Threat and Vulnerability Intelligence Database

RSS Feed

Example Searches:

CVE
Threat Actors
Countries
Vendors
Severity
Known Exploited
[simplesamlphp/xml-security] SimpleSAMLphp xml-common XXE vulnerability
Description: Summary When loading an (untrusted) XML document, for example the SAMLResponse, it's possible to induce an XXE. Mitigation: Remove the LIBXML_DTDLOAD | LIBXML_DTDATTR options from $options is in: https://github.com/simplesamlphp/saml2/blob/717c0adc4877ebd58428637e5626345e59fa0109/src/SAML2/DOMDocumentFactory.php#L41 Background / details To be published on Dec 8. References https://github.com/simplesamlphp/xml-common/security/advisories/GHSA-2x65-fpch-2fcm https://github.com/simplesamlphp/xml-common/commit/fa4ade391c3194466acf5fbfd5d2ecdbf5e831f5 https://nvd.nist.gov/vuln/detail/CVE-2024-52596 https://lists.debian.org/debian-lts-announce/2024/12/msg00001.html https://github.com/advisories/GHSA-2x65-fpch-2fcm
Source: Github Advisory Database (Composer)
December 3rd, 2024 (5 months ago)
[simplesamlphp/xml-common] SimpleSAMLphp SAML2 has an XXE in parsing SAML messages
Description: Summary When loading an (untrusted) XML document, for example the SAMLResponse, it's possible to induce an XXE. Mitigation: Remove the LIBXML_DTDLOAD | LIBXML_DTDATTR options from $options is in: https://github.com/simplesamlphp/saml2/blob/717c0adc4877ebd58428637e5626345e59fa0109/src/SAML2/DOMDocumentFactory.php#L41 Background / details To be published on Dec 8th References https://github.com/simplesamlphp/saml2/security/advisories/GHSA-pxm4-r5ph-q2m2 https://github.com/simplesamlphp/saml2/commit/5fd4ce4596656fb0c1278f15b8305825412e89f7 https://nvd.nist.gov/vuln/detail/CVE-2024-52806 https://github.com/advisories/GHSA-pxm4-r5ph-q2m2
Source: Github Advisory Database (Composer)
December 3rd, 2024 (5 months ago)
[simplesamlphp/xml-security] SimpleSAMLphp SAML2 has an XXE in parsing SAML messages
Description: Summary When loading an (untrusted) XML document, for example the SAMLResponse, it's possible to induce an XXE. Mitigation: Remove the LIBXML_DTDLOAD | LIBXML_DTDATTR options from $options is in: https://github.com/simplesamlphp/saml2/blob/717c0adc4877ebd58428637e5626345e59fa0109/src/SAML2/DOMDocumentFactory.php#L41 Background / details To be published on Dec 8th References https://github.com/simplesamlphp/saml2/security/advisories/GHSA-pxm4-r5ph-q2m2 https://github.com/simplesamlphp/saml2/commit/5fd4ce4596656fb0c1278f15b8305825412e89f7 https://nvd.nist.gov/vuln/detail/CVE-2024-52806 https://github.com/advisories/GHSA-pxm4-r5ph-q2m2
Source: Github Advisory Database (Composer)
December 3rd, 2024 (5 months ago)
[simplesamlphp/saml2-legacy] SimpleSAMLphp SAML2 has an XXE in parsing SAML messages
Description: Summary When loading an (untrusted) XML document, for example the SAMLResponse, it's possible to induce an XXE. Mitigation: Remove the LIBXML_DTDLOAD | LIBXML_DTDATTR options from $options is in: https://github.com/simplesamlphp/saml2/blob/717c0adc4877ebd58428637e5626345e59fa0109/src/SAML2/DOMDocumentFactory.php#L41 Background / details To be published on Dec 8th References https://github.com/simplesamlphp/saml2/security/advisories/GHSA-pxm4-r5ph-q2m2 https://github.com/simplesamlphp/saml2/commit/5fd4ce4596656fb0c1278f15b8305825412e89f7 https://nvd.nist.gov/vuln/detail/CVE-2024-52806 https://github.com/advisories/GHSA-pxm4-r5ph-q2m2
Source: Github Advisory Database (Composer)
December 3rd, 2024 (5 months ago)
[simplesamlphp/saml2] SimpleSAMLphp SAML2 has an XXE in parsing SAML messages
