Latest News

The FTC is targeting data brokers that monitored people’s movements during protests and around US military installations. But signs suggest the Trump administration will be far more lenient.

Stanislav Moiseyev, the organizer of the notorious Hydra Market, has been sentenced to life imprisonment by a Moscow court. Learn about the massive scale of this dark web marketplace and the international efforts to dismantle it.

When programmer Micah Lee was kicked off X for a post that offended Elon Musk, he didn't look back. His new tool for saving and deleting your X posts can give you that same sweet release.

### Summary The application allows users to upload files with scripts in the filename parameter. As a result, a malicious user can upload a script file to the system. When users in the application use the "Diff or Compare" functionality, they are affected by a Stored Cross-Site Scripting vulnerability. ### Details I found a Stored Cross-Site Scripting vulnerability in the "Diff or Compare" functionality. This issue occurs because the upload functionality allows users to upload files with special characters such as <, >, /, and " in the filename. This vulnerability can be mitigated by restricting file uploads to filenames containing only whitelisted characters, such as A-Z, 0-9, and specific special characters permitted by business requirements, like - or _ . ### PoC _Complete instructions, including specific configuration details, to reproduce the vulnerability._ 1. On MobSF version 4.2.8, I clicked on "Unload & Analyze" button. ![0](https://github.com/user-attachments/assets/489013...

### Impact The Sliding Sync feature on Synapse versions between 1.113.0rc1 and 1.120.0 can leak partial room state changes to users no longer in a room. Non-state events, like messages, are unaffected. ### Patches Synapse version 1.120.1 fixes the problem. ### Workarounds Disable Sliding Sync. ### References https://github.com/matrix-org/matrix-spec-proposals/pull/4186 https://github.com/element-hq/synapse/blob/d80cd57c54427687afcb48740d99219c88a0fff1/synapse/config/experimental.py#L341-L344 ### For more information If you have any questions or comments about this advisory, please email us at [security at element.io](mailto:[email protected]).

### Impact In Synapse versions before 1.120.1, enabling the `dynamic_thumbnails` option or processing a specially crafted request could trigger the decoding and thumbnail generation of uncommon image formats, potentially invoking external tools like Ghostscript for processing. This significantly expands the attack surface in a historically vulnerable area, presenting a risk that far outweighs the benefit, particularly since these formats are rarely used on the open web or within the Matrix ecosystem. For a list of image formats, as well as decoding libraries and helper programs used, see [the Pillow documentation](https://pillow.readthedocs.io/en/stable/handbook/image-file-formats.html). ### Patches Synapse 1.120.1 addresses the issue by restricting thumbnail generation to images in the following widely used formats: PNG, JPEG, GIF, and WebP. ### Workarounds - Ensure any image codecs and helper programs, such as Ghostscript, are patched against security vulnerabilities. - Uninst...

### Summary The `/debug/querylogz` and `/debug/env` pages for `vtgate` and `vttablet` do not properly escape user input. The result is that queries executed by Vitess can write HTML into the monitoring page at will. ### Details These pages are rendered using `text/template` instead of rendering with a proper HTML templating engine. ### PoC Execute any query where part of it is HTML markup, for example as part of a string. To make it easier to observe you might want to make sure the query takes a few seconds to complete, giving you time to refresh the status page. Example query that can trigger the issue: ```sql UPDATE users SET email = CONCAT("<img src=https://cataas.com/cat/says/oops>", users.idUser, "@xxx") WHERE email NOT LIKE '%xxx%' AND email != "[email protected]" ``` Result:  ### Impact Anyone looking at the Vitess status page is affected. This would normally be owners / admi...

### Impact Synapse versions before 1.120.1 fail to properly validate invites received over federation. This vulnerability allows a malicious server to send a specially crafted invite that disrupts the invited user's `/sync` functionality. ### Patches Synapse 1.120.1 rejects such invalid invites received over federation and restores the ability to sync for affected users. ### Workarounds Server administrators can disable federation from untrusted servers. ### For more information If you have any questions or comments about this advisory, please email us at [security at element.io](mailto:[email protected]).

Consumers are getting caught in a web of scams facilitated by online ads often originating from the same perpetrators.

### Impact In Synapse before 1.120.1, `multipart/form-data` requests can in certain configurations transiently increase memory consumption beyond expected levels while processing the request, which can be used to amplify denial of service attacks. ### Patches Synapse 1.120.1 resolves the issue by denying requests with unsupported `multipart/form-data` content type. ### Workarounds Limiting request sizes or blocking the `multipart/form-data` content type before the requests reach Synapse, for example in a reverse proxy, alleviates the issue. Another approach that mitigates the attack is to use a low `max_upload_size` in Synapse. ### References - https://github.com/twisted/twisted/issues/4688#issuecomment-1167705518 - https://github.com/twisted/twisted/issues/4688#issuecomment-2385711609 ### For more information If you have any questions or comments about this advisory, please email us at [security at element.io](mailto:[email protected]).