Symfony is a PHP framework for web and console applications and a set of reusable PHP components. Starting in versions 2.0.0, 5.0.0, and 6.0.0 and prior to versions 4.4.51, 5.4.31, and 6.3.8, some Twig filters in CodeExtension use `is_safe=html` but don't actually ensure their input is safe. As of versions 4.4.51, 5.4.31, and 6.3.8, Symfony now escapes the output of the affected filters.

Skip to content

*   *   Actions
        
        Automate any workflow
        
    *   Packages
        
        Host and manage packages
        
    *   Security
        
        Find and fix vulnerabilities
        
    *   Codespaces
        
        Instant dev environments
        
    *   Copilot
        
        Write better code with AI
        
    *   Code review
        
        Manage code changes
        
    *   Issues
        
        Plan and track work
        
    *   Discussions
        
        Collaborate outside of code
        
    

*   *   GitHub Sponsors
        
        Fund open source developers
        
    
    *   The ReadME Project
        
        GitHub community articles
        
    
*   Pricing

**Package**

composer symfony/symfony (Composer)

**Affected versions**

\>=2.0.0,<4.4.51

\>=5.0.0,<5.4.31

\>=6.0.0,<6.3.8

**Patched versions**

4.4.51

5.4.31

4.4.51

\>=2.0.0,<4.4.51

\>=5.0.0,<5.4.31

\>=6.0.0,<6.3.8

**Description**

**Description**

Some Twig filters in CodeExtension use "is\_safe=html" but don't actually ensure their input is safe.

**Resolution**

Symfony now escapes the output of the affected filters.

The patch for this issue is available here for branch 4.4.

**Credits**

We would like to thank Pierre Rudloff for reporting the issue and to Nicolas Grekas for providing the fix.

CVE-2023-46734: Potential XSS vulnerabilities in CodeExtension filters

Symfony is a PHP framework for web and console applications and a set of reusable PHP components. Starting in version 6.0.0 and prior to version 6.3.8, the error message in `WebhookController` returns unescaped user-submitted input. As of version 6.3.8, `WebhookController` now doesn't return any user-submitted input in its response.

Skip to content

*   *   Actions
        
        Automate any workflow
        
    *   Packages
        
        Host and manage packages
        
    *   Security
        
        Find and fix vulnerabilities
        
    *   Codespaces
        
        Instant dev environments
        
    *   Copilot
        
        Write better code with AI
        
    *   Code review
        
        Manage code changes
        
    *   Issues
        
        Plan and track work
        
    *   Discussions
        
        Collaborate outside of code
        
    

*   *   GitHub Sponsors
        
        Fund open source developers
        
    
    *   The ReadME Project
        
        GitHub community articles
        
    
*   Pricing

**Package**

composer symfony/symfony (Composer)

**Affected versions**

\>=6.3.0, <6.3.8

**Description**

**Description**

The error message in WebhookController returns unescaped user-submitted input.

**Resolution**

WebhookController now doesn't return any user-submitted input in its response.

The patch for this issue is available here for branch 6.3.

**Credits**

We would like to thank Maxime Aknin for reporting the issue and to Nicolas Grekas for providing the fix.

CVE-2023-46735: Potential XSS in WebhookController

Cross-site scripting vulnerability in HOTELDRUID 3.0.5 and earlier allows a remote unauthenticated attacker to execute an arbitrary script on the web browser of the user who is logging in to the product.

**Screenshots****Description**

 Hoteldruid is a free and open source program for hotel management (property management software) developed by DigitalDruid.Net. Thanks to the great flexibility of its _web interface_ it can satisfy a wide range of demands, from bed & breakfasts or vacation rentals with few apartments to hotels with hundreds of rooms. Its main features are:  

*   Web-based with access from any connected device.
*   Configurable number and characteristics of rooms, periods, rates, etc.
*   Automatic assignment of the rooms with user defined rules. Details ->
*   Extra costs, special offers and restrictions can be added to the rates. Details ->
*   Customized documents for receipts, invoices, emails, forms, etc. Details ->
*   Multi-user with privileges system. Details ->
*   Point of sale (POS) for bars and restaurants with inventory management. Details ->
*   Comparative statistics about occupancy and revenues. Details ->
*   Creation of pages to check availability from a website. Details ->
*   Released under the AGPL free software license (free and modifiable).
*   Proprietary modules (available on our hosting) for booking engine and channel manager.
*   And also: group bookings, backup system, calendar with drag & drop, etc.
*   In English, Italian and Spanish plus modules for other languages.

