Comparison Overview

FreshRSS is a free, self-hostable RSS aggregator. Versions 1.26.3 and below do not sanitize certain event handler attributes in feed content, so by finding a page that renders feed entries without CSP, it is possible to execute an XSS payload. The Allow API access authentication setting needs to be enabled by the instance administrator beforehand for the attack to work as it relies on api/query.php. An account takeover is possible by sending a change password request via the XSS payload / setting UserJS for persistence / stealing the autofill password / displaying a phishing page with a spoofed URL using history.replaceState() If the victim is an administrator, the attacker can also perform administrative actions. This issue is fixed in version 1.27.0.

• https://github.com/FreshRSS/FreshRSS/commit/7df6c201f2e6a6521d20718dfd8d9794c7437d1f
• https://github.com/FreshRSS/FreshRSS/releases/tag/1.27.0
• https://github.com/FreshRSS/FreshRSS/security/advisories/GHSA-rwhf-vjjx-gmm9

go-f3 is a Golang implementation of Fast Finality for Filecoin (F3). In versions 0.8.6 and below, go-f3 panics when it validates a "poison" messages causing Filecoin nodes consuming F3 messages to become vulnerable. A "poison" message can can cause integer overflow in the signer index validation, which can cause the whole node to crash. These malicious messages aren't self-propagating since the bug is in the validator. An attacker needs to directly send the message to all targets. This issue is fixed in version 0.8.7.

• https://github.com/filecoin-project/go-f3/security/advisories/GHSA-g99p-47x7-mq88

go-f3 is a Golang implementation of Fast Finality for Filecoin (F3). In versions 0.8.8 and below, go-f3's justification verification caching mechanism has a vulnerability where verification results are cached without properly considering the context of the message. An attacker can bypass justification verification by submitting a valid message with a correct justification and then reusing the same cached justification in contexts where it would normally be invalid. This occurs because the cached verification does not properly validate the relationship between the justification and the specific message context it's being used with. This issue is fixed in version 0.8.9.

• https://github.com/filecoin-project/go-f3/commit/76fff18cf07b21baccf537024bdb2fb41f75f6e2#diff-e1f646cea41790e1642e4e649c9e3c526344736d67222201703e1c29c23e9625
• https://github.com/filecoin-project/go-f3/security/advisories/GHSA-7pq9-rf9p-wcrf

mkdocs-include-markdown-plugin is an Mkdocs Markdown includer plugin. In versions 7.1.7 and below, there is a vulnerability where unvalidated input can collide with substitution placeholders. This issue is fixed in version 7.1.8.

• https://github.com/mondeja/mkdocs-include-markdown-plugin/commit/7466d67aa0de8ffbc427204ad2475fed07678915
• https://github.com/mondeja/mkdocs-include-markdown-plugin/issues/274
• https://github.com/mondeja/mkdocs-include-markdown-plugin/pull/277
• https://github.com/mondeja/mkdocs-include-markdown-plugin/security/advisories/GHSA-v39m-5m9j-m9w9

go-mail is a comprehensive library for sending mails with Go. In versions 0.7.0 and below, due to incorrect handling of the mail.Address values when a sender- or recipient address is passed to the corresponding MAIL FROM or RCPT TO commands of the SMTP client, there is a possibility of wrong address routing or even ESMTP parameter smuggling. For successful exploitation, it is required that the user's code allows for arbitrary mail address input (i. e. through a web form or similar). If only static mail addresses are used (i. e. in a config file) and the mail addresses in use do not consist of quoted local parts, this should not affect users. This issue is fixed in version 0.7.1

• https://github.com/wneessen/go-mail/commit/42e92cfe027be04aff72921adb0f72f11d517479
• https://github.com/wneessen/go-mail/issues/495
• https://github.com/wneessen/go-mail/pull/496
• https://github.com/wneessen/go-mail/security/advisories/GHSA-wpwj-69cm-q9c5