Tag
#git
### Impact In mitmweb 11.1.0 and below, a malicious client can use mitmweb's proxy server (bound to `*:8080` by default) to access mitmweb's internal API (bound to `127.0.0.1:8081` by default). In other words, while the client cannot access the API directly (good), they can access the API through the proxy (bad). An attacker may be able to escalate this [SSRF](https://en.wikipedia.org/wiki/Server-side_request_forgery)-style access to remote code execution. The mitmproxy and mitmdump tools are unaffected. Only mitmweb is affected. The `block_global` option, which is enabled by default, blocks connections originating from publicly-routable IP addresses in the proxy. The attacker needs to be in the same local network. ### Patches The vulnerability has been fixed in mitmproxy 11.1.2 and above. ### Acknowledgements We thank Stefan Grönke (@gronke) for reporting this vulnerability as part of a security audit by [Radically Open Security](https://www.radicallyopensecurity.com/). This audi...
UAC-0006, a financially motivated threat actor, targets PrivatBank customers with advanced phishing attacks. CloudSEK’s research reveals malicious emails…
Similarly to CVE-2024-34055, Apache James is vulnerable to denial of service through the abuse of IMAP literals from both authenticated and unauthenticated users, which could be used to cause unbounded memory allocation and very long computations Version 3.7.6 and 3.8.2 restrict such illegitimate use of IMAP literals.
A technical overview of Cisco Talos' investigations into Google Cloud Platform Cloud Build, and the threat surface posed by the storage permission family.
Malvertisers got inspired by the website for a German university to bypass ad security and distribute malware.
The gaming industry has grown into a massive global market, with millions of players engaging in online multiplayer…
### Summary The better-auth `/api/auth/error` page was vulnerable to HTML injection, resulting in a reflected cross-site scripting (XSS) vulnerability. ### Details The value of `error` URL parameter was reflected as HTML on the error page: https://github.com/better-auth/better-auth/blob/05ada0b79dbcac93cc04ceb79b23ca598d07830c/packages/better-auth/src/api/routes/error.ts#L81 ### PoC https://demo.better-auth.com/api/auth/error?error=%3Cscript%3Ealert(1)%3C/script%3E  ### Impact An attacker who exploited this vulnerability by coercing a user to visit a specially-crafted URL could execute arbitrary JavaScript in the context of the user's browser. Because better-auth is a dependency of web applications, the impact of such a vulnerability is unknowable; it depends on the functionality of the application/site using better-auth. I have calculated the CVSS score assuming the hypothetical victim is an...
### Summary While pushing a file via postLocal method if user add javascript code in file parameter that codes can exe in v8go context. ### Details While posting a file via postLocal, any attacker will add javascript codes to file parameter. That parameter content pass to componentSignature method after some validation. After that componentSignature parameter concat with ssrStr parameter. <img width="1145" alt="image" src="https://github.com/user-attachments/assets/a08a3fe5-2fbd-4a05-b93c-2ad127e6ee81" /> Last part of compileSvelte function ssrStr parameter executed in v8go engine. <img width="754" alt="image" src="https://github.com/user-attachments/assets/4e622761-3324-48d6-8264-6dd6e09055af" /> This cause to any one who can post a file also can push javascript code and run it. Thanks to v8go we can't use all javascript metod, if there is no any vulnerability in v8go we can't escape sandbox and can't run dangerous command like opening socket etc. But we can create infinite loop ...
### Impact Recovering coordinators do not verify the seed provided by the recovering party. This allows an attacker to set up a coordinator with a manifest that passes validation, but with a secret seed controlled by the attacker. If network traffic is redirected from the legitimate coordinator to the attacker's coordinator, a workload owner is susceptible to impersonation if either * they `set` a new manifest and don't compare the root CA cert with the existing one (this is the default of the `contrast` CLI) or * they `verify` the coordinator and don't compare the root CA cert with a trusted reference. Under these circumstances, the attacker can: * Issue certificates that chain back to the attacker coordinator's root CA. * Recover arbitrary workload secrets of workloads deployed after the attack. This issue does **not** affect the following: * secrets of the legitimate coordinator (seed, workload secrets, CA) * integrity of workloads, even when used with the rogue coordinator...
The env option `KC_CACHE_EMBEDDED_MTLS_ENABLED` does not work and the jgroups replication configuration is always used in plain. This option worked before in 24 and 22. More info in public issue https://github.com/keycloak/keycloak/issues/34644.