 You can start using hoteldruid instantly by activating its hosting service. On the hosting service you will find already pre-installed the hoteldruid add-on modules that, once integrated with your website, enable you to collect reservations from Internet without additional commissions and synchronizing with your accounts on Booking.com, Expedia.com and other channels.

**Demo**

You can try an on line DEMO:

normal user with all the privileges

administrator user (_not configured_)

page to book from a website (_module_)

page to check availability from a website

page to complete a reservation from a website (_module_)

page with the website availability calendar

  
**Latest Release**

 **HotelDruid version 3.0.6** (November 3, 2023). What's new: possibility to copy existing or deleted reservations, fixed security bugs.

CVE-2023-47164: HotelDruid: Hotel Management Software

Small platforms without resources to handle takedown requests have been weaponized by terrorist groups that share their content online. A free new tool is coming to help clean house.

Terrorist groups have found a home on smaller, less well-known online platforms in recent years where they store, share, and link to content such as violent beheading videos and recruitment propaganda.

Those platforms have struggled to deal with the problem due to a lack of resources and expertise, but a new tool being built by a Google subsidiary in collaboration with a terror-tracking NGO is seeking to solve that problem.

Launched in Paris on Friday, Altitude is a free tool built by Jigsaw—a unit within Google that tracks violent extremism, misinformation, and repressive censorship—and Tech Against Terrorism, a group that seeks to disrupt terrorists’ online activity. The tool aims to give smaller platforms the ability to easily and efficiently detect terrorist content on their networks and remove it.

The project is also working with the Global Internet Forum to Counter Terrorism, which is an industry-led group founded in 2017 by Facebook, Microsoft, Twitter, and YouTube that hosts a shared database of image hashes—a kind of digital fingerprint—of terrorist content.

After years of missteps and failing to deal with the problem of removing terrorist content from their networks, big tech platforms like Facebook, Google, and X (formerly Twitter) have—with the help of dedicated NGOs and law enforcement—largely removed this content from their networks, with the notable exception of Telegram. As a result, terrorists have moved to less regulated and under-resourced platforms where their presence either goes unnoticed or cannot be dealt with because the companies involved simply don’t have the resources to cope with a flood of takedown requests.

“Islamic State and other terrorist groups didn't give up on the internet just because they no longer had the megaphone of their social media platforms. They went elsewhere,” Yasmin Green, the CEO of Jigsaw, tells WIRED. “They found this opportunity to host content on file-hosting sites or other websites, small and medium platforms. Those platforms were not welcoming terrorist content, but they still were hosting it—and actually, quite a lot of it.”

While there are some tools on the market that work in a similar way to Altitude, they are prohibitively expensive for a lot of smaller companies. Experts like Green believe that tools like this need to be open source and free of charge.

The new tool can be integrated straight into the backend of whatever platform it is working with. It then connects to Tech Against Terrorism’s own Terrorist Content Analytics Platform, which centralizes the collection of content that has been created by officially designated terrorist organizations. The database allows all the platforms using Altitude to easily check whether a piece of content has been verified as terrorist content.

Altitude will also provide context about the terrorist groups the content is associated with, other examples of this type of material, information on what other platforms have done with the material, and, eventually, even information pertaining to the relevant laws in a particular country or region.

“We are not here to tell platforms what to do but rather to furnish them with all the information that they need to make the moderation decision," Adam Hadley, executive director of Tech Against Terrorism, tells WIRED. “We want to improve the quality of response. This isn’t about the volume of material removed but ensuring that the very worst material is removed in a way that is supporting the rule of law.”

