Security Headlines

Tag: #git
GHSA-hrmx-8jjv-g758: Navidrome uses MD5 hashing algorithm

Use of an insecure hashing algorithm (MD5) in the Gravatar integration of Navidrome v0.52.3 allows attackers to manipulate a user's account information.

GHSA-3cpf-jmmc-8jm3: Concrete CMS vulnerable to Stored Cross-site Scripting

Concrete CMS versions 9.0.0 through 9.3.2 are affected by a stored XSS vulnerability in the generate dashboard board instance functionality. The Name input field does not sufficiently validate its input, letting a rogue administrator inject malicious JavaScript code. The Concrete CMS security team gave this vulnerability a CVSS v3.1 score of 3.1 with a vector of AV:N/AC:H/PR:H/UI:R/S:U/C:L/I:L/A:N (https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator) and a CVSS v4 score of 1.8 with a vector of CVSS:4.0/AV:N/AC:H/AT:N/PR:H/UI:A/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N. Thanks to fhAnso for reporting.

'Sitting Ducks' Attacks Create Hijacking Threat for Domain Name Owners

Researchers say the attacks are easy to perform, difficult to detect, nearly unrecognizable, and "entirely preventable."

Attackers Hijack Facebook Pages, Promote Malicious AI Photo Editor

A malvertising campaign uses phishing to steal legitimate account pages, with the endgame of delivering the Lumma stealer.

GHSA-67fw-w8f2-88wp: casdoor's use of `ssh.InsecureIgnoreHostKey()` disables host key verification

casdoor v1.636.0 uses `ssh.InsecureIgnoreHostKey()` as the host key callback for its SSH connections, so the identity of the SSH server is never verified; an attacker positioned in the network path can impersonate the server and obtain sensitive information.

GHSA-vw7g-3cc7-7rmh: cortex establishes TLS connections with `InsecureSkipVerify` set to `true`

cortex v0.42.1 establishes TLS connections in the makeOperatorRequest function with `InsecureSkipVerify` set to `true`, so the peer's certificate is never verified; an attacker able to intercept the connection can impersonate the operator endpoint and obtain sensitive information.
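The two Go advisories above (casdoor's `ssh.InsecureIgnoreHostKey()` and cortex's `InsecureSkipVerify: true`) are the same failure class: the client never checks who it is talking to, so anyone in the path can stand in for the real peer. The following is an added example, not code from casdoor, cortex or any other project, showing the TLS case with Go's standard library: an "operator" server and an "attacker" server with unrelated self-signed certificates, a client config with the weak setting, and a client config pinned to the operator's certificate. The helper names (`selfSignedCert`, `startServer`, `InsecureConfig`, `PinnedConfig`, `RunDemo`) and the constructed servers are assumptions of this example. For the SSH case the equivalent fix is to replace `ssh.InsecureIgnoreHostKey()` with a real `HostKeyCallback`, for instance one built from a known_hosts file.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"io"
	"math/big"
	"net"
	"net/http"
	"net/http/httptest"
	"time"
)

// selfSignedCert builds a throwaway self-signed certificate for 127.0.0.1
// (constructed for this example). Two of them stand in for two different
// parties: the real operator endpoint and an attacker in the path.
func selfSignedCert(cn string) tls.Certificate {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	serial, _ := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 62))
	tmpl := &x509.Certificate{
		SerialNumber:          serial,
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(time.Hour),
		KeyUsage:              x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		BasicConstraintsValid: true,
		IsCA:                  true,
		IPAddresses:           []net.IP{net.ParseIP("127.0.0.1")},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		panic(err)
	}
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key}
}

// startServer runs a local HTTPS server that presents the given certificate.
func startServer(cert tls.Certificate, body string) *httptest.Server {
	srv := httptest.NewUnstartedServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		io.WriteString(w, body)
	}))
	srv.TLS = &tls.Config{Certificates: []tls.Certificate{cert}}
	srv.StartTLS()
	return srv
}

// InsecureConfig is the weak setting from the advisory: any certificate is
// accepted, so the client cannot tell the operator from an impostor.
func InsecureConfig() *tls.Config {
	return &tls.Config{InsecureSkipVerify: true} // never ship this
}

// PinnedConfig is the corrected setting: only certificates chaining to the
// supplied trust anchor (here the operator's own certificate) are accepted.
func PinnedConfig(ca *x509.Certificate) *tls.Config {
	pool := x509.NewCertPool()
	pool.AddCert(ca)
	return &tls.Config{RootCAs: pool, MinVersion: tls.VersionTLS12}
}

// accepts reports whether a client using cfg completes a TLS handshake and
// request against url; a verification failure surfaces as an error.
func accepts(url string, cfg *tls.Config) bool {
	tr := &http.Transport{TLSClientConfig: cfg}
	defer tr.CloseIdleConnections()
	resp, err := (&http.Client{Transport: tr, Timeout: 5 * time.Second}).Get(url)
	if err != nil {
		return false
	}
	defer resp.Body.Close()
	_, err = io.ReadAll(resp.Body)
	return err == nil
}

// Outcome records which server each client configuration was willing to talk to.
type Outcome struct {
	InsecureAcceptsOperator, InsecureAcceptsAttacker bool
	PinnedAcceptsOperator, PinnedAcceptsAttacker     bool
}

// RunDemo starts the two servers and tries both client configs against each.
func RunDemo() Outcome {
	operator := startServer(selfSignedCert("operator"), "operator data")
	defer operator.Close()
	attacker := startServer(selfSignedCert("attacker"), "attacker data")
	defer attacker.Close()
	pinned := PinnedConfig(operator.Certificate())
	return Outcome{
		InsecureAcceptsOperator: accepts(operator.URL, InsecureConfig()),
		InsecureAcceptsAttacker: accepts(attacker.URL, InsecureConfig()),
		PinnedAcceptsOperator:   accepts(operator.URL, pinned),
		PinnedAcceptsAttacker:   accepts(attacker.URL, pinned),
	}
}

func main() {
	fmt.Printf("%+v\n", RunDemo())
}
```

The insecure client happily talks to both servers; the pinned client accepts the operator and fails the handshake against the attacker with an "unknown authority" error, which is the check `InsecureSkipVerify: true` switches off. In production the trust anchor would be the organisation's CA rather than the server's own certificate, but the shape of the fix is the same: a populated `RootCAs` pool (or the system roots) and no `InsecureSkipVerify`.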

There is no real fix to the security issues recently found in GitHub and other similar software

The lesson for users, especially if you’re a private company that primarily uses GitHub, is just to understand the inherent dangers of using open-source software.

GHSA-vg67-chm7-8m3j: Mattermost allows remote actor to create/update/delete posts in arbitrary channels

Mattermost versions 9.9.x <= 9.9.0, 9.5.x <= 9.5.6, 9.7.x <= 9.7.5, 9.8.x <= 9.8.1 fail to properly validate synced posts when shared channels are enabled, which allows a malicious remote to create, update or delete arbitrary posts in arbitrary channels.

GHSA-vg6q-84p8-qvqh: Mattermost allows a user on a remote to set their remote username prop to an arbitrary string

Mattermost versions 9.9.x <= 9.9.0, 9.5.x <= 9.5.6, 9.7.x <= 9.7.5, 9.8.x <= 9.8.1 fail to prevent users from setting their own remote username when shared channels are enabled, which allows a user on a remote to set their remote username prop to an arbitrary string that is then synced to the local server as long as the user has not been synced before.

GHSA-762m-4cx6-6mf4: Mattermost allows a remote actor to permanently delete local data by abusing dangerous error handling

Mattermost versions 9.9.x <= 9.9.0, 9.5.x <= 9.5.6, 9.7.x <= 9.7.5, 9.8.x <= 9.8.1 fail to properly safeguard an error-handling path when shared channels are enabled, which allows a malicious remote to permanently delete local data by abusing that dangerous error handling.