Vulnerabilities

With the aim of informing, warning and helping professionals with the latest security vulnerabilities in technology systems, we have made a database available for users interested in this information, which is in Spanish and includes all of the latest documented and recognised vulnerabilities.

This repository, with over 75,000 records, is based on the information from the NVD (National Vulnerability Database) – by virtue of a partnership agreement – through which INCIBE translates the included information into Spanish.

On occasion this list will show vulnerabilities that have not yet been translated, as they are added while the INCIBE team is still carrying out the translation process. The CVE (Common Vulnerabilities and Exposures) Standard for Information Security Vulnerability Names is used with the aim of supporting the exchange of information between different tools and databases.

All vulnerabilities collected are linked to different information sources, as well as available patches or solutions provided by manufacturers and developers. It is possible to carry out advanced searches, as there is the option to select different criteria to narrow down the results, some examples being vulnerability types, manufacturers and impact levels, among others.

Through RSS feeds or Newsletters we can be informed daily about the latest vulnerabilities added to the repository. Below there is a list, updated daily, where you can discover the latest vulnerabilities.

CVE-2025-24293

Publication date:
30/01/2026
# Active Storage allowed transformation methods potentially unsafe

Active Storage attempts to prevent the use of potentially unsafe image transformation methods and parameters by default.

The default allowed list contains three methods that allow for the circumvention of the safe defaults, which enables potential command injection vulnerabilities in cases where arbitrary user supplied input is accepted as valid transformation methods or parameters.

Impact
------
This vulnerability impacts applications that use Active Storage with the image_processing gem in addition to mini_magick as the image processor.

Vulnerable code will look something similar to this:
```
params[:v]) %>
```

Where the transformation method or its arguments are untrusted arbitrary input.

All users running an affected release should either upgrade or use one of the workarounds immediately.

Workarounds
-----------
Consuming user supplied input for image transformation methods or their parameters is unsupported behavior and should be considered dangerous.

Strict validation of user supplied methods and parameters should be performed, as well as having a strong [ImageMagick security policy](https://imagemagick.org/script/security-policy.php) deployed.

Credits
-------

Thank you [lio346](https://hackerone.com/lio346) for reporting this!
Severity CVSS v4.0: CRITICAL
Last modification:
30/01/2026

CVE-2026-23835

Publication date:
30/01/2026
LobeHub is an open source human-and-AI-agent network. Prior to version 1.143.3, the file upload feature in `Knowledge Base > File Upload` does not validate the integrity of the upload request, allowing users to intercept and modify the request parameters. As a result, it is possible to create arbitrary files in abnormal or unintended paths. In addition, since `lobechat.com` relies on the size parameter from the request to calculate file usage, an attacker can manipulate this value to misrepresent the actual file size, such as uploading a `1 GB` file while reporting it as `10 MB`, or falsely declaring a `10 MB` file as a `1 GB` file. By manipulating the size value provided in the client upload request, it is possible to bypass the monthly upload quota enforced by the server and continuously upload files beyond the intended storage and traffic limits. This abuse can result in a discrepancy between actual resource consumption and billing calculations, causing direct financial impact to the service operator. Additionally, exhaustion of storage or related resources may lead to degraded service availability, including failed uploads, delayed content delivery, or temporary suspension of upload functionality for legitimate users. A single malicious user can also negatively affect other users or projects sharing the same subscription plan, effectively causing an indirect denial of service (DoS). Furthermore, excessive and unaccounted-for uploads can distort monitoring metrics and overload downstream systems such as backup processes, malware scanning, and media processing pipelines, ultimately undermining overall operational stability and service reliability. Version 1.143.3 contains a patch for the issue.
Severity CVSS v4.0: MEDIUM
Last modification:
30/01/2026

CVE-2025-11175

Publication date:
30/01/2026
Improper Neutralization of Special Elements used in an Expression Language Statement ('Expression Language Injection') vulnerability in The Wikimedia Foundation Mediawiki - DiscussionTools Extension allows Regular Expression Exponential Blowup. This issue affects Mediawiki - DiscussionTools Extension: 1.44, 1.43.
Severity CVSS v4.0: HIGH
Last modification:
30/01/2026

CVE-2025-62349

Publication date:
30/01/2026
Salt contains an authentication protocol version downgrade weakness that can allow a malicious minion to bypass newer authentication/security features by using an older request payload format, enabling minion impersonation and circumventing protections introduced in response to prior issues.
Severity CVSS v4.0: HIGH
Last modification:
30/01/2026

CVE-2025-69662

Publication date:
30/01/2026
SQL injection vulnerability in geopandas before v1.1.2 allows an attacker to obtain sensitive information via the `to_postgis()` function being used to write GeoDataFrames to a PostgreSQL database.
Severity CVSS v4.0: Pending analysis
Last modification:
30/01/2026

CVE-2025-51958

Publication date:
30/01/2026
aelsantex runcommand 2014-04-01, a plugin for DokuWiki, allows unauthenticated attackers to execute arbitrary system commands via lib/plugins/runcommand/postaction.php.
Severity CVSS v4.0: Pending analysis
Last modification:
30/01/2026

CVE-2025-62348

Publication date:
30/01/2026
Salt's junos execution module contained an unsafe YAML decode/load usage. A specially crafted YAML payload processed by the junos module could lead to unintended code execution under the context of the Salt process.
Severity CVSS v4.0: HIGH
Last modification:
30/01/2026

CVE-2024-9432

Publication date:
30/01/2026
Cleartext Storage of Sensitive Information vulnerability in OpenText™ Vertica allows Retrieve Embedded Sensitive Data.

The vulnerability could read Vertica agent plaintext apikey. This issue affects Vertica versions: 23.X, 24.X, 25.X.
Severity CVSS v4.0: MEDIUM
Last modification:
30/01/2026

CVE-2026-1701

Publication date:
30/01/2026
A security vulnerability has been detected in itsourcecode Student Management System 1.0. This issue affects some unknown processing of the file /enrollment/index.php. Such manipulation of the argument ID leads to SQL injection. It is possible to launch the attack remotely. The exploit has been disclosed publicly and may be used.
Severity CVSS v4.0: MEDIUM
Last modification:
30/01/2026

CVE-2026-1702

Publication date:
30/01/2026
A vulnerability was detected in SourceCodester Pet Grooming Management Software 1.0. Impacted is an unknown function of the file /admin/operation/user.php of the component User Management. Performing a manipulation of the argument group_id results in improper authorization. The attack can be initiated remotely. The exploit is now public and may be used.
Severity CVSS v4.0: MEDIUM
Last modification:
30/01/2026

CVE-2025-15497

Publication date:
30/01/2026
Insufficient epoch key slot processing in OpenVPN 2.7_alpha1 through 2.7_rc5 allows remote authenticated users to trigger an assert resulting in a denial of service.
Severity CVSS v4.0: LOW
Last modification:
30/01/2026

CVE-2026-1691

Publication date:
30/01/2026
A vulnerability has been found in bolo-solo up to 2.6.4. This impacts the function importMarkdownsSync of the file src/main/java/org/b3log/solo/bolo/prop/BackupService.java of the component SnakeYAML. Such manipulation leads to deserialization. The attack may be launched remotely. The exploit has been disclosed to the public and may be used.
Severity CVSS v4.0: MEDIUM
Last modification:
30/01/2026