Tag

#git

GHSA-8jhw-289h-jh2g: Vite's `server.fs.deny` did not deny requests for patterns with directories.

### Summary

[Vite dev server option](https://vitejs.dev/config/server-options.html#server-fs-deny) `server.fs.deny` did not deny requests for patterns with directories. An example of such a pattern is `/foo/**/*`.

### Impact

Only apps setting a custom `server.fs.deny` that includes a pattern with directories, and explicitly exposing the Vite dev server to the network (using `--host` or [`server.host` config option](https://vitejs.dev/config/server-options.html#server-host)) are affected.

### Patches

Fixed in [email protected], [email protected], [email protected], [email protected], [email protected], [email protected]

### Details

`server.fs.deny` uses picomatch with the config of `{ matchBase: true }`. [matchBase](https://github.com/micromatch/picomatch/blob/master/README.md#options:~:text=Description-,basename,-boolean) only matches the basename of the file, not the path due to a bug (https://github.com/micromatch/picomatch/issues/89). The vite config docs read like you should be able to set fs.deny to glob with picoma...

GHSA-vjhf-6xfr-5p9g: KubeVirt NULL pointer dereference flaw

A NULL pointer dereference flaw was found in KubeVirt. This flaw allows an attacker who has access to a virtual machine guest on a node with DownwardMetrics enabled to cause a denial of service by issuing a high number of calls to vm-dump-metrics --virtio and then deleting the virtual machine.

GHSA-2q59-h24c-w6fg: Voilà Local file inclusion

### Impact

Any deployment of voilà dashboard allows local file inclusion, that is to say any file on a filesystem that is readable by the user that runs the voilà dashboard server can be downloaded by someone with network access to the server. Whether this still requires authentication depends on how voilà is deployed.

### Patches

This is patched in 0.2.17+, 0.3.8+, 0.4.4+, 0.5.6+

### Workarounds

None.

### References

CWE-73: External Control of File Name or Path

### Original report

I have found a local file inclusion vulnerability in one of your subprojects, voila (https://github.com/voila-dashboards/voila). The vulnerability exists in the "/static" Route, and can be exploited by simply making a request such as this:

```
$ curl localhost:8866/static/etc/passwd
```

...or by using a web browser to download the file. I dug into the source code, and I think the offending line is here: https://github.com/voila-dashboards/voila/blob/8419cc7d79c0bb1dabfbd9ec49cb957740609d4d/voi...

IntelBroker Leaks Alleged National Security Data Tied to US Contractor Acuity Inc.

By Waqas. The leaked data was previously being sold by the IntelBroker hacker for just $3,000 in Monero (XMR) cryptocurrency. This is a post from HackRead.com.

‘The Manipulaters’ Improve Phishing, Still Fail at Opsec

Roughly nine years ago, KrebsOnSecurity profiled a Pakistan-based cybercrime group called "The Manipulaters," a sprawling web hosting network of phishing and spam delivery platforms. In January 2024, The Manipulaters pleaded with this author to unpublish previous stories about their work, claiming the group had turned over a new leaf and gone legitimate. But new research suggests that while they have improved the quality of their products and services, these nitwits still fail spectacularly at hiding their illegal activities.

GHSA-p73x-rpgm-3v56: Dolibarr ERP CRM Code Injection vulnerability during installation

Lack of sanitization during Installation Process in Dolibarr ERP CRM up to version 19.0.0 allows an attacker with adjacent access to the network to execute arbitrary code via a specifically crafted input.

'Unfaking' News: How to Counter Disinformation Campaigns in Global Elections

What cybersecurity professionals around the world can do to defend against the scourge of online disinformation in this year's election cycle.

Persistence – DLL Proxy Loading

DLL Proxy Loading is a technique in which an arbitrary DLL exports the same functions as the legitimate DLL and forwards the calls to the legitimate…

GHSA-7mxg-r76p-363g: Gleez Cms Server Side Request Forgery (SSRF) vulnerability

Server Side Request Forgery (SSRF) vulnerability in Gleez Cms 1.2.0 allows remote attackers to execute arbitrary code and obtain sensitive information via modules/gleez/classes/request.php.

GHSA-44wm-f244-xhp3: Pillow buffer overflow vulnerability

In _imagingcms.c in Pillow before 10.3.0, a buffer overflow exists because strcpy is used instead of strncpy.