Lnielsen

**Nome do software vulnerável e versões afetadas: Versões do Invenio-Drafts-Resources anteriores à 0.13.7 e à 0.14.6 Descrição: O Invenio-Drafts-Resources é um módulo de envio/depósito para o Invenio, uma estrutura de software para gestão de dados de pesquisa. O problema decorre de verificações de permissão inadequadas quando um registro é publicado, tornando-o vulnerável em uma instalação padrão do InvenioRDM. Um usuário autenticado pode publicar rascunhos de registros de outros usuários por meio de chamadas de API REST, caso conheça o identificador do registro e o rascunho seja validado. No entanto, o invasor não pode modificar os dados no registro, como alterar um registro de restrito para público. Recomendações: Para versões do Invenio-Drafts-Resources anteriores à 0.13.7, atualize para a versão 0.13.7 ou posterior. Para versões do Invenio-Drafts-Resources anteriores à 0.14.6, atualize para a versão 0.14.6 ou posterior. Como solução temporária, considere restringir o acesso aos pontos de extremidade da API REST relacionados à publicação de registros preliminares até que um patch seja aplicado.

Name of the Vulnerable Software and Affected Versions: Invenio-App versions prior to 1.1.1 Description: A host header injection attack has been identified in Invenio-App. This issue can be exploited if the web server is configured to route all requests to the application, the `APP ALLOWED HOSTS` configuration variable is relied upon to whitelist allowed host headers, and Flask's `request.host` is not evaluated during request handling. This can occur in views that do not evaluate `request.host`, such as those using `url for` to generate external URLs. The estimated number of potentially affected devices worldwide is not available. There is no information about real-world incidents where this issue was exploited. Recommendations: For Invenio-App versions prior to 1.1.1, upgrade to version 1.1.1 or later to fully fix the issue. As a temporary workaround, configure your web server to ensure that it never routes requests with a wrong host header to your application. This can be achieved by defining two virtual hosts: a default virtual host that acts as a catch-all and an application virtual host that is configured to only reply to a whitelist of host headers. Alternatively, include the following code snippet in your application to force evaluation of `request.host`: ```python @app.before request def before request(): request.host ```

Name of the Vulnerable Software and Affected Versions: invenio-previewer versions prior to 1.0.0a12 Description: A Cross-Site Scripting (XSS) issue has been found in the JSON, Markdown, and iPython Notebook previewers. This would allow a malicious user to upload a file with embedded scripts that would be executed by a victim's browser. Recommendations: For versions prior to 1.0.0a12, update to version 1.0.0a12 to fix the issue. As a temporary workaround, consider disabling the affected previewers by modifying the configuration to exclude 'json prismjs', 'mistune', and 'ipynb' from PREVIEWER PREFERENCE.