Security
Headlines
HeadlinesLatestCVEs

Tag

#git

CVE-2023-5319: huntr – Security Bounties for any GitHub repository

Cross-site Scripting (XSS) - Stored in GitHub repository thorsten/phpmyfaq prior to 3.1.18.

CVE
Open in Source
#xss#git#php
CVE-2023-5320: fix: only URLs should be allowed · thorsten/phpMyFAQ@e923695

Cross-site Scripting (XSS) - DOM in GitHub repository thorsten/phpmyfaq prior to 3.1.18.

CVE-2023-5317: fix: allow only valid URLs for instances · thorsten/phpMyFAQ@ec551bd

Cross-site Scripting (XSS) - Stored in GitHub repository thorsten/phpmyfaq prior to 3.1.18.

CVE-2023-5227: feat: added check for valid image MIME types · thorsten/phpMyFAQ@abf5248

Unrestricted Upload of File with Dangerous Type in GitHub repository thorsten/phpmyfaq prior to 3.1.8.

GHSA-7fh5-64p2-3v2j: PostCSS line return parsing error

An issue was discovered in PostCSS before 8.4.31. It affects linters using PostCSS to parse external Cascading Style Sheets (CSS). There may be `\r` discrepancies, as demonstrated by `@font-face{ font:(\r/*);}` in a rule.

CVE-2023-44270: postcss/lib/tokenize.js at main · postcss/postcss

An issue was discovered in PostCSS before 8.4.31. It affects linters using PostCSS to parse external Cascading Style Sheets (CSS). There may be \r discrepancies, as demonstrated by @font-face{ font:(\r/*);} in a rule.

GHSA-jm6m-4632-36hf: Composer Remote Code Execution vulnerability via web-accessible composer.phar

### Impact Users publishing a composer.phar to a public web-accessible server where the composer.phar can be executed as a php file may be impacted if PHP also has `register_argc_argv` enabled in php.ini. ### Patches 2.6.4, 2.2.22 and 1.10.27 patch this vulnerability. ### Workarounds Make sure `register_argc_argv` is disabled in php.ini, and avoid publishing composer.phar to the web as this really should not happen.

GHSA-hq58-p9mv-338c: CometBFT's default for `BlockParams.MaxBytes` consensus parameter may increase block times and affect consensus participation

## Amulet Security Advisory for CometBFT: ASA-2023-002 **Component**: CometBFT **Criticality:** Low **Affected versions:** All **Affected users:** Validators, Chain Builders + Maintainers # Summary A default configuration in CometBFT has been found to be large for common use cases, and may affect block times and consensus participation when fully utilized by chain participants. It is advised that chains consider their specific needs for their use case when setting the `BlockParams.MaxBytes` consensus parameter. Chains are encouraged to evaluate the impact of having proposed blocks with the maximum allowed block size, especially on bandwidth usage and block latency. Additionally, the `timeout_propose` parameter should be computed using the maximum allowed block size as a reference. This issue does not represent an actively exploitable vulnerability that would result in a direct loss of funds, however it may have a slight impact on block latency depending on a network’s topography. W...

CVE-2023-43655: Merge pull request from GHSA-jm6m-4632-36hf · composer/composer@955a48e

Composer is a dependency manager for PHP. Users publishing a composer.phar to a public web-accessible server where the composer.phar can be executed as a php file may be subject to a remote code execution vulnerability if PHP also has `register_argc_argv` enabled in php.ini. Versions 2.6.4, 2.2.22 and 1.10.27 patch this vulnerability. Users are advised to upgrade. Users unable to upgrade should make sure `register_argc_argv` is disabled in php.ini, and avoid publishing composer.phar to the web as this is not best practice.

GHSA-rhrv-645h-fjfh: Apache Avro Java SDK vulnerable to Improper Input Validation

When deserializing untrusted or corrupted data, it is possible for a reader to consume memory beyond the allowed constraints and thus lead to out of memory on the system. This issue affects Java applications using Apache Avro Java SDK up to and including 1.11.2. Users should update to apache-avro version 1.11.3 which addresses this issue.