Description: Summary When loading an (untrusted) XML document, for example the SAMLResponse, it's possible to induce an XXE. Mitigation: Remove the LIBXML_DTDLOAD | LIBXML_DTDATTR options from $options is in: https://github.com/simplesamlphp/saml2/blob/717c0adc4877ebd58428637e5626345e59fa0109/src/SAML2/DOMDocumentFactory.php#L41 Background / details To be published on Dec 8th References https://github.com/simplesamlphp/saml2/security/advisories/GHSA-pxm4-r5ph-q2m2 https://github.com/simplesamlphp/saml2/commit/5fd4ce4596656fb0c1278f15b8305825412e89f7 https://nvd.nist.gov/vuln/detail/CVE-2024-52806 https://github.com/advisories/GHSA-pxm4-r5ph-q2m2
Source: Github Advisory Database (Composer)
December 3rd, 2024 (5 months ago)
[ibexa/admin-ui] Ibexa Admin UI vulnerable to Cross-site Scripting in a field that is used in the Content name pattern
Description: Impact The Content name pattern is used to build Content names from one or more fields. An XSS vulnerability has been found in this mechanism. Content edit permission is required to exploit it. After the fix, any existing injected XSS will not run. Patches See "Patched versions. https://github.com/ibexa/admin-ui/commit/8ec824a8cf06c566ed88e4c21cc66f7ed42649fc Workarounds None. References Advisory: https://developers.ibexa.co/security-advisories/ibexa-sa-2024-006-vulnerabilities-in-content-name-pattern-commerce-shop-and-varnish-vhost-templates Release notes: https://doc.ibexa.co/en/latest/update_and_migration/from_4.6/update_from_4.6/#v4614 References https://github.com/ibexa/admin-ui/security/advisories/GHSA-8w3p-gf85-qcch https://nvd.nist.gov/vuln/detail/CVE-2024-53864 https://github.com/ibexa/admin-ui/commit/8ec824a8cf06c566ed88e4c21cc66f7ed42649fc https://developers.ibexa.co/security-advisories/ibexa-sa-2024-006-vulnerabilities-in-content-name-pattern-commerce-shop-and-varnish-vhost-templates https://doc.ibexa.co/en/latest/update_and_migration/from_4.6/update_from_4.6/#v4614 https://github.com/advisories/GHSA-8w3p-gf85-qcch
Source: Github Advisory Database (Composer)
December 3rd, 2024 (5 months ago)
[ezsystems/ezplatform-http-cache] ezsystems/ezplatform-http-cache affected by Breach with Varnish VCL
Description: Impact This is not a vulnerability in the code per se, but included Varnish VCL templates enable compression of API and JSON messages. This is a potential case of the BREACH vulnerability, which affects HTTP compression, where secrets can be extracted through carefully crafted requests. The fix disables compression in these templates. Please make sure to make the same change in your configuration files, see the release notes for specific instructions. Please check your web server configuration as well. Patches See "Patched versions". https://github.com/ezsystems/ezplatform-http-cache/commit/ca8a5cf69b2c14fbec90412aeeef5c755c51457b Workarounds Make sure HTTP compression is disabled for REST API requests and other communication that might contain secrets. References Advisory: https://developers.ibexa.co/security-advisories/ibexa-sa-2024-006-vulnerabilities-in-content-name-pattern-commerce-shop-and-varnish-vhost-templates Release notes: https://doc.ibexa.co/en/latest/update_and_migration/from_3.3/update_from_3.3/#v3341 https://github.com/ibexa/post-install/security/advisories/GHSA-4h8f-c635-25p7 https://github.com/ibexa/http-cache/security/advisories/GHSA-fh7v-q458-7vmw https://www.breachattack.com/ References https://github.com/ezsystems/ezplatform-http-cache/security/advisories/GHSA-mgfg-7533-7jf6 https://github.com/ibexa/http-cache/security/advisories/GHSA-fh7v-q458-7vmw https://github.com/ibexa/post-install/security/advisories/GHSA-4h8f-c635-25p7 https://github.com/e...
