Latest News
### Impact - Information that is restricted from viewing in the search results of site searches (※) can still be viewed via the main text (a feature added in v1.8.0). - Impact by version - v1.8.0 ~ v1.8.3: It will be displayed in the text. - v1.8.0 and earlier: It will not be displayed in the body of the text, but the title (frame name) will be displayed with a link. - Target viewing restriction function - Frame publishing function (private, limited publishing) - IP Restriction Page - Password setting page ### Patches (fixed version) - Apply v1.8.4. ### Workarounds - Remove the site search (e.g. hide frames).。 ### References none
### Impact(影響) There is an Access control vulnerability on the management system of Connect-CMS. Affected Version : Connect-CMS v1.8.6, 2.4.6 and earlier ### Patches(修正バージョン) version v1.8.7, v2.4.7 ### Workarounds(運用回避手段) Upgrade Connect-CMS to latest version
Version [3.12.0](https://github.com/ietf-tools/xml2rfc/blob/main/CHANGELOG.md#3120---2021-12-08) changed `xml2rfc` so that it would not access local files without the presence of its new `--allow-local-file-access` flag. This prevented XML External Entity (XXE) injection attacks with `xinclude` and XML entity references. It was discovered that `xml2rfc` does not respect `--allow-local-file-access` when a local file is specified as `src` in `artwork` or `sourcecode` elements. Furthermore, XML entity references can include any file inside the source dir and below without using the `--allow-local-file-access` flag. The `xml2rfc <= 3.26.0` behaviour: | | `xinclude` | XML entity reference | `artwork src=` | `sourcecode src=` | |---|---|---|---|---| | without `--allow-local-file-access` flag | No filesystem access | Any file in xml2rfc templates dir and below, any file in source directory and below | Access source directory and below | Access source directory and below | | with `--allow...
### Impact SFTPGo supports execution of a defined set of commands via SSH. Besides a set of default commands some optional commands can be activated, one of them being `rsync`: it is disabled in the default configuration and it is limited to the local filesystem, it does not work with cloud/remote storage backends. Due to missing sanitization of the client provided `rsync` command, an authenticated remote user can use some options of the rsync command to read or write files with the permissions of the SFTPGo server process. ### Patches This issue was fixed in version v2.6.5 by checking the client provided arguments. https://github.com/drakkan/sftpgo/commit/b347ab6051f6c501da205c09315fe99cd1fa3ba1
The secret use of other people's generative AI platforms, wherein hijackers gain unauthorized access to an LLM while someone else foots the bill, is getting quicker and stealthier by the month.
Description Summary Pimcore Admin Classic Bundle allows attackers to enumerate valid accounts because the Forgot password functionality uses different messages when the account is valid vs not. Details -> error message discloses existing accounts and leads to user enumeration on the target via "Forgot password" function. since no generic error message is being implemented. PoC  Enter first a valid account email address and click on submit  A green message validating the account exists is shown and a login link is sent to the email  now go back and use a random email from temp-mail to test with a non existant account  ![image]...
Five years after a Russian APT infiltrated a software update to gain access to thousands of SolarWinds customers, the board has voted unanimously to sell at a top valuation and plans for uninterrupted operations.
Developers are pulling in publicly available ASP.NET keys into their environments, without realizing that cyberattackers can use them for clandestine code injection.
Security questionnaires serve as essential tools for building connections and trust in the digital realm. They help in…