#git

Before version 3.7 the bundle is vulnerable to a [security issue in JWT](https://auth0.com/blog/critical-vulnerabilities-in-json-web-token-libraries/), which can be exploited by an attacker to generate trusted device cookies on their own, effectively by-passing two-factor authentication.

### Impact When restoring the cookie from the session store, the `expires` field is overriden if the `maxAge` field was set. This means a cookie is never correctly detected as expired and thus expired sessions are not destroyed. ### Patches Updating to v10.9.0 will solve this. ### Workarounds None ### References Publicly reported at: https://github.com/fastify/session/issues/251

### Summary By default, the Redis database server is not password-protected. Consequently, an attacker with access to the Redis server can gain read/write access to the data in Redis. The attacker can also modify the "mfst" (manifest) key to cause ArgoCD to execute any deployment, potentially leveraging ArgoCD's high privileges to take over the cluster. Updating the "cacheEntryHash" in the manifest JSON is necessary, but since it doesn't use a private key for signing its integrity, a simple script can generate a new FNV64a hash matching the new manifest values. The repo-server, unable to verify if its cache is compromised, will read the altered "mfst" key and initiate an update process for the injected deployment. It's also possible to edit the "app|resources-tree" key, causing the ArgoCD server to load any Kubernetes resource into the live manifest section of the app preview. This could lead to an information leak. The fact that the cache in Redis is neither signed nor validated, co...

GitHub has rolled out fixes to address a maximum severity flaw in the GitHub Enterprise Server (GHES) that could allow an attacker to bypass authentication protections. Tracked as CVE-2024-4985 (CVSS score: 10.0), the issue could permit unauthorized access to an instance without requiring prior authentication. "On instances that use SAML single sign-on (SSO) authentication with the

### Impact When storing unbounded types in a `BTreeMap`, a node is represented as a linked list of "memory chunks". It was discovered recently that when we deallocate a node, in some cases only the first memory chunk is deallocated, and the rest of the memory chunks remain (incorrectly) allocated, causing a memory leak. In the worst case, depending on how a canister uses the `BTreeMap`, an adversary could interact with the canister through its API and trigger interactions with the map that keep consuming memory due to the memory leak. This could potentially lead to using an excessive amount of memory, or even running out of memory. This issue has been fixed in #212 by changing the logic for deallocating nodes to ensure that all of a node's memory chunks are deallocated. Tests have been added to prevent regressions of this nature moving forward. **Note:** Users of stable-structure < 0.6.0 are not affected. ### Patches The problem has been fixed in PR #212 and users are asked to upg...

### Impact Stored Cross-site scripting (XSS) enable attackers that have access to backoffice to bring malicious content into a website or application. ### Affected versions Umbraco CMS >= 8.00 ### Patches This is fixed in 8.18.13, 10.8.4, 12.3.7, 13.1.1 by implementing IHtmlSanitizer

### Impact This CVE covers the ability of 3rd party websites to access routes and upload files to users running Gradio applications locally. For example, the malicious owners of [www.dontvisitme.com](http://www.dontvisitme.com/) could put a script on their website that uploads a large file to http://localhost:7860/upload and anyone who visits their website and has a Gradio app will now have that large file uploaded on their computer ### Patches Yes, the problem has been patched in Gradio version 4.19.2 or higher. We have no knowledge of this exploit being used against users of Gradio applications, but we encourage all users to upgrade to Gradio 4.19.2 or higher. Fixed in: https://github.com/gradio-app/gradio/commit/84802ee6a4806c25287344dce581f9548a99834a CVE: https://nvd.nist.gov/vuln/detail/CVE-2024-1727

### Background There is currently no escaping or validation of the `callback` parameter that can be passed to various OMERO.web endpoints that have JSONP enabled. One such endpoint is `/webclient/imgData/...`. As we only really use these endpoints with jQuery's own callback name generation [^1] it is quite difficult or even impossible to exploit this in vanilla OMERO.web. However, these metadata endpoints are likely to be used by many plugins. [^1]: https://learn.jquery.com/ajax/working-with-jsonp/ ### Impact OMERO.web before 5.25.0 ### Patches Users should upgrade to 5.26.0 or higher ### Workarounds None ### References * https://stackoverflow.com/questions/2777021/do-i-need-to-sanitize-the-callback-parameter-from-a-jsonp-call * https://stackoverflow.com/questions/1661197/what-characters-are-valid-for-javascript-variable-names For more information If you have any questions or comments about this advisory: Open an issue in [omero-web](https://github.com/ome/omero-web) Email us a...

### Impact Umbraco have an endpoint that is vulnerable to open redirects. The endpoint is protected so it requires the user to be signed into backoffice, before the vulnerability is exposed. ### Affected Version \>= 8.18.5, >= 10.5.0, >= 12.0.0, >= 13.0.0 ### Patches 8.18.14, 10.8.6, 12.3.10, 13.3.1

A new attack campaign dubbed CLOUD#REVERSER has been observed leveraging legitimate cloud storage services like Google Drive and Dropbox to stage malicious payloads. "The VBScript and PowerShell scripts in the CLOUD#REVERSER inherently involves command-and-control-like activities by using Google Drive and Dropbox as staging platforms to manage file uploads and downloads," Securonix