Recently Added Advisories

Advisories that have been merged within the last 14 days are listed below (sorted from newest to oldest).
Advisories published through NVD are available in the GitLab Advisory database within 2.7 days (on average).

CVE-2020-15239

Path Traversal in pypi/xmpp-http-upload

In xmpp-http-upload, when the GET method is attacked, attackers can read files which have a `.data` suffix and which are accompanied by a JSON file with the `.meta` suffix. This can lead to Information Disclosure and in some shared-hosting scenarios also to circumvention of authentication or other limitations on the outbound (GET) traffic. For example, in a scenario where a single server has multiple instances of the application running (with separate DATA_ROOT settings), an attacker who has knowledge about the directory structure is able to read files from any other instance to which the process has read access. If instances have individual authentication (for example, HTTP authentication via a reverse proxy, source IP based filtering) or other restrictions (such as quotas), attackers may circumvent those limits in such a scenario by using the Directory Traversal to retrieve data from the other instances. If the associated XMPP server (or anyone knowing the SECRET_KEY) is malicious, they can write files outside the DATA_ROOT. The files which are written are constrained to have the `.meta` and the `.data` suffixes; the `.meta` file will contain the JSON with the Content-Type of the original request and the `.data` file will contain the payload. The issue is patched

Added on 2020-10-23

CVE-2020-7739

Server-Side Request Forgery (SSRF) in npm/phantomjs-seo

This affects all versions of package phantomjs-seo. It is possible for an attacker to craft a url that will be passed to a PhantomJS instance allowing for an SSRF attack.

Added on 2020-10-23

CVE-2020-7747

Cross-site Scripting in npm/lightning-server

This affects all versions of package lightning-server. It is possible to inject malicious JavaScript code as part of a session controller.

Added on 2020-10-23

CVE-2020-7748

Uncontrolled Resource Consumption in npm/@tsed/core

This affects the package `@tsed/core`. This vulnerability relates to the `deepExtend` function in the utils directory. Depending on whether user input is provided, an attacker can overwrite and pollute the object prototype of a program.

Added on 2020-10-23

CVE-2020-15263

Cross-site Scripting in packagist/orchid/platform

In Orchid Platform, inline attributes are not properly escaped. If the data that came from users was not escaped, then an XSS vulnerability is possible. The issue was introduced and fixed

Added on 2020-10-23

CVE-2020-15215

Exposure of Resource to Wrong Sphere in npm/electron

Electron is vulnerable to a context isolation bypass. Apps using both `contextIsolation` and `sandbox: true` are affected. Apps using both `contextIsolation` and `nodeIntegrationInSubFrames: true` are affected. This is a context isolation bypass, meaning that code running in the main world context in the renderer can reach into the isolated Electron context and perform privileged actions.

Added on 2020-10-23

CVE-2020-2287

Improper Interaction Between Multiple Correctly-Behaving Entities in maven/org.jenkins-ci.plugins/audit-trail

Jenkins Audit Trail Plugin applies pattern matching to a different representation of request URL paths than the Stapler web framework uses for dispatching requests, which allows attackers to craft URLs that bypass request logging of any target URL.

Added on 2020-10-22

CVE-2020-15242

URL Redirection to Untrusted Site (Open Redirect) in npm/next

Next.js is vulnerable to an Open Redirect. Specially encoded paths could be used with the trailing slash redirect to allow an open redirect to occur to an external site. In general, this redirect does not directly harm users, although it can allow for phishing attacks by redirecting to an attacker's domain from a trusted domain. The issue is fixed in version 9.5.4.

Added on 2020-10-22

CVE-2020-15174

Improper Input Validation in npm/electron

In Electron before versions 11.0.0-beta.1, 10.0.1, 9.3.0 or 8.5.1 the `will-navigate` event that apps use to prevent navigations to unexpected destinations as per our security recommendations can be bypassed when a sub-frame performs a top-frame navigation across sites. The issue is patched in versions 11.0.0-beta.1, 10.0.1, 9.3.0 or 8.5.1. As a workaround, sandbox all your iframes using the sandbox attribute. This will prevent them from creating top-frame navigations and is good practice anyway.

Added on 2020-10-22

CVE-2020-7741

Cross-site Scripting in npm/hellojs

This affects the package hellojs. The code gets the param `oauth_redirect` from the URL and passes it to `location.assign` without any check or sanitisation. So we can simply pass some XSS payloads into the URL param `oauth_redirect`, such as `javascript:alert(1)`.

