Security
Headlines
HeadlinesLatestCVEs

Latest News

GHSA-rx9f-5ggv-5rh6: Decidim::Admin vulnerable to cross-site scripting (XSS) in the admin activity log

### Impact The admin panel is subject to potential XSS attach in case an admin assigns a valuator to a proposal, or does any other action that generates an admin activity log where one of the resources has an XSS crafted. ### Patches N/A ### Workarounds Redirect the pages /admin and /admin/logs to other admin pages to prevent this access (i.e. `/admin/organization/edit`) ### References OWASP ASVS v4.0.3-5.1.3

ghsa
Open in Source
#xss#git
Name That Toon: Tug of War

Feeling creative? Submit your caption and our panel of experts will reward the winner with a $25 Amazon gift card.

Apple’s New Passwords App May Solve Your Login Nightmares

Apple is launching its first stand-alone password manager app in iOS 18. Here’s what you need to know.

GHSA-xgq9-7gw6-jr5r: Mattermost Desktop App fails to sufficiently configure Electron Fuses

Mattermost Desktop App versions <=5.8.0 fail to sufficiently configure Electron Fuses which allows an attacker to gather Chromium cookies or abuse other misconfigurations via remote/local access.

GHSA-5777-rcjj-9p22: Mattermost Desktop App fails to safeguard screen capture functionality

Mattermost Desktop App versions <=5.8.0 fail to safeguard screen capture functionality which allows an attacker to silently capture high-quality screenshots via JavaScript APIs.

GHSA-46hr-3cq3-mcgp: OpenDaylight Authentication, Authorization and Accounting (AAA) peer impersonation vulnerability

An issue was discovered in OpenDaylight Authentication, Authorization and Accounting (AAA) through 0.19.3. A rogue controller can join a cluster to impersonate an offline peer, even if this rogue controller does not possess the complete cluster configuration information.

GHSA-wj4j-qc2m-fgh7: Mattermost Desktop App Uncontrolled Search Path Vulnerability

Mattermost Desktop App versions <=5.8.0 fail to specify an absolute path when searching the cmd.exe file, which allows a local attacker who is able to put an cmd.exe file in the Downloads folder of a user's machine to cause remote code execution on that machine.

GHSA-3xq2-w6j4-c99r: Apache Seata Deserialization of Untrusted Data vulnerability

Deserialization of Untrusted Data vulnerability in Apache Seata.  When developers disable authentication on the Seata-Server and do not use the Seata client SDK dependencies, they may construct uncontrolled serialized malicious requests by directly sending bytecode based on the Seata private protocol. This issue affects Apache Seata: 2.0.0, from 1.0.0 through 1.8.0. Users are recommended to upgrade to version 2.1.0/1.8.1, which fixes the issue.

GHSA-hv38-h5pj-c96j: OpenDaylight Model-Driven Service Abstraction Layer (MD-SAL) allows follower controller to set up flow entries

In OpenDaylight Model-Driven Service Abstraction Layer (MD-SAL) through 13.0.1, a controller with a follower role can configure flow entries in an OpenDaylight clustering deployment.

GHSA-mrmh-3hqh-pfw7: Composio Code Injection Vulnerability

A vulnerability has been found in composiohq composio up to 0.5.6 and classified as critical. Affected by this vulnerability is the function Calculator of the file python/composio/tools/local/mathematical/actions/calculator.py. The manipulation leads to code injection. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.