Security
Headlines
HeadlinesLatestCVEs

Latest News

GHSA-52cw-pvq9-9m5v: Silverstripe uses TinyMCE which allows svg files linked in object tags

### Impact TinyMCE v6 has a configuration value `convert_unsafe_embeds` set to `false` which allows svg files containing javascript to be used in `<object>` or `<embed>` tags, which can be used as a vector for XSS attacks. Note that `<embed>` tags are not allowed by default. After patching the default value of `convert_unsafe_embeds` will be set to `true`. This means that `<object>` tags will be converted to iframes instead the next time the page is saved, which may break any pages that rely upon previously saved `<object>` tags. Developers can override this configuration if desired to revert to the original behaviour. We reviewed the potential impact of this vulnerability within the context of Silverstripe CMS. We concluded this is a medium impact vulnerability given how TinyMCE is used by Silverstripe CMS. ### References: - https://www.silverstripe.org/download/security-releases/ss-2024-001 - https://github.com/advisories/GHSA-5359-pvf2-pw78

ghsa
#xss#vulnerability#git#java
GHSA-vmcp-66r5-3pcp: Steeltoe Leaks Basic Auth Credentials to Logs After Fetch Registry Error

### Summary When utilizing multiple Eureka server service URLs with basic auth and encountering an issue with fetching the service registry, an error is logged with the Eureka server service URLs but only the first URL is masked. ### Details Package: Steeltoe.Discovery.Eureka Package version: 3.2.1 Branch: "release/3.2" File name: `DiscoveryClient.cs` Line number: 325 Code in question: `_logger.LogError(e, "FetchRegistry Failed for Eureka service urls: {EurekaServerServiceUrls}", new Uri(ClientConfig.EurekaServerServiceUrls).ToMaskedString());` Error message in logs: `FetchRegistry Failed for Eureka service urls: https://****:****@eureka1.com:443/eureka,https://user:[email protected]:443/eureka` I thought `new Uri(clientOptions.EurekaServerServiceUrls)` would throw a `UriFormatException` since there are multiple URLs but my logs are showing two URLs regardless. ### PoC 1. Set Eureka config with multiple server URLs with basic auth 2. Apologies for not being more descriptive fo...

GHSA-p3f3-5ccg-83xq: dbt has an implicit override for built-in materializations from installed packages

### Impact _What kind of vulnerability is it? Who is impacted?_ When a user installs a [package](https://docs.getdbt.com/docs/build/packages) in dbt, it has the ability to override macros, materializations, and other core components of dbt. This is by design, as it allows packages to extend and customize dbt's functionality. However, this also means that a malicious package could potentially override these components with harmful code. ### Patches _Has the problem been patched? What versions should users upgrade to?_ Fixed on 1.8.0, and patched for 1.6.14 and 1.7.14 releases. ### Workarounds _Is there a way for users to fix or remediate the vulnerability without upgrading?_ Previously, a materialization defined in a package that shared a name with one of the built-in materializations would be preferred by default, without user action which is surprising and makes it more difficult to detect the insecure behaviour. We've changed the default behaviour to require explicit overrides b...

Orgs Are Finally Making Moves to Mitigate GenAI Risks

With AI use ramping up rapidly, a growing number of enterprise security teams have begun putting controls in place to protect sensitive data from accidental exposure and leaks.

GHSA-ghgq-x6wc-6jr5: Zowe CLI allows storage of previously entered secure credentials in a plaintext file

A vulnerability in Zowe CLI allows local, privileged actors to store previously entered secure credentials in a plaintext file as part of an auto-init operation.

GHSA-2rwm-xv5j-777p: Eclipse Parsson stack overflow when parsing deeply nested input

In Eclipse Parsson before 1.0.4 and 1.1.3, a document with a large depth of nested objects can allow an attacker to cause a Java stack overflow exception and denial of service. Eclipse Parsson allows processing (e.g. parse, generate, transform and query) JSON documents.

'BadPack' APK Files Make Android Malware Hard to Detect

Manipulated header info within files, in mobile Trojans like TeaBot and others, makes it difficult for defenders to analyze and detect them.

GHSA-55rf-8q29-4g43: Sylius has a security vulnerability via adjustments API endpoint

### Impact A security vulnerability was discovered in the `/api/v2/shop/adjustments/{id}` endpoint, which retrieves order adjustments based on incremental integer IDs. The vulnerability allows an attacker to enumerate valid adjustment IDs and retrieve order tokens. Using these tokens, an attacker can access guest customer order details - sensitive guest customer information. ### Patches The issue is fixed in versions: 1.12.19, 1.13.4 and above. The `/api/v2/shop/adjustments/{id}` will always return `404` status. ### Workarounds Using YAML configuration: Create `config/api_platform/Adjustment.yaml` file: ```yaml # config/api_platform/Adjustment.yaml '%sylius.model.adjustment.class%': itemOperations: shop_get: controller: ApiPlatform\Core\Action\NotFoundAction read: false output: false ``` Or using XML configuration: Copy the original configuration from vendor: ```bash cp vendor/sylius/sylius/src/Sylius/Bundle/ApiBundle/Resources/...

GHSA-chx7-9x8h-r5mg: Silverstripe Framework has a Cross-site Scripting vulnerability with encoded payload

### Impact A bad actor with access to edit content in the CMS could send a specifically crafted encoded payload to the server, which could be used to inject a JavaScript payload on the front end of the site. The payload would be sanitised on the client-side, but server-side sanitisation doesn't catch it. The server-side sanitisation logic has been updated to sanitise against this type of attack. ### References - https://www.silverstripe.org/download/security-releases/cve-2024-32981

GHSA-89q6-98xx-4ffw: Silverstripe Reports are still accessible even when `canView()` returns false

Reports can be accessed by their direct URL by any user who has access to view the reports admin section, even if the `canView()` method for that report returns `false`. ## References - https://www.silverstripe.org/download/security-releases/cve-2024-29885