Barakharyati

**Name of the Vulnerable Software and Affected Versions** Jellyfin versions (affected versions not specified) **Description** Jellyfin is an open-source media system. The `code-quality.yml` GitHub Actions workflow in the `jellyfin/jellyfin-ios` repository is susceptible to arbitrary code execution through pull requests originating from forked repositories. The workflow possesses elevated permissions, granting nearly all write access. This allows for complete takeover of the `jellyfin/jellyfin-ios` repository, potential exfiltration of sensitive secrets, a possible Apple App Store supply chain attack, compromise of GitHub Container Registry (ghcr.io) packages, and full compromise of the Jellyfin organization through cross-repository token usage. This is a workflow issue, not a code-level flaw. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** QGIS versions prior to commit 76a693cd91650f9b4e83edac525e5e4f90d954e9 **Description** The QGIS repository contained a GitHub Actions workflow named "pre-commit checks" that, before commit 76a693cd91650f9b4e83edac525e5e4f90d954e9, was susceptible to remote code execution and potential repository compromise. The workflow utilized the `pull request target` trigger, which allowed it to check out and execute code from untrusted pull requests within a privileged context. This meant that workflows ran with the base repository's credentials and access to secrets. An attacker could potentially execute arbitrary commands with elevated privileges by controlling the code within a pull request. This pattern is recognized as a security risk by GitHub and security researchers. **Recommendations** Update the QGIS repository to a version including commit 76a693cd91650f9b4e83edac525e5e4f90d954e9 or later.

**Nome do Software Vulnerável e Versões Afetadas** Versões do Parse Server anteriores à 8.6.0-alpha.2 **Descrição** O Parse Server é um backend de código aberto implantável em infraestruturas Node.js. Um fluxo de trabalho de CI do GitHub pode ser disparado de maneira que conceda permissões elevadas ao fluxo de trabalho do GitHub Actions, proporcionando acesso a segredos do GitHub e permissões de gravação definidos dentro do fluxo de trabalho. Código originado de um fork ou scripts de ciclo de vida podem ser incluídos. A área afetada limita-se à infraestrutura de CI/CD do repositório, incluindo forks públicos do GitHub com GitHub Actions habilitado. **Recomendações** Atualize o Parse Server para a versão 8.6.0-alpha.2 ou posterior.