#git

An arbitrary file upload vulnerability in the image upload function of Automad v2.0.0 allows attackers to execute arbitrary code via a crafted file.

In janeczku Calibre-Web 0.6.0 to 0.6.21, the edit_book_comments function is vulnerable to Cross Site Scripting (XSS) due to improper sanitization performed by the clean_string function. The vulnerability arises from the way the clean_string function handles HTML sanitization.

### Impact `API_URLS` is utilizing HTTP instead of HTTPS for communication that can lead to issues like Eavesdropping, Data Tampering, Unauthorized Data Access & MITM Attacks. ### References [ISSUE](https://github.com/ARPSyndicate/puncia/issues/8) [PATCH](https://github.com/ARPSyndicate/puncia/commit/033f3b68126eabbb2040ce16e2c3a2ce17437fbd#diff-3ec6c2de51e702726b23c452e3f4a899f6f4253af9fbf5be7254a5c1407ab526)

### Impact The server allow to create any user who can trigger a pipeline run malicious workflows: - Those workflows can either lead to a host takeover that runs the agent executing the workflow. - Or allow to extract the secrets who would be normally provided to the plugins who's entrypoint are overwritten. ### Patches https://github.com/woodpecker-ci/woodpecker/pull/3933 ### Workarounds _Is there a way for users to fix or remediate the vulnerability without upgrading?_ **Enable the "gated" repo feature and review each change upfront** ### References - https://github.com/woodpecker-ci/woodpecker/pull/3933 - https://github.com/woodpecker-ci/woodpecker-security/pull/11 - https://github.com/woodpecker-ci/woodpecker-security/issues/8 (info will be published later at https://github.com/woodpecker-ci/woodpecker/issues/3924) - https://github.com/woodpecker-ci/woodpecker-security/issues/9 (info will be published later at https://github.com/woodpecker-ci/woodpecker/issues/3924) - https://gi...

### Impact The server allow to create any user who can trigger a pipeline run malicious workflows: - Those workflows can either lead to a host takeover that runs the agent executing the workflow. - Or allow to extract the secrets who would be normally provided to the plugins who's entrypoint are overwritten. ### Patches https://github.com/woodpecker-ci/woodpecker/pull/3909 https://github.com/woodpecker-ci/woodpecker/pull/3934 ### Workarounds _Is there a way for users to fix or remediate the vulnerability without upgrading?_ **Enable the "gated" repo feature and review each change upfront of running** ### References - https://github.com/woodpecker-ci/woodpecker/pull/3909 - https://github.com/woodpecker-ci/woodpecker/pull/3934 - https://github.com/woodpecker-ci/woodpecker-security/issues/10 (info will be published later at https://github.com/woodpecker-ci/woodpecker/issues/3929) - https://github.com/woodpecker-ci/woodpecker/issues/3929 (info will be published later once we got adoptio...

An enormous IT outage across the world today is not the result of a cyberattack, but rather a faulty update from CrowdStrike.

The Identity Theft Resource Center has published a report showing a 1,170% increase in compromised data victims compared to the same quarter last year.

A defective CrowdStrike kernel driver sent computers around the globe into a reboot death spiral, taking down air travel, hospitals, banks, and more with it. Here’s how that’s possible.

A faulty software update from cybersecurity vendor Crowdstrike crippled countless Microsoft Windows computers across the globe today, disrupting everything from airline travel and financial institutions to hospitals and businesses online. Crowdstrike said a fix has been deployed, but experts say the recovery from this outage could take some time, as Crowdstrike's solution needs to be applied manually on a per-machine basis.

Red Hat Security Advisory 2024-4626-03 - An update is now available for Red Hat OpenShift GitOps v1.11.6. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link in the References section. Issues addressed include a traversal vulnerability.