Source: Github Advisory Database (Composer)
December 3rd, 2024 (5 months ago)
[ibexa/http-cache] ibexa/http-cache affected by Breach with Varnish VCL
Description: Impact This is not a vulnerability in the code per se, but included Varnish VCL templates enable compression of API and JSON messages. This is a potential case of the BREACH vulnerability, which affects HTTP compression, where secrets can be extracted through carefully crafted requests. The fix disables compression in these templates. Please make sure to make the same change in your configuration files, see the release notes for specific instructions. Please check your web server configuration as well. Patches See "Patched versions". https://github.com/ibexa/http-cache/commit/e03f683e8db53b6d253e1af8177befeecc8d3914 Workarounds Make sure HTTP compression is disabled for REST API requests and other communication that might contain secrets. References Advisory: https://developers.ibexa.co/security-advisories/ibexa-sa-2024-006-vulnerabilities-in-content-name-pattern-commerce-shop-and-varnish-vhost-templates Release notes: https://doc.ibexa.co/en/latest/update_and_migration/from_4.6/update_from_4.6/#v4614 https://github.com/ibexa/post-install/security/advisories/GHSA-4h8f-c635-25p7 https://github.com/ezsystems/ezplatform-http-cache/security/advisories/GHSA-mgfg-7533-7jf6 https://www.breachattack.com/ References https://github.com/ezsystems/ezplatform-http-cache/security/advisories/GHSA-mgfg-7533-7jf6 https://github.com/ibexa/http-cache/security/advisories/GHSA-fh7v-q458-7vmw https://github.com/ibexa/post-install/security/advisories/GHSA-4h8f-c635-25p7 https://github.com/i...
Source: Github Advisory Database (Composer)
December 3rd, 2024 (5 months ago)
[ibexa/post-install] ibexa/post-install affected by Breach with Varnish VCL
Description: Impact This is not a vulnerability in the code per se, but included platform.sh Varnish VCL templates and Apache/Nginx vhost templates enable compression of API and JSON messages. This is a potential case of the BREACH vulnerability, which affects HTTP compression, where secrets can be extracted through carefully crafted requests. The fix disables compression in these templates. Please make sure to make the same change in your configuration files, see the release notes for specific instructions. Patches See "Patched versions". v1.0: https://github.com/ibexa/post-install/commit/d91cc02623dd3263a99a94ace133c95e48909e5d v4.6: https://github.com/ibexa/post-install/commit/ae7c3c2081a862c75b90828f08bd74436ceb8fe8 Workarounds Make sure HTTP compression is disabled for REST API requests and other communication that might contain secrets. References Advisory: https://developers.ibexa.co/security-advisories/ibexa-sa-2024-006-vulnerabilities-in-content-name-pattern-commerce-shop-and-varnish-vhost-templates Release notes v3.3: https://doc.ibexa.co/en/latest/update_and_migration/from_3.3/update_from_3.3/#v3341 Release notes v4.6: https://doc.ibexa.co/en/latest/update_and_migration/from_4.6/update_from_4.6/#v4614 https://github.com/ezsystems/ezplatform-http-cache/security/advisories/GHSA-mgfg-7533-7jf6 https://github.com/ibexa/http-cache/security/advisories/GHSA-fh7v-q458-7vmw https://www.breachattack.com/ References https://github.com/ezsystems/ezplatform-http-cache/security/advis...
Source: Github Advisory Database (Composer)
December 3rd, 2024 (5 months ago)
[simplesamlphp/simplesamlphp] SimpleSAMLphp vulnerable to XXE in parsing SAML messages
Description: Summary When loading an (untrusted) XML document, for example the SAMLResponse, it's possible to induce an XXE. Mitigation: Remove the LIBXML_DTDLOAD | LIBXML_DTDATTR options from $options is in: https://github.com/simplesamlphp/saml2/blob/717c0adc4877ebd58428637e5626345e59fa0109/src/SAML2/DOMDocumentFactory.php#L41 Background / details To be published on Dec 8th References https://github.com/simplesamlphp/simplesamlphp/security/advisories/GHSA-j5g2-q29x-cw3h https://github.com/simplesamlphp/xml-common/security/advisories/GHSA-2x65-fpch-2fcm https://nvd.nist.gov/vuln/detail/CVE-2024-52596 https://github.com/advisories/GHSA-j5g2-q29x-cw3h
Source: Github Advisory Database (Composer)
December 3rd, 2024 (5 months ago)