GHSA-C3WQ-J5VH-68RC Hugo: Symlink confinement bypass in os.ReadFile
Affected versions: v0.123.0 through v0.163.0. Earlier versions are not affected. Fixed in: v0.163.1. Severity: Medium. Requires the attacker to be able to place or convince a site author to place a symlink inside a mounted directory — for example, inside a locally-vendored theme under themes/...
GHSA-Q76J-GCG9-VXC6 Hugo: XSS via unescaped code-fence language in default code block renderer
Hugo's default code-block renderer wrote the Markdown code-fence language / info-string into the wrapper without HTML escaping. A fence info-string containing a quote and a payload breaks out of the attribute and injects a live script element. This is not an issue if you fully trust every file...
GHSA-PHWJ-RPRQ-35PP Nokogiri: Possible Use-After-Free when setting an attribute value via `Nokogiri::XML::Attr#value=` or `#content=`
Summary: Nokogiri's CRuby native extension could leave a Ruby wrapper pointing to freed memory when replacing the value of an XML attribute. If Ruby code had already accessed an attribute child node, Nokogiri::XML::Attr#value= could free the underlying native child node while the wrapper remained...
GHSA-WFPW-MMFH-QQ69 Nokogiri: Possible Use-After-Free in XInclude Processing
Summary: XInclude substitution performed by Nokogiri::XML::Node#do_xinclude replaced each xi:include element in place, freeing the include node along with its child elements, their descendants, and any namespaces declared on them. If an application had already exposed one of those nodes or namespaces to Ruby, the...
GHSA-9CV2-CFXC-V4V2 Nokogiri: Null Pointer Dereference calling methods on uninitialized wrapper classes
Summary: Nokogiri contains a bug when calling certain methods on allocated-but-uninitialized native wrapper classes that inherit from Nokogiri::XML::Node. This caused a NULL pointer dereference that could crash the process. Nokogiri 1.19.4 checks for missing native data pointers and raises a...
GHSA-8678-W3JW-XFC2 Nokogiri: XML::Schema on JRuby allows network requests when NONET is set, bypassing CVE-2020-26247
Summary: The NONET parse option, which Nokogiri turns on by default for Nokogiri::XML::Schema (see CVE-2020-26247), was not correctly enforced on the JRuby implementation. As a result, a schema parsed with default options could still cause external resources to be fetched over the network, potential...
GHSA-Q7J3-V8QV-22VQ OpenTofu: Possible arbitrary file read during certain git operations via a maliciously crafted URL
Impact: Possible data exposure. Summary: While downloading packages from a maliciously crafted URL, some git operations against that URL could allow arbitrary file read. This might allow disclosure of confidential information. Details: OpenTofu relies on go-getter for downloading packages like...