#git

Zenario before 9.5.60437 uses Twig filters insecurely in the Twig Snippet plugin, and in the site-wide HEAD and BODY elements, enabling code execution by a designer or an administrator.

The Tree Explorer tool from Organizer in Zenario before 9.5.60602 is affected by XSS. (This component was removed in 9.5.60602.)

By Waqas A new botnet called Goldoon targets D-Link routers and NAS devices putting them at risk of DDoS attacks and more. Learn how weak credentials leave you vulnerable and how to secure your network. pen_spark This is a post from HackRead.com Read the original post: New Goldoon Botnet Targeting D-Link Devices by Exploiting 9-Year-Old Flaw

### Summary An unsafe sanitization of dataset contents on the `MarkovData#getNext` method used in `Markov#generate` and `Markov#choose` allows a maliciously crafted string on the dataset to throw and stop the function from running properly. ### Details https://github.com/xiboon/kurwov/blob/0d58dfa42135ab40e830e92622857282f980ca89/src/MarkovData.ts#L38-L44 If a string contains a forbidden substring (i.e. `__proto__`) followed by a space character, the second line will access a special property in `MarkovData#finalData` by removing the last character of the string, bypassing the dataset sanitization (as it is supposed to be already sanitized before this function is called). `data` is then defined as the special function found in its prototype instead of an array. On the last line, `data` is then indexed by a random number, which is supposed to return a string but returns undefined as it's a function. Calling `endsWith` then throws. ### PoC https://runkit.com/embed/m6uu40r5ja9b ### ...

### Impact An authenticated user who has access to a game server is able to bypass the previously implemented access control (https://github.com/pterodactyl/wings/security/advisories/GHSA-6rg3-8h8x-5xfv) that prevents accessing internal endpoints of the node hosting Wings in the pull endpoint. This would allow malicious users to potentially access resources on local networks that would otherwise be inaccessible. ### Workarounds Enabling the `api.disable_remote_download` option or updating to the latest version of Wings are the only known workarounds. ### Patches https://github.com/pterodactyl/wings/commit/c152e36101aba45d8868a9a0eeb890995e8934b8

### Impact Importing a malicious egg or gaining access to wings instance could lead to XSS on the panel, which could be used to gain an administrator account on the panel. Specifically, the following things are impacted: - Egg Docker images - Egg variables: - Name - Environment variable - Default value - Description - Validation rules Additionally, certain fields would reflect malicious input, but it would require the user knowingly entering such input to have an impact. To iterate, this would require an administrator to perform actions and can't be triggered by a normal panel user. ### Workarounds No workaround is available other than updating to the latest version of the panel. ### Patches All of the following commits are required to resolve this security issue: https://github.com/pterodactyl/panel/commit/1172d71d31561c4e465dabdf6b838e64de48ad16 https://github.com/pterodactyl/panel/commit/f671046947e4695b5e1c647df79305c1cefdf817 https://github.com/pteroda...

### Impact If the Wings token is leaked either by viewing the node configuration or posting it accidentally somewhere, an attacker can use it to gain arbitrary file write and read access on the node the token is associated to. ### Workarounds Enabling the `ignore_panel_config_updates` option or updating to the latest version of Wings are the only known workarounds. ### Patches https://github.com/pterodactyl/wings/commit/5415f8ae07f533623bd8169836dd7e0b933964de

### Impact The capture_dependencies function in `sagemaker.serve.save_retrive.version_1_0_0.save.utils` module before version 2.214.3 allows for potentially unsafe Operating System (OS) Command Injection if inappropriate command is passed as the “requirements_path” parameter. This consequently may allow an unprivileged third party to cause remote code execution, denial of service, affecting both confidentiality and integrity. Impacted versions: <2.214.3 ### Credit We would like to thank HiddenLayer for collaborating on this issue through the coordinated vulnerability disclosure process. ### Workarounds Do not override the “requirements_path” parameter of capture_dependencies function in `sagemaker.serve.save_retrive.version_1_0_0.save.utils`, instead use the default value. ### References If you have any questions or comments about this advisory we ask that you contact AWS/Amazon Security via our vulnerability reporting page [1] or directly via email to [email protected]. ...

### Impact sagemaker.base_deserializers.NumpyDeserializer module before v2.218.0 allows potentially unsafe deserialization when untrusted data is passed as pickled object arrays. This consequently may allow an unprivileged third party to cause remote code execution, denial of service, affecting both confidentiality and integrity. Impacted versions: <2.218.0. ### Credit We would like to thank HiddenLayer for collaborating on this issue through the coordinated vulnerability disclosure process. ### Workarounds Do not pass pickled numpy object arrays which originated from an untrusted source, or that could have been tampered with. Only pass pickled numpy object arrays from sources you trust. ### References If you have any questions or comments about this advisory we ask that you contact AWS/Amazon Security via our vulnerability reporting page [1] or directly via email to [[email protected]](mailto:[email protected]). Please do not create a public GitHub issue. [1] Vu...

Versions 0.5.0 and 0.5.1 of vodozemac have degraded secret zeroization capabilities, due to changes in third-party cryptographic dependencies (the Dalek crates), which moved secret zeroization capabilities behind a feature flag while vodozemac disabled the default feature set. ### Impact The degraded zeroization capabilities could result in the production of more memory copies of encryption secrets and secrets could linger in memory longer than necessary. This marginally increases the risk of sensitive data exposure. Overall, we consider the impact of this issue to be low. Although cryptographic best practices recommend the clearing of sensitive information from memory once it's no longer needed, the inherent limitations of Rust regarding absolute zeroization reduce the practical severity of this lapse. ### Patches The patch is in commit https://github.com/matrix-org/vodozemac/pull/130/commits/297548cad4016ce448c4b5007c54db7ee39489d9. ### Workarounds None. ### For more information...