Updated advisory posts against rubysec/ruby-advisory-db@0ecf8d7

Author: jasnow

advisories/_posts/2026-03-10-CVE-2026-1776.md

@@ -0,0 +1,41 @@
+---
+layout: advisory
+title: 'CVE-2026-1776 (camaleon_cms): Camaleon CMS vulnerable to Path Traversal through
+  AWS S3 uploader implementation'
+comments: false
+categories:
+- camaleon_cms
+advisory:
+  gem: camaleon_cms
+  cve: 2026-1776
+  ghsa: jw5g-f64p-6x78
+  url: https://nvd.nist.gov/vuln/detail/CVE-2026-1776
+  title: Camaleon CMS vulnerable to Path Traversal through AWS S3 uploader implementation
+  date: 2026-03-10
+  description: |
+    Camaleon CMS versions 2.4.5.0 through 2.9.1, prior to commit f54a77e,
+    contain a path traversal vulnerability in the AWS S3 uploader
+    implementation that allows authenticated users to read arbitrary
+    files from the web server’s filesystem. The issue occurs in the
+    download_private_file functionality when the application is
+    configured to use the CamaleonCmsAwsUploader backend. Unlike the
+    local uploader implementation, the AWS uploader does not validate
+    file paths with valid_folder_path?, allowing directory traversal
+    sequences to be supplied via the file parameter. As a result, any
+    authenticated user, including low-privileged registered users, can
+    access sensitive files such as /etc/passwd. This issue represents a
+    bypass of the incomplete fix for CVE-2024-46987 and affects
+    deployments using the AWS S3 storage backend.
+  cvss_v4: 6.0
+  unaffected_versions:
+  - "< 2.4.5.0"
+  notes: Never patched; last release was 2.9.1
+  related:
+    url:
+    - https://nvd.nist.gov/vuln/detail/CVE-2026-1776
+    - https://github.com/owen2345/camaleon-cms/pull/1127
+    - https://github.com/owen2345/camaleon-cms/commit/f54a77e2a7be601215ea1b396038c589a0cab9af
+    - https://camaleon.website
+    - https://www.vulncheck.com/advisories/camaleon-cms-aws-uploader-authenticated-path-traversal-arbitrary-file-read
+    - https://github.com/advisories/GHSA-jw5g-f64p-6x78
+---

advisories/_posts/2026-03-11-CVE-2026-31830.md

@@ -0,0 +1,64 @@
+---
+layout: advisory
+title: 'CVE-2026-31830 (sigstore): sigstore-ruby verifier returns success for DSSE
+  bundles with mismatched in-toto subject digest'
+comments: false
+categories:
+- sigstore
+advisory:
+  gem: sigstore
+  cve: 2026-31830
+  ghsa: mhg6-2q2v-9h2c
+  url: https://github.com/sigstore/sigstore-ruby/security/advisories/GHSA-mhg6-2q2v-9h2c
+  title: sigstore-ruby verifier returns success for DSSE bundles with mismatched in-toto
+    subject digest
+  date: 2026-03-11
+  description: |
+    ### Summary
+
+    `Sigstore::Verifier#verify` does not propagate the `VerificationFailure`
+    returned by `verify_in_toto` when the artifact digest does not match
+    the digest in the in-toto attestation subject. As a result, verification
+    of DSSE bundles containing in-toto statements returns `VerificationSuccess`
+    regardless of whether the artifact matches the attested subject.
+
+    ### Details
+
+    In `lib/sigstore/verifier.rb`, the verify method calls `verify_in_toto`
+    (line 176) without capturing or checking its return value:
+
+    `verify_in_toto(input, in_toto)`
+
+    When `verify_in_toto` detects a digest mismatch, it returns a
+    `VerificationFailure` object. Because the caller discards this
+    return value, execution unconditionally falls through to return
+    `VerificationSuccess`. This is the only verification sub-check in
+    the method (out of 12) whose failure is not propagated.
+
+    The message_signature code path is not affected.
+
+    ### Impact
+
+    An attacker who possesses a valid signed DSSE bundle containing an
+    in-toto attestation for artifact A can present it as a valid attestation
+    for a different artifact B. All other verification checks (DSSE envelope
+    signature, certificate chain, Rekor inclusion, SCTs, policy) pass because
+    they are independent of the artifact content. Only the in-toto subject
+    digest check detects the mismatch, and its result is discarded.
+
+    This allows an attacker to bypass artifact-to-attestation binding for
+    any consumer that relies on `Sigstore::Verifier#verify` to validate
+    DSSE/in-toto bundles.
+
+    ### Workarounds
+
+    None. Consumers cannot work around this without patching the library.
+  cvss_v3: 7.5
+  patched_versions:
+  - ">= 0.2.3"
+  related:
+    url:
+    - https://nvd.nist.gov/vuln/detail/CVE-2026-31830
+    - https://github.com/sigstore/sigstore-ruby/security/advisories/GHSA-mhg6-2q2v-9h2c
+    - https://github.com/advisories/GHSA-mhg6-2q2v-9h2c
+---

advisories/_posts/2026-03-12-GHSA-qmpg-8xg6-ph5q.md

@@ -0,0 +1,46 @@
+---
+layout: advisory
+title: 'GHSA-qmpg-8xg6-ph5q (action_text-trix): Trix has a Stored XSS vulnerability
+  through serialized attributes'
+comments: false
+categories:
+- action_text-trix
+advisory:
+  gem: action_text-trix
+  ghsa: qmpg-8xg6-ph5q
+  url: https://github.com/basecamp/trix/security/advisories/GHSA-qmpg-8xg6-ph5q
+  title: Trix has a Stored XSS vulnerability through serialized attributes
+  date: 2026-03-12
+  description: |
+    ### Impact
+
+    The Trix editor, in versions prior to 2.1.17, is vulnerable to XSS
+    attacks when a `data-trix-serialized-attributes` attribute bypasses
+    the DOMPurify sanitizer.
+
+    An attacker could craft HTML containing a `data-trix-serialized-attributes`
+    attribute with a malicious payload that, when the content is rendered,
+    could execute arbitrary JavaScript code within the context of the user's
+    session, potentially leading to unauthorized actions being performed
+    or sensitive information being disclosed.
+
+    ### Patches
+
+    Update Recommendation: Users should upgrade to Trix editor
+    version 2.1.17 or later.
+
+    ### References
+
+    The XSS vulnerability was responsibly reported by Hackerone
+    researcher [newbiefromcoma](https://hackerone.com/newbiefromcoma).
+  cvss_v3: 4.6
+  patched_versions:
+  - ">= 2.1.17"
+  related:
+    url:
+    - https://github.com/basecamp/trix/security/advisories/GHSA-qmpg-8xg6-ph5q
+    - https://github.com/basecamp/trix/releases/tag/v2.1.17
+    - https://github.com/basecamp/trix/pull/1282
+    - https://github.com/basecamp/trix/commit/53197ab5a142e6b0b76127cb790726b274eaf1bc
+    - https://github.com/advisories/GHSA-qmpg-8xg6-ph5q
+---