- Issue created by @prudloff
The moha_libs folder contains libraries with known vulnerabilities:
Found 21 security vulnerability advisories affecting 4 packages:
+-------------------+----------------------------------------------------------------------------------+
| Package | guzzlehttp/guzzle |
| Severity | high |
| CVE | CVE-2022-31091 |
| Title | Change in port should be considered a change in origin |
| URL | https://github.com/guzzle/guzzle/security/advisories/GHSA-q559-8m2m-g699 |
| Affected versions | >=7,<7.4.5|>=4,<6.5.8 |
| Reported at | 2022-06-20T22:24:00+00:00 |
+-------------------+----------------------------------------------------------------------------------+
+-------------------+----------------------------------------------------------------------------------+
| Package | guzzlehttp/guzzle |
| Severity | high |
| CVE | CVE-2022-31090 |
| Title | CURLOPT_HTTPAUTH option not cleared on change of origin |
| URL | https://github.com/guzzle/guzzle/security/advisories/GHSA-25mq-v84q-4j7r |
| Affected versions | >=7,<7.4.5|>=4,<6.5.8 |
| Reported at | 2022-06-20T22:24:00+00:00 |
+-------------------+----------------------------------------------------------------------------------+
+-------------------+----------------------------------------------------------------------------------+
| Package | guzzlehttp/guzzle |
| Severity | high |
| CVE | CVE-2022-31043 |
| Title | Fix failure to strip Authorization header on HTTP downgrade |
| URL | https://github.com/guzzle/guzzle/security/advisories/GHSA-w248-ffj2-4v5q |
| Affected versions | >=7,<7.4.4|>=4,<6.5.7 |
| Reported at | 2022-06-09T23:36:00+00:00 |
+-------------------+----------------------------------------------------------------------------------+
+-------------------+----------------------------------------------------------------------------------+
| Package | guzzlehttp/guzzle |
| Severity | high |
| CVE | CVE-2022-31042 |
| Title | Failure to strip the Cookie header on change in host or HTTP downgrade |
| URL | https://github.com/guzzle/guzzle/security/advisories/GHSA-f2wf-25xc-69c9 |
| Affected versions | >=7,<7.4.4|>=4,<6.5.7 |
| Reported at | 2022-06-09T23:36:00+00:00 |
+-------------------+----------------------------------------------------------------------------------+
+-------------------+----------------------------------------------------------------------------------+
| Package | guzzlehttp/guzzle |
| Severity | high |
| CVE | CVE-2022-29248 |
| Title | Cross-domain cookie leakage |
| URL | https://github.com/guzzle/guzzle/security/advisories/GHSA-cwmx-hcrq-mhc3 |
| Affected versions | >=7,<7.4.3|>=4,<6.5.6 |
| Reported at | 2022-05-25T13:21:00+00:00 |
+-------------------+----------------------------------------------------------------------------------+
+-------------------+----------------------------------------------------------------------------------+
| Package | guzzlehttp/psr7 |
| Severity | medium |
| CVE | CVE-2023-29197 |
| Title | Improper header validation |
| URL | https://github.com/guzzle/psr7/security/advisories/GHSA-wxmh-65f7-jcvw |
| Affected versions | >=2,<2.4.5|<1.9.1 |
| Reported at | 2023-04-17T16:00:00+00:00 |
+-------------------+----------------------------------------------------------------------------------+
+-------------------+----------------------------------------------------------------------------------+
| Package | guzzlehttp/psr7 |
| Severity | medium |
| CVE | CVE-2022-24775 |
| Title | Inproper parsing of HTTP headers |
| URL | https://github.com/guzzle/psr7/security/advisories/GHSA-q7rv-6hp3-vh96 |
| Affected versions | >=2,<2.1.1|<1.8.4 |
| Reported at | 2022-03-20T13:44:00+00:00 |
+-------------------+----------------------------------------------------------------------------------+
+-------------------+----------------------------------------------------------------------------------+
| Package | phpmailer/phpmailer |
| Severity | high |
| CVE | CVE-2021-34551 |
| Title | RCE affecting Windows hosts via UNC paths to translation files |
| URL | https://github.com/PHPMailer/PHPMailer/releases/tag/v6.5.0 |
| Affected versions | <6.5.0 |
| Reported at | 2021-06-16T16:20:00+00:00 |
+-------------------+----------------------------------------------------------------------------------+
+-------------------+----------------------------------------------------------------------------------+
| Package | phpmailer/phpmailer |
| Severity | low |
| CVE | CVE-2021-3603 |
| Title | Untrusted code may be run from an overridden address validator |
| URL | https://github.com/PHPMailer/PHPMailer/releases/tag/v6.5.0 |
| Affected versions | <6.5.0 |
| Reported at | 2021-06-16T16:20:00+00:00 |
+-------------------+----------------------------------------------------------------------------------+
+-------------------+----------------------------------------------------------------------------------+
| Package | phpmailer/phpmailer |
| Severity | high |
| CVE | CVE-2020-13625 |
| Title | Insufficient output escaping of attachment names in PHPMailer |
| URL | https://github.com/advisories/GHSA-f7hx-fqxw-rvvj |
| Affected versions | <6.1.6 |
| Reported at | 2020-05-27T16:37:02+00:00 |
+-------------------+----------------------------------------------------------------------------------+
+-------------------+----------------------------------------------------------------------------------+
| Package | phpoffice/phpspreadsheet |
| Severity | high |
| CVE | CVE-2024-48917 |
| Title | XXE in PHPSpreadsheet's XLSX reader |
| URL | https://github.com/advisories/GHSA-7cc9-j4mv-vcjp |
| Affected versions | >=3.3.0,<3.4.0|>=2.2.0,<2.3.2|>=2.0.0,<2.1.3|<1.29.4 |
| Reported at | 2024-11-18T20:01:46+00:00 |
+-------------------+----------------------------------------------------------------------------------+
+-------------------+----------------------------------------------------------------------------------+
| Package | phpoffice/phpspreadsheet |
| Severity | high |
| CVE | CVE-2024-47873 |
| Title | XmlScanner bypass leads to XXE |
| URL | https://github.com/advisories/GHSA-jw4x-v69f-hh5w |
| Affected versions | >=3.3.0,<3.4.0|>=2.2.0,<2.3.2|>=2.0.0,<2.1.3|<1.29.4 |
| Reported at | 2024-11-18T20:01:20+00:00 |
+-------------------+----------------------------------------------------------------------------------+
+-------------------+----------------------------------------------------------------------------------+
| Package | phpoffice/phpspreadsheet |
| Severity | high |
| CVE | CVE-2024-45293 |
| Title | XXE in PHPSpreadsheet's XLSX reader |
| URL | https://github.com/advisories/GHSA-6hwr-6v2f-3m88 |
| Affected versions | >=2.0.0,<2.1.1|<1.29.1|>=2.2.0,<2.3.0 |
| Reported at | 2024-10-07T15:58:52+00:00 |
+-------------------+----------------------------------------------------------------------------------+
+-------------------+----------------------------------------------------------------------------------+
| Package | phpoffice/phpspreadsheet |
| Severity | medium |
| CVE | CVE-2024-45292 |
| Title | PhpSpreadsheet HTML writer is vulnerable to Cross-Site Scripting via JavaScript |
| | hyperlinks |
| URL | https://github.com/advisories/GHSA-r8w8-74ww-j4wh |
| Affected versions | >=2.0.0,<2.1.1|<1.29.2|>=2.2.0,<2.3.0 |
| Reported at | 2024-10-07T15:58:25+00:00 |
+-------------------+----------------------------------------------------------------------------------+
+-------------------+----------------------------------------------------------------------------------+
| Package | phpoffice/phpspreadsheet |
| Severity | medium |
| CVE | CVE-2024-45291 |
| Title | PhpSpreadsheet allows absolute path traversal and Server-Side Request Forgery in |
| | HTML writer when embedding images is enabled |
| URL | https://github.com/advisories/GHSA-w9xv-qf98-ccq4 |
| Affected versions | >=2.0.0,<2.1.1|<1.29.2|>=2.2.0,<2.3.0 |
| Reported at | 2024-10-07T15:58:06+00:00 |
+-------------------+----------------------------------------------------------------------------------+
+-------------------+----------------------------------------------------------------------------------+
| Package | phpoffice/phpspreadsheet |
| Severity | high |
| CVE | CVE-2024-45290 |
| Title | PhpSpreadsheet allows absolute path traversal and Server-Side Request Forgery |
| | when opening XLSX file |
| URL | https://github.com/advisories/GHSA-5gpr-w2p5-6m37 |
| Affected versions | >=2.0.0,<2.1.1|<1.29.2|>=2.2.0,<2.3.0 |
| Reported at | 2024-10-07T15:57:38+00:00 |
+-------------------+----------------------------------------------------------------------------------+
+-------------------+----------------------------------------------------------------------------------+
| Package | phpoffice/phpspreadsheet |
| Severity | medium |
| CVE | CVE-2024-45060 |
| Title | PhpSpreadsheet has an Unauthenticated Cross-Site-Scripting (XSS) in sample file |
| URL | https://github.com/advisories/GHSA-v66g-p9x6-v98p |
| Affected versions | >=2.0.0,<2.1.1|<1.29.2|>=2.2.0,<2.3.0 |
| Reported at | 2024-10-07T14:43:30+00:00 |
+-------------------+----------------------------------------------------------------------------------+
+-------------------+----------------------------------------------------------------------------------+
| Package | phpoffice/phpspreadsheet |
| Severity | high |
| CVE | CVE-2024-45048 |
| Title | XXE in PHPSpreadsheet encoding is returned |
| URL | https://github.com/advisories/GHSA-ghg6-32f9-2jp7 |
| Affected versions | >=2.0.0,<2.1.1|>=2.2.0,<2.2.1|<1.29.1 |
| Reported at | 2024-08-29T17:58:27+00:00 |
+-------------------+----------------------------------------------------------------------------------+
+-------------------+----------------------------------------------------------------------------------+
| Package | phpoffice/phpspreadsheet |
| Severity | medium |
| CVE | CVE-2024-45046 |
| Title | PhpSpreadsheet HTML writer is vulnerable to Cross-Site Scripting via style |
| | information |
| URL | https://github.com/advisories/GHSA-wgmf-q9vr-vww6 |
| Affected versions | <1.29.1|>=2.0.0,<2.1.0 |
| Reported at | 2024-08-29T17:56:56+00:00 |
+-------------------+----------------------------------------------------------------------------------+
+-------------------+----------------------------------------------------------------------------------+
| Package | phpoffice/phpspreadsheet |
| Severity | medium |
| CVE | CVE-2020-7776 |
| Title | XSS Vulnerability in HTML Writer |
| URL | https://github.com/PHPOffice/PhpSpreadsheet/pull/1719 |
| Affected versions | <1.16.0 |
| Reported at | 2020-12-31T19:20:00+00:00 |
+-------------------+----------------------------------------------------------------------------------+
+-------------------+----------------------------------------------------------------------------------+
| Package | phpoffice/phpspreadsheet |
| Severity | high |
| CVE | CVE-2019-12331 |
| Title | XXE Vulnerability |
| URL | https://github.com/PHPOffice/PhpSpreadsheet/pull/1041 |
| Affected versions | <1.8.0 |
| Reported at | 2019-07-01T12:55:00+00:00 |
+-------------------+----------------------------------------------------------------------------------+
Run composer audit in modules/moha_libs/.
The libraries should be updated.
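As an added example (not part of this issue or the moha project), a small parser for the box-table report that composer audit prints, as pasted above, together with a severity gate a CI job could fail on. The input is a constructed excerpt of the report on this page, and the table layout (one key/value row per line, wrapped values continuing in a row with an empty key) is assumed from that paste.

```python
from collections import Counter

# Constructed excerpt of the report pasted in this issue (column padding collapsed; the parser ignores it).
SAMPLE_AUDIT = """\
+-------------------+----------------+
| Package | guzzlehttp/guzzle |
| Severity | high |
| CVE | CVE-2022-31091 |
| Title | Change in port should be considered a change in origin |
| Affected versions | >=7,<7.4.5|>=4,<6.5.8 |
+-------------------+----------------+
+-------------------+----------------+
| Package | phpoffice/phpspreadsheet |
| Severity | medium |
| CVE | CVE-2024-45292 |
| Title | PhpSpreadsheet HTML writer is vulnerable to Cross-Site Scripting via JavaScript |
| | hyperlinks |
| Affected versions | >=2.0.0,<2.1.1|<1.29.2|>=2.2.0,<2.3.0 |
+-------------------+----------------+
"""

def parse_audit(text):
    """One dict per advisory box. Each row is split on its first '|' only, so 'Affected versions'
    values containing '|' survive; a row with an empty key continues the previous field (wrapped Title)."""
    records, current, last_key = [], {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith('+'):  # box border closes the current record
            if current:
                records.append(current)
            current, last_key = {}, None
            continue
        if not line.startswith('|'):
            continue              # skip anything that is not a table row
        key, _, value = line[1:-1].partition('|')
        key, value = key.strip(), value.strip()
        if key:
            current[key], last_key = value, key
        elif last_key:
            current[last_key] += ' ' + value
    if current:
        records.append(current)
    return records

def summarize(records, fail_on=('high', 'critical')):
    """Per-package and per-severity counts, plus the CVEs whose severity fails the gate."""
    blocking = sorted(r['CVE'] for r in records if r['Severity'] in fail_on)
    return {'packages': dict(Counter(r['Package'] for r in records)),
            'severities': dict(Counter(r['Severity'] for r in records)),
            'blocking': blocking, 'fail': bool(blocking)}
```

Feed it the full report from the issue and `summarize(...)['fail']` gives a CI job a single exit condition while the per-package counts say which libraries in moha_libs need the update.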
Status: Active
Component: Code