Multiple security vulnerabilities in WLED

[breakingsystems]

What happened?

I reported a number of vulnerabilities privately via the Github "Report a vulnerability" feature.
It has been over one week now without a response/acknowledgement.

Could one of the WLED maintainers please have a look at https://github.com/wled/WLED/security/advisories/GHSA-2xwq-cxqw-wfv8 and leave a comment there?

Thank you!

To Reproduce Bug

Check https://github.com/wled/WLED/security/advisories/GHSA-2xwq-cxqw-wfv8

Expected Behavior

Check https://github.com/wled/WLED/security/advisories/GHSA-2xwq-cxqw-wfv8

Install Method

Binary from WLED.me

What version of WLED?

Latest

Which microcontroller/board are you seeing the problem on?

ESP32

Relevant log/trace output

Anything else?

No response

Code of Conduct

• I agree to follow this project's Code of Conduct

[softhack007]

Could one of the WLED maintainers please have a look at https://github.com/wled/WLED/security/advisories/GHSA-2xwq-cxqw-wfv8 and leave a comment there?

I get a "404 page not found" on your URL.

[breakingsystems]

That's strange. You should be in the "wled owners" group, and that group should have access:

Collaborators
Only the following users and teams can see and collaborate on this advisory:
@wled wled owners
@[breakingsystems ](https://github.com/breakingsystems)breakingsystems Author

So I assume you are also not seeing any security advisory at https://github.com/wled/WLED/security?

[softhack007]

@netmindz do you see page mentioned by @breakingsystems ?

[netmindz]

I have given an initial response, more details to follow.

TLDR: the critical has already been reported once before and had been fixed. I just need to double check that it did get back ported to 0.15.x

Other issues reported are very fairly basic rather than significant discoveries