Added on 2020-10-22

CVE-2020-13952

Query Injection in pypi/superset

In the course of work on the open source project it was discovered that authenticated users running queries against Hive and Presto database engines could access information via a number of templated fields including the contents of query description metadata database, the hashed version of the authenticated users’ password, and access to connection information including the plaintext password for the current connection. It would also be possible to run arbitrary methods on the database connection object for the Presto or Hive connection, allowing the user to bypass security controls internal to Superset. This vulnerability is present in every Apache Superset version < 0.37.2.

Added on 2020-10-22

CVE-2020-15241

URL Redirection to Untrusted Site (Open Redirect) in packagist/typo3/cms

TYPO3 Fluid Engine (package `typo3fluid/fluid`) is vulnerable to cross-site scripting when making use of the ternary conditional operator in templates like `{showFullName ? fullName : defaultValue}`. Updated versions of this package are bundled in the following TYPO3 (`typo3/cms-core`) versions as well: TYPO3 v8.7.25 (using `typo3fluid/fluid` v2.5.4) and TYPO3 v9.5.6 (using `typo3fluid/fluid` v2.6.1).

Added on 2020-10-22

CVE-2020-15243

Improper Authentication in npm/smartstore

Affected versions of Smartstore have a missing WebApi Authentication attribute. This vulnerability affects Smartstore shops which have installed and activated the Web API plugin. Users of Smartstore must merge their repository with 4.0.x or overwrite the file `SmartStore.Web.Framework` in the `/bin` directory of the deployed shop with this file. As a workaround without updating, uninstall the Web API plugin to close this vulnerability.

Added on 2020-10-22

CVE-2020-14144

OS Command Injection in go/github.com/go-gitea/gitea

The git hook feature in Gitea 1.1.0 through 1.12.5 allows for authenticated remote code execution.

Added on 2020-10-22

CVE-2020-25613

Inconsistent Interpretation of HTTP Requests (HTTP Request Smuggling) in gem/webrick

An issue was discovered in Ruby through 2.5.8, 2.6.x through 2.6.6, and 2.7.x through 2.7.1. WEBrick, a simple HTTP server bundled with Ruby, had not checked the transfer-encoding header value rigorously. An attacker may potentially exploit this issue to bypass a reverse proxy (which also has a poor header check), which may lead to an HTTP Request Smuggling attack.

Added on 2020-10-22

CVE-2020-15237

Information Exposure Through Discrepancy in gem/shrine

In Shrine before version 3.3.0, when using the `derivation_endpoint` plugin, it's possible for the attacker to use a timing attack to guess the signature of the derivation URL. The problem has been fixed by comparing sent and calculated signature in constant time, using `Rack::Utils.secure_compare`. Users using the `derivation_endpoint` plugin are urged to upgrade to Shrine 3.3.0 or greater. A possible workaround is provided in the linked advisory.

Added on 2020-10-22

CVE-2020-15241

URL Redirection to Untrusted Site (Open Redirect) in packagist/typo3/cms-core

TYPO3 Fluid Engine (package `typo3fluid/fluid`) is vulnerable to cross-site scripting when making use of the ternary conditional operator in templates like `{showFullName ? fullName : defaultValue}`. Updated versions of this package are bundled in the following TYPO3 (`typo3/cms-core`) versions as well: TYPO3 v8.7.25 (using `typo3fluid/fluid` v2.5.4) and TYPO3 v9.5.6 (using `typo3fluid/fluid` v2.6.1).

Added on 2020-10-22

CVE-2020-7740

Server-Side Request Forgery (SSRF) in npm/node-pdf-generator

This affects all versions of package node-pdf-generator. Due to lack of user input validation and sanitization done to the content given to node-pdf-generator, it is possible for an attacker to craft a url that will be passed to an external server allowing an SSRF attack.

Added on 2020-10-22

CVE-2020-25200

Information Exposure in pypi/pritunl

Pritunl allows attackers to enumerate valid VPN usernames via a series of `/auth/session` login attempts. Initially, the server will return error 401. However, if the username is valid, then after 20 login attempts, the server will start responding with error 400. Invalid usernames will receive error 401 indefinitely.

Added on 2020-10-21

CVE-2020-25262

Cross-Site Request Forgery (CSRF) in packagist/pyrocms/pyrocms

PyroCMS is vulnerable to cross-site request forgery (CSRF) via the `admin/pages/delete/` URI: pages will be deleted.

