Latest News

### Summary Lack of CSRF protection on the `preview-expression` command means that visiting a malicious website could cause an attacker-controlled expression to be executed. The expression can contain arbitrary Clojure or Python code. The attacker must know a valid project ID of a project that contains at least one row. ### Details The `com.google.refine.commands.expr.PreviewExpressionCommand` class contains the following comment: ``` /** * The command uses POST but does not actually modify any state so it does not require CSRF. */ ``` However, this appears to be false (or no longer true). The expression being previewed (executed) can be written in GREL, Python, or Clojure. Since there are no restrictions on what code can be executed, the expression can do anything the user running OpenRefine can do. For instance, the following expressions start a calculator: ``` clojure:(.exec (Runtime/getRuntime) "gnome-calculator") ``` ``` jython:import os;os.system("gnome-calculator") ```...

### Summary The `/extension/gdata/authorized` endpoint includes the `state` GET parameter verbatim in a `<script>` tag in the output, so without escaping. An attacker could lead or redirect a user to a crafted URL containing JavaScript code, which would then cause that code to be executed in the victim's browser as if it was part of OpenRefine. ### Details The `state` GET parameter is read from: * extensions/gdata/module/MOD-INF/controller.js:105 It is used (as `$state`) in: * extensions/gdata/module/authorized.vt:43 There is no check that the state has the expected format (base64-encoded JSON with values like "openrefine123..." and "cb123..."), or that the page was indeed opened as part of the authorization flow. ### PoC Navigate to: http://localhost:3333/extension/gdata/authorized?state=%22,alert(1),%22&error= An alert box pops up. The gdata extension needs to be present. No other configuration is needed; specifically, it is not required to have a client ID or client...

All SaaS and marketplace setups using Aimeos version from 2024.04 up to 2024.07.1 are affected by a potential denial of service attack

XSS vulnerability in Edit Email Form Settings Feature to baserCMS. ### Target baserCMS 5.1.1 and earlier versions ### Vulnerability Malicious code may be executed in Edit Email Form Settings feature. ### Countermeasures Update to the latest version of baserCMS Please refer to the following page to reference for more information. https://basercms.net/security/JVN_00876083 ### Credits Ayato Shitomi＠Fore-Z

XSS vulnerability in Blog posts feature to baserCMS. ### Target baserCMS 5.1.1 and earlier versions ### Vulnerability Malicious code may be executed in Blog posts feature. ### Countermeasures Update to the latest version of baserCMS Please refer to the following page to reference for more information. https://basercms.net/security/JVN_00876083 ### Credits Ayato Shitomi＠Fore-Z

XSS vulnerability in HTTP 400 Bad Request to baserCMS. ### Target baserCMS 5.1.1 and earlier versions ### Vulnerability Malicious code may be executed in HTTP 400 Bad Request. ### Countermeasures Update to the latest version of baserCMS Please refer to the following page to reference for more information. https://basercms.net/security/JVN_00876083

XSS vulnerability in Blog posts and Contents list Feature to baserCMS. ### Target baserCMS 5.1.1 and earlier versions ### Vulnerability Malicious code may be executed in Blog posts and Contents list feature. ### Countermeasures Update to the latest version of baserCMS Please refer to the following page to reference for more information. https://basercms.net/security/JVN_00876083 ### Credits Kyohei Ota@LEON TECHNOLOGY,Inc.

North Korean hackers from Lazarus Group exploited a zero-day vulnerability in Google Chrome to target cryptocurrency investors with…

Cybersecurity researchers have discovered an advanced version of the Qilin ransomware sporting increased sophistication and tactics to evade detection. The new variant is being tracked by cybersecurity firm Halcyon under the moniker Qilin.B. "Notably, Qilin.B now supports AES-256-CTR encryption for systems with AESNI capabilities, while still retaining Chacha20 for systems that lack this support

When editing objects in the Syncope Console, incomplete HTML tags could be used to bypass HTML sanitization. This made it possible to inject stored XSS payloads which would trigger for other users during ordinary usage of the application. XSS payloads could also be injected in Syncope Enduser when editing “Personal Information” or “User Requests”: such payloads would trigger for administrators in Syncope Console, thus enabling session hijacking. Users are recommended to upgrade to version 3.0.9, which fixes this issue.