
CVSS: 8.2 | EPSS: 0% | CPEs: 1 | EXPL: 0

league/oauth2-server is an implementation of an OAuth 2.0 authorization server written in PHP. Starting in version 8.3.2 and prior to version 8.5.3, servers that passed their keys to the CryptKey constructor as a string instead of a file path will have had that key included in a LogicException message if they did not provide a valid pass phrase for the key where one was required. This issue has been patched so that the provided key is no longer exposed in the exception message in the scenario outlined above. Users should upgrade to version 8.5.3 to receive the patch. As a workaround, pass the key as a file path instead of a string. • https://github.com/thephpleague/oauth2-server/pull/1353 https://github.com/thephpleague/oauth2-server/releases/tag/8.5.3 https://github.com/thephpleague/oauth2-server/security/advisories/GHSA-wj7q-gjg8-3cpm • CWE-209: Generation of Error Message Containing Sensitive Information •

CVSS: 9.8 | EPSS: 0% | CPEs: 4 | EXPL: 0

Flysystem is an open source file storage library for PHP. The whitespace normalisation used in 1.x and 2.x removes any unicode whitespace. Under certain specific conditions this could potentially allow a malicious user to execute code remotely. The conditions are: a user is allowed to supply the path or filename of an uploaded file; the supplied path or filename is not checked for unicode characters; the supplied path or filename is checked against an extension deny-list rather than an allow-list; the supplied path or filename contains a unicode whitespace character in the extension; and the uploaded file is stored in a directory that allows PHP code to be executed. When all of these conditions are met, a user can upload and execute arbitrary code on the system under attack. • https://github.com/thephpleague/flysystem/commit/a3c694de9f7e844b76f9d1b61296ebf6e8d89d74 https://github.com/thephpleague/flysystem/commit/f3ad69181b8afed2c9edf7be5a2918144ff4ea32 https://github.com/thephpleague/flysystem/security/advisories/GHSA-9f46-5r25-5wfm https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/NWPTENBYKI2IG47GI4DHAACLNRLTWUR5 https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/RNZSWK4GOMJOOHKLZEOE5AQSLC4DNCRZ https://packagist.org/packages/league/flysystem • CWE-367: Time-of-check Time-of-use (TOCTOU) Race Condition •

CVSS: 6.1 | EPSS: 0% | CPEs: 1 | EXPL: 1

Cross-site scripting (XSS) vulnerability in the PHP League CommonMark library before 0.18.3 allows remote attackers to insert unsafe links into HTML by using double-encoded HTML entities that are not properly escaped during rendering, a different vulnerability than CVE-2018-20583. • https://github.com/thephpleague/commonmark/issues/353 https://github.com/thephpleague/commonmark/releases/tag/0.18.3 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •

CVSS: 6.1 | EPSS: 0% | CPEs: 1 | EXPL: 1

Cross-site scripting (XSS) vulnerability in the PHP League CommonMark library versions 0.15.6 through 0.18.x before 0.18.1 allows remote attackers to insert unsafe URLs into HTML (even if allow_unsafe_links is false) via a newline character (e.g., writing javascript as javascri%0apt). • https://commonmark.thephpleague.com/changelog https://github.com/thephpleague/commonmark/issues/337 https://github.com/thephpleague/commonmark/releases/tag/0.18.1 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •