30:33Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-37570"
    },
    {
      "type": "WEB",
      "url": "https://github.com/kwburns/CVE/blob/main/Mitel/5.0.0.1018/code/exploit-firmware.py"
    },
    {
      "type": "WEB",
      "url": "https://github.com/kwburns/CVE/tree/main/Mitel/5.0.0.1018#authenticated-remote-command-execution-firmware"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

Mitigation
Requirements

Programming languages and supporting technologies might be chosen which are not subject to these issues.

Mitigation
Implementation

Utilize an appropriate mix of allowlist and denylist parsing to filter special element syntax from all input.

CAPEC-81: Web Server Logs Tampering

Web Logs Tampering attacks involve an attacker injecting, deleting or otherwise tampering with the contents of web logs typically for the purposes of masking other malicious behavior. Additionally, writing malicious data to log files may target jobs, filters, reports, and other agents that process the logs in an asynchronous attack pattern. This pattern of attack is similar to "Log Injection-Tampering-Forging" except that in this case, the attack is targeting the logs of the web server and not the application.

CAPEC-93: Log Injection-Tampering-Forging

This attack targets the log files of the target host. The attacker injects, manipulates or forges malicious log entries in the log file, allowing them to mislead a log audit, cover traces of attack, or perform other malicious actions. The target host is not properly controlling log access. As a result tainted data is resulting in the log files leading to a failure in accountability, non-repudiation and incident forensics capability.