Security
Headlines
HeadlinesLatestCVEs

Tag

#git

GHSA-r55c-59qm-vjw6: REXML DoS vulnerability

### Impact The REXML gem before 3.3.2 has some DoS vulnerabilities when it parses an XML that has many specific characters such as whitespace character, `>]` and `]>`. If you need to parse untrusted XMLs, you may be impacted to these vulnerabilities. ### Patches The REXML gem 3.3.3 or later include the patches to fix these vulnerabilities. ### Workarounds Don't parse untrusted XMLs. ### References * https://github.com/ruby/rexml/security/advisories/GHSA-vg3r-rm7w-2xgh : This is a similar vulnerability * https://github.com/ruby/rexml/security/advisories/GHSA-4xqq-m2hx-25v8 : This is a similar vulnerability * https://www.ruby-lang.org/en/news/2024/08/01/dos-rexml-cve-2024-41123/: An announce on www.ruby-lang.org

ghsa
Open in Source
#vulnerability#web#git#ruby
GHSA-hrmx-8jjv-g758: Navidrome uses MD5 hashing algorithm

Use of insecure hashing algorithm in the Gravatar's service in Navidrome v0.52.3 allows attackers to manipulate a user's account information.

GHSA-3cpf-jmmc-8jm3: Concrete CMS vulnerable to Stored Cross-site Scripting

Concrete CMS versions 9.0.0 through 9.3.2 are affected by a stored XSS vulnerability in the generate dashboard board instance functionality. The Name input field does not check the input sufficiently letting a rogue administrator hav the capability to inject malicious JavaScript code. The Concrete CMS security team gave this vulnerability a CVSS v3.1 score of 3.1 with a vector of AV:N/AC:H/PR:H/UI:R/S:U/C:L/I:L/A:N https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator and a CVSS v4 score of 1.8 with a vector of CVSS:4.0/AV:N/AC:H/AT:N/PR:H/UI:A/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N Thanks fhAnso for reporting.

'Sitting Ducks' Attacks Create Hijacking Threat for Domain Name Owners

Researchers say the attacks are easy to perform, difficult to contact, nearly unrecognizable, and "entirely preventable."

Attackers Hijack Facebook Pages, Promote Malicious AI Photo Editor

A malvertising campaign uses phishing to steal legitimate account pages, with the endgame of delivering the Lumma stealer.

GHSA-67fw-w8f2-88wp: casdoor's use of`ssh.InsecureIgnoreHostKey()` disables host key verification

An issue discovered in casdoor v1.636.0 allows attackers to obtain sensitive information via the `ssh.InsecureIgnoreHostKey()` method.

GHSA-vw7g-3cc7-7rmh: cortex establishes TLS connections with `InsecureSkipVerify` set to `true`

A TLS certificate verification issue discovered in cortex v0.42.1 allows attackers to obtain sensitive information via the makeOperatorRequest function.

There is no real fix to the security issues recently found in GitHub and other similar software

The lesson for users, especially if you’re a private company that primarily uses GitHub, is just to understand the inherent dangers of using open-source software.

GHSA-vg67-chm7-8m3j: Mattermost allows remote actor to create/update/delete posts in arbitrary channels

Mattermost versions 9.9.x <= 9.9.0, 9.5.x <= 9.5.6, 9.7.x <= 9.7.5, 9.8.x <= 9.8.1 fail to properly validate synced posts, when shared channels are enabled,  which allows a malicious remote to create/update/delete arbitrary posts in arbitrary channels

GHSA-vg6q-84p8-qvqh: Mattermost allows a user on a remote to set their remote username prop to an arbitrary string

Mattermost versions 9.9.x <= 9.9.0, 9.5.x <= 9.5.6, 9.7.x <= 9.7.5, 9.8.x <= 9.8.1 fail to disallow users to set their own remote username, when shared channels were enabled, which allows a user on a remote to set their remote username prop to an arbitrary string, which would be then synced to the local server as long as the user hadn't been synced before.