Security Headlines

Tag: #git
GHSA-w387-5qqw-7g8m: Content-Security-Policy header generation in middleware could be compromised by malicious injections

### Impact

When the following conditions are met:

- Automated CSP headers generation for SSR content is enabled
- The web application serves content that can be partially controlled by external users

Then it is possible that the CSP headers generation feature might be "allow-listing" malicious injected resources like inlined JS, or references to external malicious scripts.

### Patches

Available in version 1.3.0.

### Workarounds

- Do not enable CSP headers generation.
- Use it only for dynamically generated content that cannot be controlled by external users in any way.

GHSA-8r5j-gm3j-cx9c: Winter CMS Server-Side Template Injection (SSTI) vulnerability

Server-side Template Injection (SSTI) vulnerability in Winter CMS v.1.2.3 allows a remote attacker to execute arbitrary code via a crafted payload to the CMS Pages field and Plugin components.

GHSA-73v2-rxqp-7q4f: aliyundrive-webdav vulnerable to Command Injection

An issue in aliyundrive-webdav v.2.3.3 and before allows a remote attacker to execute arbitrary code via a crafted payload to the sid parameter in the `action_query_qrcode` component.

WatchGuard XTM Firebox Unauthenticated Remote Command Execution

This Metasploit module exploits a buffer overflow in the administration interface (port 8080 or 4117) of WatchGuard Firebox and XTM appliances. The interface is built from a CherryPy Python backend that sends XML-RPC requests to a C binary called wgagent, reached through the pre-authentication endpoint /agent/login. This vulnerability impacts Fireware OS before 12.7.2_U2, 12.x before 12.1.3_U8, and 12.2.x through 12.5.x before 12.5.9_U2. Successful exploitation results in remote code execution as user nobody.

FoF Pretty Mail 1.1.2 Local File Inclusion

The FoF Pretty Mail extension version 1.1.2 for Flarum suffers from a local file inclusion vulnerability.

FoF Pretty Mail 1.1.2 Server-Side Template Injection

The FoF Pretty Mail extension version 1.1.2 for Flarum suffers from a server-side template injection vulnerability.

FoF Pretty Mail 1.1.2 Command Injection

The FoF Pretty Mail extension version 1.1.2 for Flarum suffers from a command injection vulnerability.

Red Hat Security Advisory 2024-1570-03

Red Hat Security Advisory 2024-1570-03 - Updated images are now available for Red Hat Advanced Cluster Security. Issues addressed include a denial of service vulnerability.

MFA bombing taken to the next level

Cybercriminals have taken MFA bombing to the next level by calling victims of an attack from a spoofed Apple Support number.

GHSA-39fp-mqmm-gxj6: CodeIgniter4 DoS Vulnerability

### Impact

A vulnerability was found in the Language class that allowed DoS attacks. This vulnerability can be exploited by an attacker to consume a large amount of memory on the server.

### Patches

Upgrade to v4.4.7 or later. See [upgrading guide](https://codeigniter4.github.io/userguide/installation/upgrade_447.html).

### Workarounds

- Disabling Auto Routing prevents a known attack vector in the framework.
- Do not pass invalid values to the `lang()` function or `Language` class.

### References

- https://codeigniter4.github.io/userguide/outgoing/localization.html#language-localization
- https://codeigniter4.github.io/userguide/general/common_functions.html#lang