Tag
#git
### Description An administrator can craft a user with a malicious first name and last name, using a payload such as ``` <svg onload="confirm(document.domain)">'); ?></svg> ``` The user will then receive the invitation email and click on the setup link. The setup start page served by the server will fire the XSS. ### Impact of issue An administrator could use this exploit to edit the setup start page for a given user, for example, trick the user into installing another extension. Even though the severity of this issue in itself is high, the likelihood is low because the exploit will be visible in clear by the user in the email notification, and also requires an action from a malicious administrator. ### Fix Sanitize the firstname and lastname in the page that is used to trigger the extension setup process. Additionally since v2.11 some default CSP are inserted in the server response headers to prevent inline-scripts or 3rd party domain scripts on pages served by the passbolt API. Th...
Passbolt provides a way for system administrators to generate a PGP key for the server during installation. The wizard requests a username, an e-mail address and an optional comment. No escaping or verification is done by Passbolt, effectively allowing a user to inject bash code. The impact is very high, but the probability is very low given that this vulnerability can only be exploited during Passbolt’s installation stage.
Passbolt uses three cookies: a session cookie, a CSRF protection cookie and a cookie to keep track of the multiple-factor authentication process. Both the session cookie and the mfa cookie are properly set HTTP-only to prevent an attacker from retrieving the content of those cookies if they managed to exploit an XSS. The /auth/verify.json endpoint returns a JSON that, among other things, contains the cookies sent in the request. (similar to the TRACE HTTP method) An attacker who manages to leverage an XSS vulnerability could retrieve the session cookies of a legitimate user, effectively granting them the ability to retrieve information (such as encrypted password list or group list) without requiring user interaction. This vulnerability has a low impact, but no immediate risk due to it requiring the exploitation of an XSS vulnerability that has yet to be found.
Passbolt sends e-mail to users to warn them about different type of events such as the creation, modification or deletion of a password. Those e-mails may contain user-specified input, such as a password’s title or description. Passbolt does not escape the user’s input properly, resulting in the user being able to inject HTML code in an e-mail. An authenticated attacker could share a password containing an img HTML tag in its description with an other user to obtain information about their mail user-agent. This vulnerability has a very low impact. Most MUA do not embed remote images to protect their users’ privacy.
### Summary Servers based on aiosmtpd accept extra unencrypted commands after STARTTLS, treating them as if they came from inside the encrypted connection. This could be exploited by a MitM attack. ### References * [NO STARTTLS: Similar vulnerabilities discovered by previous researchers.](https://nostarttls.secvuln.info/)
### Impact Executing policy checks using custom schematron files invokes an XSL transformation that may theoretically lead to a remote code execution (RCE) vulnerability. ### Patches This has been patched and users should upgrade to veraPDF v1.24.2 ### Workarounds This doesn't affect the standard validation and policy checks functionality, veraPDF's common use cases. Most veraPDF users don't insert any custom XSLT code into policy profiles, which are based on Schematron syntax rather than direct XSL transforms. For users who do, only load custom policy files from sources you trust. ### References Original issue: <https://github.com/veraPDF/veraPDF-library/issues/1415>
OroPlatform is prone to open redirection which could allow attackers to redirect users to external website.
OroCRM is prone to open redirection which could allow attackers to redirect users to external website.
By Waqas New Android Malware "Antidot" disguises itself as Google Update to steal banking info. Don't click suspicious update links! Download apps only from Google Play & keep software updated. This is a post from HackRead.com Read the original post: New Antidot Android Malware Poses as Google Update to Steal Funds
Having real-time protection is like having guards stationed all around your castle, ready to defend. Here's how it works.