Tech Against Terrorism works with more than 100 platforms, almost all of which don’t want to be named because of the negative impact on their business of being linked to terrorist content. The type of companies that Tech Against Terrorism works with include pastebins, messaging apps, video-sharing platforms, social media networks, and forums.

For many of these smaller platforms, dealing with takedown requests from governments, civil society organizations, law enforcement, and the platform's own users can be overwhelming and result in companies going to one extreme or the other.

“Platforms can become easily overwhelmed by the takedown requests, and they either ignore them all or they take everything down,” Hadley says. “What we're looking for is to try to create an environment where platforms have the tools to be able to properly assess whether they should remove material or not, because it's imperative to take down terror content, but it's also really important that they're not just removing any content because of concerns about freedom of expression.”

The Israel-Hamas war has shown what an important role Telegram continues to play in allowing terrorist groups to spread their messages. While efforts to hold Telegram to account have had limited success in recent weeks, terror content remains accessible, and it is from here that the content is quickly shared on a multitude of other platforms. And this is where the Altitude tool can make a difference, according to Hadley.

“Ideally, the content wouldn’t be put up on Telegram in the first place,” Hadley says. “But given that it is, the next best thing we can do is make sure that other platforms that are being co-opted into this by terrorists are aware of this activity and have the right information to take down the material in an appropriate fashion.”

This New Tool Aims to Keep Terrorism Content Off the Internet

Urdu-speaking readers of a regional news website that caters to the Gilgit-Baltistan region have likely emerged as a target of a watering hole attack designed to deliver a previously undocumented Android spyware dubbed Kamran.
The campaign, ESET has discovered, leverages Hunza News (urdu.hunzanews[.]net), which, when opened on a mobile device, prompts visitors of the Urdu version to install its

Privacy / Cyber Espionage

Urdu-speaking readers of a regional news website that caters to the Gilgit-Baltistan region have likely emerged as a target of a watering hole attack designed to deliver a previously undocumented Android spyware dubbed **Kamran**.

The campaign, ESET has discovered, leverages Hunza News (urdu.hunzanews\[.\]net), which, when opened on a mobile device, prompts visitors of the Urdu version to install its Android app directly hosted on the website.

The app, however, incorporates malicious espionage capabilities, with the attack compromising at least 20 mobile devices to date. It has been available on the website since sometime between January 7, and March 21, 2023, around when massive protests were held in the region over land rights, taxation, and extensive power cuts.

The malware, activated upon package installation, requests for intrusive permissions, allowing it to harvest sensitive information from the devices.

This includes contacts, call logs, calendar events, location information, files, SMS messages, photos, list of installed apps, and device metadata. The collected data is subsequently uploaded to a command-and-control (C2) server hosted on Firebase.

Kamran lacks remote control capabilities and is also simplistic by design, carrying out its exfiltration activities only when the victim opens the app and lacking in provisions to keep track of the data that has already been transmitted.

This means that it repeatedly sends the same information, along with any new data meeting its search criteria, to the C2 server. Kamran has yet to be attributed to any known threat actor or group.

"As this malicious app has never been offered through the Google Play store and is downloaded from an unidentified source referred to as unknown by Google, to install this app, the user is requested to enable the option to install apps from unknown sources," security researcher Lukáš Štefanko said.

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

Stealthy Kamran Spyware Targeting Urdu-speaking Users in Gilgit-Baltistan

Improper Input Validation in GitHub repository froxlor/froxlor prior to 2.1.0-beta1.

**Froxlor Improper Input Validation vulnerability**

Critical severity GitHub Reviewed Published Nov 10, 2023 to the GitHub Advisory Database • Updated Nov 12, 2023

GHSA-4jch-8qq5-hqg6: Froxlor Improper Input Validation vulnerability

By Waqas
Important to understand: Chess.com has not suffered a data breach.
This is a post from HackRead.com Read the original post: Hacker Leaks 800,000 Scraped Chess.com User Records

The scraped Chess.com data was leaked on Breach Forums on November 8th, 2023 by a threat actor operating under the alias ‘DrOne.’

