Security
Headlines
HeadlinesLatestCVEs

Tag

#auth

GHSA-7j9p-67mm-5g87: LTI 1.3 Grade Pass Back Implementation has Missing Authorization Vulnerability

### Problem TL;DR: Any LTI tool that is integrated with on the Open edX platform can post a grade back for any LTI XBlock so long as it knows or can guess the block location for that XBlock. In LTI 1.3, LTI tools can "pass back" scores that learners earn while using LTI tools to the edX platform. The edX platform then stores those LTI scores in a separate table. If the right conditions are met, these scores are then persisted to the LMS grades tables. LTI tools can create what are called "line items" on the edX platform. A line item can be thought of as a column in a grade book; it stores results for a specific activity (i.e. XBlock) for a specific set of users (i.e. users in the course using the XBlock). A line item has an optional resource_link_id field, which is basically the XBlock location. An LTI tool can supply any value for this field. An LTI tool submits scores to the edX platform for line items. The code that uploads that score to the LMS grade tables determines which XBlo...

ghsa
#vulnerability#git#auth
GHSA-wh2w-39f4-rpv2: Hyperledger Indy's update process of a DID does not check who signs the request

# Name Updating a DID with a nym transaction will be written to the ledger if neither ROLE or VERKEY are being changed, regardless of sender. # Description A malicious DID with no particular role can ask an update for another DID (but cannot modify its verkey or role). This is bad because: 1. Any DID can write a nym transaction to the ledger (i.e., any DID can spam the ledger with nym transactions). 1. Any DID can change any other DID's alias. 1. The update transaction modifies the ledger metadata associated with a DID. # Expected vs Observed We expect that if a DID (with no role) wants to update another DID (not its own or one it is the endorser), then the nodes should refuse the request. We can see that requirements in the [Indy default auth_rules](https://github.com/hyperledger/indy-node/blob/master/docs/source/auth_rules.md) in Section "Who is the owner" in the last point of "Endorser using". We observe that with a normal DID, we can update the field `from` for a random DID, ...

GNUnet P2P Framework 0.22.0

GNUnet is a peer-to-peer framework with focus on providing security. All peer-to-peer messages in the network are confidential and authenticated. The framework provides a transport abstraction layer and can currently encapsulate the network traffic in UDP (IPv4 and IPv6), TCP (IPv4 and IPv6), HTTP, or SMTP messages. GNUnet supports accounting to provide contributing nodes with better service. The primary service build on top of the framework is anonymous file sharing.

Water Billing Management System 1.0 Cross Site Request Forgery / File Upload

Water Billing Management System version 1.0 suffers from a cross site request forgery that enables an arbitrary file upload.

Webpay E-Commerce 1.0 Directory Traversal

Webpay E-Commerce version 1.0 suffers from a directory traversal vulnerability.

WordPress GetYourGuide Ticketing 1.0.6 Cross Site Scripting

WordPress GetYourGuide Ticketing plugin version 1.0.6 suffers from a cross site scripting vulnerability.

WordPress SeatReg 1.54.0 Open Redirection

WordPress SeatReg plugin version 1.54.0 suffers from an open redirection vulnerability.

WordPress WP Event Manager 3.1.44 Cross Site Scripting

WordPress WP Event Manager plugin version 3.1.44 suffers from a cross site scripting vulnerability.

Cyberattackers Exploit Google Sheets for Malware Control in Likely Espionage Campaign

Cybersecurity researchers have uncovered a novel malware campaign that leverages Google Sheets as a command-and-control (C2) mechanism. The activity, detected by Proofpoint starting August 5, 2024, impersonates tax authorities from governments in Europe, Asia, and the U.S., with the goal of targeting over 70 organizations worldwide by means of a bespoke tool called Voldemort that's equipped to