#git

### Impact Users with access to backend forms that include a [ColorPicker FormWidget](https://wintercms.com/docs/v1.2/docs/backend/forms#color-picker) can provide a value that would then be rendered unescaped in the backend form, potentially allowing for a stored XSS attack. By default, only the Brand Settings (`backend.manage_branding`) and Mail Brand Settings (`system.manage_mail_templates`) forms include the `colorpicker` formwidget, however it is also common for theme's to include it on their Theme Customization (`cms.manage_theme_options`) form. Although this was a security issue, it's important to note that its severity is relatively low. To exploit the vulnerability, an attacker would already need to have trusted access to the Winter CMS backend and they would then need to convince a user with higher privileges than them to visit an affected Form in the backend. These two factors limit the potential harm of this vulnerability. That being said, all users are advised to update ...

### Impact Users with the `media.manage_media` permission can upload files to the Media Manager and rename them after uploading. Previously, media manager files were only sanitized on upload, not on renaming, which could have allowed a stored XSS attack. Although this was a security issue, it's important to note that its severity is low. To exploit the vulnerability, an attacker would already need to have trusted permissions in the Winter CMS backend. This means they would already have extensive access and control within the system. Additionally, to execute the XSS, the attacker would need to convince the victim to directly visit the URL of the maliciously uploaded SVG, and the application would have to be using local storage where uploaded files are served under the same domain as the application itself instead of a CDN. This is because all SVGs in Winter CMS are rendered through an img tag, which prevents any payloads from being executed directly. These two factors significantly l...

An absolute path traversal attack exists in the Ansible automation platform. This flaw allows an attacker to craft a malicious Ansible role and make the victim execute the role. A symlink can be used to overwrite a file outside of the extraction path.

### Summary The function `lookupPreprocess()` is meant to apply some transformations to a string by disabling characters in the regex `[-_ .]`. However, due to the use of late Unicode normalization of type NFKD, it is possible to bypass that validation and re-introduce all the characters in the regex `[-_ .]`. ```go // lookupPreprocess applies transformations to s so that it can be compared // to search for something. // For example, it is used by (ThemeStore).Lookup func lookupPreprocess(s string) string { return strings.ToLower(norm.NFKD.String(regexp.MustCompile(`[-_ .]`).ReplaceAllString(s, ""))) } ``` Take the following equivalent Unicode character U+2024 (․). Initially, the `lookupPreprocess()` function would compile the regex and replace the regular dot (.). However, the U+2024 (․) would bypass the `ReplaceAllString()`. When the normalization operation is applied to U+2024 (․), the resulting character will be U+002E (.). Thus, the dot was reintroduced back. ### Impact The...

### Impact When decoding user supplied MessagePack messages, users can trigger stuck threads by crafting messages that keep the decoder stuck in a loop. ### Patches The fix is available in v1.10.1 ### Workarounds Exploits seem to require structured cloning, replacing the 0x70 extension with your own (that throws an error or does something other than recursive referencing) should mitigate the issue. ### References

### Impact In ActiveAdmin versions prior to 3.2.0, maliciously crafted spreadsheet formulas could be uploaded as part of admin data that, when exported to a CSV file and the imported to a spreadsheet program like libreoffice, could lead to remote code execution and private data exfiltration. The attacker would need privileges to upload data to the same ActiveAdmin application as the victim, and would need the victim to possibly ignore security warnings from their spreadsheet program. ### Patches Versions 3.2.0 and above fixed the problem by escaping any data starting with `=` and other characters used by spreadsheet programs. ### Workarounds Only turn on formula evaluation in spreadsheet programs when importing CSV after explicitly reviewing the file. ### References https://owasp.org/www-community/attacks/CSV_Injection https://github.com/activeadmin/activeadmin/pull/8167

### Impact Denial of Service, Applications that allow the use of the PBKDF2 algorithm. ### Patches A [patch](https://github.com/latchset/jwcrypto/commit/d2655d370586cb830e49acfb450f87598da60be8) is available that sets the maximum number of default rounds. ### Workarounds Applications that do not need to use PBKDF2 should simply specify the algorithms use and exclude it from the list. Applications that need to use the algorithm should upgrade to the new version that allows to set a maximum rounds number. ### Acknowledgement The issues was reported by Jingcheng Yang and Jianjun Chen from Sichuan University and Zhongguancun Lab

Prior work from this researcher disclosed how PowerShell executes unintended files or BASE64 code when processing specially crafted filenames. This research builds on their PSTrojanFile work, adding a PS command line single quote bypass and PS event logging failure. On Windows CL tab, completing a filename uses double quotes that can be leveraged to trigger arbitrary code execution. However, if the filename got wrapped in single quotes it failed, that is until now.

By Waqas Big Tech vs. Big Brother: Apple Defies India Pressure over iPhone Hacking Alerts. This is a post from HackRead.com Read the original post: Apple’s iPhone Hack Attack Warnings Spark Political Firestorm in India

From Sam Altman and Elon Musk to ransomware gangs and state-backed hackers, these are the individuals and groups that spent this year disrupting the world we know it.