#git

### Impact（影響） There is an Access control vulnerability on the management system of Connect-CMS. Affected Version : Connect-CMS v1.8.6, 2.4.6 and earlier ### Patches（修正バージョン） version v1.8.7, v2.4.7 ### Workarounds（運用回避手段） Upgrade Connect-CMS to latest version

Version [3.12.0](https://github.com/ietf-tools/xml2rfc/blob/main/CHANGELOG.md#3120---2021-12-08) changed `xml2rfc` so that it would not access local files without the presence of its new `--allow-local-file-access` flag. This prevented XML External Entity (XXE) injection attacks with `xinclude` and XML entity references. It was discovered that `xml2rfc` does not respect `--allow-local-file-access` when a local file is specified as `src` in `artwork` or `sourcecode` elements. Furthermore, XML entity references can include any file inside the source dir and below without using the `--allow-local-file-access` flag. The `xml2rfc <= 3.26.0` behaviour: | | `xinclude` | XML entity reference | `artwork src=` | `sourcecode src=` | |---|---|---|---|---| | without `--allow-local-file-access` flag | No filesystem access | Any file in xml2rfc templates dir and below, any file in source directory and below | Access source directory and below | Access source directory and below | | with `--allow...

### Impact SFTPGo supports execution of a defined set of commands via SSH. Besides a set of default commands some optional commands can be activated, one of them being `rsync`: it is disabled in the default configuration and it is limited to the local filesystem, it does not work with cloud/remote storage backends. Due to missing sanitization of the client provided `rsync` command, an authenticated remote user can use some options of the rsync command to read or write files with the permissions of the SFTPGo server process. ### Patches This issue was fixed in version v2.6.5 by checking the client provided arguments. https://github.com/drakkan/sftpgo/commit/b347ab6051f6c501da205c09315fe99cd1fa3ba1

Description Summary Pimcore Admin Classic Bundle allows attackers to enumerate valid accounts because the Forgot password functionality uses different messages when the account is valid vs not. Details -> error message discloses existing accounts and leads to user enumeration on the target via "Forgot password" function. since no generic error message is being implemented. PoC  Enter first a valid account email address and click on submit  A green message validating the account exists is shown and a login link is sent to the email  now go back and use a random email from temp-mail to test with a non existant account  ![image]...

Security questionnaires serve as essential tools for building connections and trust in the digital realm. They help in…

A year after Google and Yahoo started requiring DMARC, the adoption rate of the email authentication specification has doubled; and yet, 87% of domains remain unprotected.

India's central bank, the Reserve Bank of India (RBI), said it's introducing an exclusive "bank.in" internet domain for banks in the country to combat digital financial fraud. "This initiative aims to reduce cyber security threats and malicious activities like phishing; and, streamline secure financial services, thereby enhancing trust in digital banking and payment services," the RBI said in a

At Microsoft, we are committed to fostering a secure and innovative environment for our customers and users. As part of this commitment, we are thrilled to announce significant updates to our Copilot (AI) Bounty Program. These changes are designed to enhance the program’s effectiveness, incentivize broader participation, and ensure that our Copilot consumer products remain robust, safe, and secure.