Tag
#git
### Summary --- Attacker can upload a html file with malicious content. If user tries to open that file in browser malicious scripts can be executed leading Stored XSS(Cross-Site Script) attack. ### PoC --- NocoDB was configured using the Release Binary `Noco-macos-arm64`, and nocodb version 0.202.9 (currently the latest version) was used. binary hash infos: md5(164b727f287af56168bc16fba622d0b4) / sha256(43e8e97f4c5f5330613abe071a359f84e4514b7186f92954b678087c37b7832e) <img width="665" alt="image" src="https://user-images.githubusercontent.com/86613161/287472673-aeb60a02-2080-429f-8583-9f130ab62779.png"> ### 1. Run the binary to start the server and access the arbitrary table dashboard. <img width="830" alt="image" src="https://user-images.githubusercontent.com/86613161/287472852-98b2286e-ad66-45bf-b503-63780619d775.png"> Here, used the default `Features` table. ### 2. Click `+` in the table `field header` to add an `attachment` field. <img width="1173" alt="image" src="https://us...
## Summary Nokogiri v1.16.5 upgrades its dependency libxml2 to [2.12.7](https://gitlab.gnome.org/GNOME/libxml2/-/releases/v2.12.7) from 2.12.6. libxml2 v2.12.7 addresses CVE-2024-34459: - described at https://gitlab.gnome.org/GNOME/libxml2/-/issues/720 - patched by https://gitlab.gnome.org/GNOME/libxml2/-/commit/2876ac53 ## Impact There is no impact to Nokogiri users because the issue is present only in libxml2's `xmllint` tool which Nokogiri does not provide or expose. ## Timeline - 2024-05-13 05:57 EDT, libxml2 2.12.7 release is announced - 2024-05-13 08:30 EDT, nokogiri maintainers begin triage - 2024-05-13 10:05 EDT, nokogiri [v1.16.5 is released](https://github.com/sparklemotion/nokogiri/releases/tag/v1.16.5) and this GHSA made public
### Impact When opening a form in Valtimo, the access token (JWT) of the user is exposed to `api.form.io` via the the `x-jwt-token` header. An attacker can retrieve personal information from this token, or use it to execute requests to the Valtimo REST API on behalf of the logged-in user. This issue is caused by a misconfiguration of the Form.io component. ### Attack requirements ### The following conditions have to be met in order to perform this attack: - An attacker needs to have access to the network traffic on the `api.form.io` domain. - The content of the `x-jwt-token` header is logged or otherwise available to the attacker. - An attacker needs to have network access to the Valtimo API. - An attacker needs to act within the time-to-live of the access token. The default TTL in Keycloak is 5 minutes. ### Patches Versions 10.8.4, 11.1.6 and 11.2.2 have been patched
### Introduction In Matrix, the server-side *key backup* stores encrypted copies of Matrix message keys. This facilitates key sharing between a user's devices and provides a redundant copy in case all devices are lost. The key backup uses asymmetric cryptography, with each server-side key backup assigned a unique public-private key pair. ### Impact Due to a logic bug introduced in https://github.com/matrix-org/matrix-rust-sdk/pull/2961/commits/71136e44c03c79f80d6d1a2446673bc4d53a2067, the matrix-sdk-crypto crate version 0.7.0 will sometimes log the private part of the backup key pair to Rust debug logs (using the `tracing` crate). ### Patches This issue has been resolved in matrix-sdk-crypto [version 0.7.1](https://github.com/matrix-org/matrix-rust-sdk/releases/tag/matrix-sdk-crypto-0.7.1). ### Workarounds None. ### References - [crates.io release](https://crates.io/crates/matrix-sdk-crypto/0.7.1) ### For more information If you have any questions or comments about this adviso...
Improper escaping of a custom field's name allows an attacker to inject HTML and, if CSP settings permit, achieve execution of arbitrary JavaScript when: - resolving or closing issues (bug_change_status_page.php) belonging to a project linking said custom field - viewing issues (view_all_bug_page.php) when the custom field is displayed as a column - printing issues (print_all_bug_page.php) when the custom field is displayed as a column ### Impact Cross-site scripting (XSS). ### Patches https://github.com/mantisbt/mantisbt/commit/447a521aae0f82f791b8116a14a20e276df739be ### Workarounds Ensure Custom Field Names do not contain HTML tags. ### References - https://mantisbt.org/bugs/view.php?id=34432 - This is related to CVE-2020-25830 (same root cause, different affected pages)
By Cyber Newswire London, United Kingdom, May 13th, 2024, CyberNewsWire Logicalis, the global technology service provider delivering next-generation digital managed services,… This is a post from HackRead.com Read the original post: Logicalis enhances global security services with the launch of Intelligent Security
If an issue references a note that belongs to another issue that the user doesn't have access to, then it gets hyperlinked. Clicking on the link gives an access denied error as expected, yet some information remains available via the link, link label, and tooltip. ### Impact Disclosure of the following information: - existence of the note - note author name - note creation timestamp - issue id the note belongs to ### Patches See PR https://github.com/mantisbt/mantisbt/pull/2000 ### Workarounds None ### References https://mantisbt.org/bugs/view.php?id=34434
Tuesday’s verdict in the trial of Alexey Pertsev, a creator of crypto-privacy service Tornado Cash, is the first in a string of cases that could make it much harder to skirt financial surveillance.
## Description `llama-cpp-python` depends on class `Llama` in `llama.py` to load `.gguf` llama.cpp or Latency Machine Learning Models. The `__init__` constructor built in the `Llama` takes several parameters to configure the loading and running of the model. Other than `NUMA, LoRa settings`, `loading tokenizers,` and `hardware settings`, `__init__` also loads the `chat template` from targeted `.gguf` 's Metadata and furtherly parses it to `llama_chat_format.Jinja2ChatFormatter.to_chat_handler()` to construct the `self.chat_handler` for this model. Nevertheless, `Jinja2ChatFormatter` parse the `chat template` within the Metadate with sandbox-less `jinja2.Environment`, which is furthermore rendered in `__call__` to construct the `prompt` of interaction. This allows `jinja2` Server Side Template Injection which leads to RCE by a carefully constructed payload. ## Source-to-Sink ### `llama.py` -> `class Llama` -> `__init__`: ```python class Llama: """High-level Python wrapper for a ...
### Impact This vulnerability can spike the resource utilization of the STS service, and combined with a significant traffic volume could potentially lead to a denial of service. ### Patches This vulnerability existed in the repository at HEAD, we will cut a 0.1.0 release with the fix. ### Workarounds None ### References None