Tag
#auth
exec.CommandContext in Chaosblade 0.3 through 1.7.3, when server mode is used, allows OS command execution via the cmd parameter without authentication.
Hackers sent a convincing lure document, but after 20 years of similar attacks, the target organization was well prepared.
Online Traffic Offense version 1.0 suffers from cross-site request forgery and arbitrary file upload vulnerabilities.
A vulnerability has been discovered and fixed in Mesop that could potentially allow unauthorized access to files on the server hosting the Mesop application. The vulnerability was related to insufficient input validation in a specific endpoint. This could have allowed an attacker to access files not intended to be served. Users are strongly advised to update to the latest version of Mesop immediately. The latest version includes a fix for this vulnerability. We would like to thank @Letm3through for reporting this issue and proposing mitigations to address this issue.
## Background

Multiple caveats over the same indirect subject type on the same relation can result in no permission being returned when permission is expected. For example, given this schema:

```
definition user {}

caveat somecaveat(somefield int) {
  somefield == 42
}

definition group {
  relation member: user
}

definition resource {
  relation viewer: group#member with somecaveat
  permission view = folder->view
}
```

If the resource has multiple groups, and each group is caveated, it is possible for the returned permission to be "no permission" when permission is expected.

## Impact

Permission is returned as NO_PERMISSION when PERMISSION is expected on the CheckPermission API.

## Workarounds

Do not use caveats, or do not use caveats on an indirect subject type with multiple entries.
### Impact

If you're relying on blocking access to localhost using the default `0.0.0.0` filter, this can be bypassed using other registered loopback addresses (like `127.0.0.2` - `127.127.127.127`).

### Workaround

You can block this bypass by manually adding the `127.0.0.0/8` CIDR range, which will block access to any `127.X.X.X` IP instead of just `127.0.0.1`.
Despite security updates to protect data, 45% of total enterprise instances of the cloud-based IT management platform leaked PII, internal system details, and active credentials over the past year.
Scammers are creating fake Walmart virtual shopping lists that look like a contact page for customer service.
### Impact

A bad regular expression is generated any time you have two parameters within a single segment and add a `-` at the end, like `/:a-:b-`.

### Patches

Update to find-my-way v8.2.2 or v9.0.1, or subsequent versions.

### Workarounds

No known workarounds.

### References

- [CVE-2024-45296](https://github.com/advisories/GHSA-9wv6-86v2-598j)
- [Detailed blog post about `path-to-regexp` vulnerability](https://blakeembrey.com/posts/2024-09-web-redos/)
The [actions](https://github.com/owen2345/camaleon-cms/blob/feccb96e542319ed608acd3a16fa5d92f13ede67/app/controllers/camaleon_cms/admin/media_controller.rb#L51-L52) defined inside of the MediaController class do not check whether a given path is inside a certain path (e.g. inside the media folder). If an attacker performed an account takeover of an administrator account (see GHSL-2024-184), they could delete arbitrary files or folders on the server hosting Camaleon CMS. The [crop_url](https://github.com/owen2345/camaleon-cms/blob/feccb96e542319ed608acd3a16fa5d92f13ede67/app/controllers/camaleon_cms/admin/media_controller.rb#L64-L65) action might make arbitrary file writes (similar impact to GHSL-2024-182) possible for any authenticated user, but it doesn't seem to work currently.

Arbitrary file deletion can be exploited with the following code path. The parameter `folder` flows from the `actions` method:

```ruby
def actions
  authorize! :manage, :media
  if params[:media_action] != 'crop_ur...
```