#git

The `spam` project on PyPI was taken over via user account compromise via a phishing attack and a new malicious release made which contained code which some environment variables and downloaded and ran malware at install time

opencv-python versions before v4.8.1.78 bundled libwebp binaries in wheels that are vulnerable to CVE-2023-4863. opencv-python v4.8.1.78 upgrades the bundled libwebp binary to v1.3.2.

opencv-contrib-python versions before v4.8.1.78 bundled libwebp binaries in wheels that are vulnerable to CVE-2023-4863. opencv-contrib-python v4.8.1.78 upgrades the bundled libwebp binary to v1.3.2.

opencv-python-headless versions before v4.8.1.78 bundled libwebp binaries in wheels that are vulnerable to CVE-2023-4863. opencv-python-headless v4.8.1.78 upgrades the bundled libwebp binary to v1.3.2.

opencv-contrib-python-headless versions before v4.8.1.78 bundled libwebp binaries in wheels that are vulnerable to CVE-2023-4863. opencv-contrib-python-headless v4.8.1.78 upgrades the bundled libwebp binary to v1.3.2.

gratient is a user-facing library for generating color gradients of text. Version 0.5 contained obfuscated, malicious code targeting Windows platforms, harvesting information and credentials from the user's system and sending them to a remote server. Services may include Mullvad VPN and Telegram.

The exotel project on PyPI was taken over via user account compromise via a phishing attack and a new malicious release made which contained code which some environment variables and downloaded and ran malware at install time

Adyen has utility methods for validating notification HMAC signatures. The `is_valid_hmac` and `is_valid_hmac_notification` methods are vulnerable to a timing attack, you should compare the hash of the HMACs instead.

### Summary GeoNode is vulnerable to an XML External Entity (XXE) injection in the style upload functionality of GeoServer leading to Arbitrary File Read. ### Details GeoNode's GeoServer has the ability to upload new styles for datasets through the [`dataset_style_upload` view](https://github.com/GeoNode/geonode/blob/99b0557da5c7db23c72ad39e466b88fe43edf82d/geonode/geoserver/urls.py#L70-L72). ```py # https://github.dev/GeoNode/geonode/blob/99b0557da5c7db23c72ad39e466b88fe43edf82d/geonode/geoserver/views.py#L158-L159 @login_required def dataset_style_upload(request, layername): def respond(*args, **kw): kw['content_type'] = 'text/html' return json_response(*args, **kw) ... sld = request.FILES['sld'].read() # 1 sld_name = None try: # Check SLD is valid ... sld_name = extract_name_from_sld(gs_catalog, sld, sld_file=request.FILES['sld']) # 2 except Exception as e: respond(errors=f"The uploaded SLD file is not valid X...

### Problem TL;DR: Any LTI tool that is integrated with on the Open edX platform can post a grade back for any LTI XBlock so long as it knows or can guess the block location for that XBlock. In LTI 1.3, LTI tools can "pass back" scores that learners earn while using LTI tools to the edX platform. The edX platform then stores those LTI scores in a separate table. If the right conditions are met, these scores are then persisted to the LMS grades tables. LTI tools can create what are called "line items" on the edX platform. A line item can be thought of as a column in a grade book; it stores results for a specific activity (i.e. XBlock) for a specific set of users (i.e. users in the course using the XBlock). A line item has an optional resource_link_id field, which is basically the XBlock location. An LTI tool can supply any value for this field. An LTI tool submits scores to the edX platform for line items. The code that uploads that score to the LMS grade tables determines which XBlo...