#git

DerbyNet version 9.0 suffers from a cross site scripting vulnerability in photo.php.

DerbyNet version 9.0 suffers from a cross site scripting vulnerability in render-document.php.

Seo Panel version 4.7.0 suffers from a cross site scripting vulnerability.

Human Resource Management System 2024 version 1.0 suffers from a remote SQL injection vulnerability.

Jasmin Ransomware version 1.1 suffers from an arbitrary file read vulnerability.

A remote code execution vulnerability in Gibbon online school platform version 26.0.00 and lower allows remote authenticated users to conduct PHP deserialization attacks via columnOrder in a POST request to the endpoint /modules/System%20Admin/import_run.php&type=externalAssessment&step=4. As it allows remote code execution, adversaries could exploit this flaw to execute arbitrary commands, potentially resulting in complete system compromise, data exfiltration, or unauthorized access to sensitive information.

**Name**: ASA-2024-007: Potential Reentrancy using Timeout Callbacks in ibc-hooks **Component**: ibc-go **Criticality**: Critical ([ACMv1](https://github.com/interchainio/security/blob/main/resources/CLASSIFICATION_MATRIX.md): I:Critical; L:AlmostCertain) **Affected versions**: < v4.6.0, < v5.4.0, < v6.3.0, < v7.4.0, < v8.2.0 **Affected users**: Chain Builders + Maintainers # Summary Through the deployment and subsequent use of a malicious CosmWasm contract via IBC interactions, an attacker could potentially execute the same `MsgTimeout` inside the IBC hook for the `OnTimeout` callback before the packet commitment is deleted. On chains where ibc-hooks wraps ICS-20, this vulnerability may allow for the logic of the `OnTimeout` callback of the transfer application to be recursively executed, leading to a condition that may present the opportunity for the loss of funds from the escrow account or unexpected minting of tokens. # Affected Configurations Chains which satisfy all of the fo...

**Summary** The absence of restrictions on the endpoint, which allows you to create a path for uploading a file in a file distribution, allows an attacker to add arbitrary files to the distribution. **Details** Vulnerable endpoint: POST /files **PoC** 1. Create a file distribution. <img width="1434" alt="Снимок экрана 2024-03-17 в 21 27 30" src="https://github.com/psi-4ward/psitransfer/assets/163760990/4634a6f7-6e7d-486e-9929-76156aaa1340"> 2. Go to the link address (id of the file distribution is needed by an attacker to upload files there). <img width="1426" alt="Снимок экрана 2024-03-17 в 21 27 35" src="https://github.com/psi-4ward/psitransfer/assets/163760990/a57c910c-69e2-4b07-985d-b0a46c69891a"> 3. Send a POST /files. As the value of the Upload-Metadata header we specify the sid parameter with the id of the file distribution obtained in the second step. In the response from the server in the Location header we get the path for uploading a new file to the file distribution. <i...

By Uzair Amir The partnership will bring millions of players into the Immutable web3 ecosystem while providing GAM3S.GG with the leading web3 gaming platform on the market. This is a post from HackRead.com Read the original post: GAM3S.GG and Immutable Announce Partnership for Web3 Gaming Expansion

An integer overflow in dav1d AV1 decoder that can occur when decoding videos with large frame size. This can lead to memory corruption within the AV1 decoder. We recommend upgrading to version 0.7.0 of libdav1d-sys, which includes dav1d 1.4.0.