Security
Headlines
HeadlinesLatestCVEs

Tag

#git

London NHS Crippled by Ransomware, Several Hospitals Targeted edit

London hospitals crippled by cyberattack! This incident highlights the growing threat of ransomware on healthcare systems worldwide. London’s…

HackRead
Open in Source
#vulnerability#git
GHSA-277c-5vvj-9pwx: Flooding Server with Thumbnail files

# Details ## 1. All Imagick supported Fileformats are served without filtering The Thumbnail endpoint does not check against any filters what file formats should be served. We can transcode the image in all formats imagemagick supports. With that we can create Files that are much larger in filesize than the original. For example we can create a .txt file for all thumbnails, and we get the text representation of the image. We can demonstrate that with the pimcore demo: This Thumbnail is found on the Frontend: https://demo.pimcore.fun/Sample%20Content/Background%20Images/317/image-thumb__317__standardTeaser/11.8c64bd89.avif (12kb Filesize) We can generate a text representation by simply changing the file extension: https://demo.pimcore.fun/Sample%20Content/Background%20Images/317/image-thumb__317__standardTeaser/11.8c64bd89.txt (4.59mb Filesize) Other (large) fileformats we tested: ftxt, dip, bmp, bmp3, bmp2, farbfeld, cmyk, cmyka, ycbcr, ycbcra and many more (just check imagemagic...

GHSA-9p6p-8v9r-8c9m: javascript-deobfuscator crafted payload can lead to code execution

javascript-deobfuscator removes common JavaScript obfuscation techniques. Crafted payloads targeting expression simplification can lead to code execution. This issue has been patched in version 1.1.0.

GHSA-pmxp-7224-h794: Denial of Service (DoS) attack possibility in TYPO3 component Indexed Search

Due to an oversized maximum result limit, TYPO3 component Indexed Search is susceptible to a Denial of Service attack.

This Hacker Tool Extracts All the Data Collected by Windows’ New Recall AI

Windows Recall takes a screenshot every five seconds. Cybersecurity researchers say the system is simple to abuse—and one ethical hacker has already built a tool to show how easy it really is.

GHSA-wrpf-2x8h-82gr: Typo3 Arbitrary File Disclosure in Form Component

Failing to properly validate user input, the form component is susceptible to Arbitrary File Disclosure. A valid backend user account is needed to exploit this vulnerability. Only forms are vulnerable, which contain upload fields.

GHSA-8j9v-4hhh-x43c: Cross-Site Scripting (XSS) in TYPO3 component CSS styled content

Failing to properly encode user input, the CSS styled content component is susceptible to Cross-Site Scripting, allowing authenticated editors to inject arbitrary HTML or JavaScript.

GHSA-qffc-gwpp-m2xr: XML External Entity (XXE) Processing in TYPO3 Core

All XML processing within the TYPO3 CMS are vulnerable to XEE processing. This can lead to load internal and/or external (file) content within an XML structure. Furthermore it is possible to inject arbitrary files for an XML Denial of Service attack. For more information on that topic see https://www.owasp.org/index.php/XML_External_Entity_(XXE)_Processing.

GHSA-3jxq-5xhh-9jr3: Cross-Site Scripting (XSS) in TYPO3 component Backend

Failing to properly encode incoming data, the bookmark toolbar is susceptible to Cross-Site Scripting.

Red Hat Security Advisory 2024-3570-03

Red Hat Security Advisory 2024-3570-03 - A new image is available for Red Hat Single Sign-On 7.6.9, running on OpenShift Container Platform 3.10 and 3.11, and 4.3.