Added on 2020-10-21

CVE-2020-25263

Cross-Site Request Forgery (CSRF) in packagist/pyrocms/pyrocms

PyroCMS is vulnerable to cross-site request forgery (CSRF) via the `admin/addons/uninstall/anomaly.module.blocks` URI: an arbitrary plugin will be deleted.

Added on 2020-10-21

CVE-2020-13957

Missing Authorization in maven/org.apache.solr/solr-core

Apache Solr prevents some features considered dangerous (which could be used for remote code execution) from being configured in a ConfigSet that's uploaded via API without authentication/authorization. The checks in place to prevent such features can be circumvented by using a combination of `UPLOAD`/`CREATE` actions.

Added on 2020-10-21

CVE-2020-13952

Query Injection in pypi/apache-superset

In the course of work on the open source project it was discovered that authenticated users running queries against Hive and Presto database engines could access information via a number of templated fields including the contents of query description metadata database, the hashed version of the authenticated users’ password, and access to connection information including the plaintext password for the current connection. It would also be possible to run arbitrary methods on the database connection object for the Presto or Hive connection, allowing the user to bypass security controls internal to Superset. This vulnerability is present in every Apache Superset version < 0.37.2.

Added on 2020-10-19

CVE-2020-24301

Cross-site Scripting in maven/ca.uhn.hapi.fhir/hapi-fhir-testpage-overlay

Users of the HAPI FHIR Testpage Overlay can use a specially crafted URL to exploit an XSS vulnerability in this module, allowing arbitrary JavaScript to be executed in the user's browser. The impact of this vulnerability is believed to be low, as this module is intended for testing and not believed to be widely used for any production purposes.

Added on 2020-10-19

CVE-2020-2298

Improper Restriction of XML External Entity Reference in maven/org.jenkins-ci.plugins/nerrvana-plugin

Jenkins Nerrvana Plugin does not configure its XML parser to prevent XML external entity (XXE) attacks.

Added on 2020-10-19

CVE-2020-2297

Unprotected Storage of Credentials in maven/com.hoiio.jenkins/sms

Jenkins SMS Notification Plugin stores an access token unencrypted in its global configuration file on the Jenkins controller where it can be viewed by users with access to the Jenkins controller file system.

Added on 2020-10-19

CVE-2020-26870

Cross-site Scripting in npm/dompurify

Cure53 DOMPurify before 2.0.17 allows mutation XSS. This occurs because a serialize-parse roundtrip does not necessarily return the original DOM tree, and a namespace can change from HTML to MathML, as demonstrated by nesting of FORM elements.

Added on 2020-10-19

CVE-2020-15227

Injection Vulnerability in packagist/nette/application

Nette is vulnerable to a code injection attack in which specially formed parameters passed in the URL may lead to RCE. Nette is a PHP/Composer MVC framework.

Added on 2020-10-19

CVE-2020-25768

Improper Input Validation in packagist/contao/core-bundle

Contao suffers from an Improper Input Validation flaw. It is possible to inject insert tags in front end forms which will be replaced when the page is rendered.

Added on 2020-10-16

CVE-2020-11979

Injection Vulnerability in maven/org.apache.ant/ant

As mitigation for CVE-2020-1945 Apache Ant changed the permissions of temporary files it created so that only the current user was allowed to access them. Unfortunately, the `fixcrlf` task deleted the temporary file and created a new one without said protection, effectively nullifying the effort. This would still allow an attacker to inject modified source files into the build process.

Added on 2020-10-15

CVE-2020-7709

Improper Input Validation in npm/json-pointer

This Prototype Pollution affects the package json-pointer. Multiple references to an object using a slash are supported.

Added on 2020-10-15

CVE-2020-24807

Improper Input Validation in npm/socket.io-file

The socket.io-file package for Node.js relies on client-side validation of file types, which allows remote attackers to execute arbitrary code by uploading an executable file via a modified JSON name field. NOTE: This vulnerability only affects products that are no longer supported by the maintainer.

Added on 2020-10-15

CVE-2020-26137

Injection Vulnerability in pypi/urllib3

urllib3 allows CRLF injection if the attacker controls the HTTP request method, as demonstrated by inserting `CR` and `LF` control characters in the first argument of `putrequest()`. NOTE: this is similar to CVE-2020-26116.

Added on 2020-10-15