Advisories for Gem/Publify_core package

Weak Password Requirements in GitHub repository publify/publify prior to 9.2.10.

Integer Overflow or Wraparound in GitHub repository publify/publify prior to 9.2.10.

Insecure Storage of Sensitive Information in GitHub repository publify/publify prior to 9.2.10.

Improper Input Validation in GitHub repository publify/publify prior to 9.2.10.

A low-privileged user can modify and delete admin articles just by changing the value of the article[id] parameter.

Unrestricted Upload of File with Dangerous Type in GitHub repository publify/publify prior to 9.2.9.

Publify before 8.0.1 is vulnerable to a Denial of Service attack

Improper Access Control in GitHub repository publify/publify prior to 9.2.8.

Leaking password protected articles content due to improper access control in GitHub repository publify/publify prior to 9.2.8. Attackers can leverage this vulnerability to view the contents of any password-protected article present on the publify website, compromising confidentiality and integrity of users.

Code Injection in GitHub repository publify/publify prior to 9.2.8.

Business Logic Errors in GitHub repository publify/publify

Publify is vulnerable to stored XSS. A user with a “publisher” role is able to inject and execute arbitrary JavaScript code while creating a page/article.

Publify is vulnerable to stored XSS as a result of an unrestricted file upload. This issue allows a user with “publisher” role to inject malicious JavaScript via the uploaded html file.

In Publify pre1 to is vulnerable to Improper Access Control. guest role users can self-register even when the admin does not allow. This happens due to front-end restriction only.