A threat actor operating under the alias ‘DrOne’ has claimed responsibility for leaking the scraped database of Chess.com containing the personal data of more than 800,000 registered users.

Announcement on the Breach Forums (Screenshot credit: Hackread.com)

Chess.com is a highly popular online platform for chess enthusiasts and a social networking website. As of 2023, the platform boasts more than 150 million registered users, indicating that the leaked records account for approximately only 0.533% of the total user base.

The database was disclosed on November 8th, 2023 on Breach Forums, a well-known platform for hackers and cybercrime activities. Interestingly, this forum recently saw another threat actor leaking a **scraped database from LinkedIn** just a couple of days prior, which contained information from 25 million users.

****The Leaked Data****

After a comprehensive scan of the Chess.com database by Hackread.com, our analysis confirms the exposure of personal data from 828,327 registered users. The leaked information includes:

*   Full names
*   Usernames
*   Profile links
*   Email addresses
*   Users’ originating countries
*   Avatar URLs (containing profile pictures)
*   Universally Unique Identifier (UUID) and User IDs
*   Date of registration (with the most recent sign-up in September 2023)

If combined, the leaked information can serve as a treasure trove for cybercriminals. This data could be utilized for identity theft, phishing scams, social engineering attacks, or even to cross-reference previously leaked login credentials in order to obtain passwords.

Announcement from the leaked Chess.com data – Clicking on links would open the user profile and profile images (Screenshot credit: Hackread.com)

Fortunately, the leaked data does not include passwords. However, when Hackread.com attempted to sign up using the leaked email addresses, nearly every email address used prompted the message **_‘An account already exists with this email address.’_** This suggests that the leaked database contained valid and active email addresses associated with existing Chess.com accounts.

(Screenshot credit: Hackread.com)

****Web Scraping is Hard to Avoid/Block****

Web scraping or data scraping, is an automated process utilized by software to extract data from websites, primarily for gathering specific information from web pages. The process is almost impossible to block since Chess.com is a large website.

Large websites use a variety of measures to prevent scraping, such as rate limiting and captcha challenges. However, scrapers are constantly developing new techniques to circumvent these measures and some scrapers may collect the data for research purposes, such as to study social networks or to develop machine learning models.

****Chess.com and Cybersecurity****

This is not the first time Chess.com has made headlines for cybersecurity-related issues. **In February 2021**, a well-known ethical hacker, Sam Curry, discovered and reported a critical vulnerability within the platform. This flaw allowed the researcher to potentially access any account on the site, including the administrator account.

This new breach poses a significant threat to Chess.com users, potentially facilitating various scams such as identity theft and phishing. For Chess.com users, it is strongly recommended to change your password not only on the platform but also across any other online accounts where the same password is used.

Cybercriminals might deploy **phishing tactics**, sending emails with links leading to malicious websites mimicking Chess.com or other legitimate platforms. It is crucial to refrain from clicking on any such links. However, you can safely check the real URL by hovering over the link before clicking it.

_Hackread.com has informed Chess.com about the data leak. This article will be updated if the company responds._

****_RELATED ARTICLES_****

1.  **Hackers leak scraped data of 87,000 GETTR users**
2.  **Scraped data of 1.3 million Clubhouse users published online**
3.  **Twitter Scraping Breach: 209M Accounts Leaked on Hacker Forum**
4.  **API Misuse: Hacker Exposes 2.6M Duolingo Users’ Emails & Names**
5.  **Data scraping firm leaks 235m Instagram, TikTok, YouTube user data**

Hacker Leaks 800,000 Scraped Chess.com User Records

Improper Input Validation in GitHub repository froxlor/froxlor prior to 2.1.0.

CVE-2023-6069

Experts are finding thousands of examples of AI-created content every week that could allow terrorist groups and other violent extremists to bypass automated detection systems.

Extremist groups have begun to experiment with artificial intelligence, and in particular generative AI, in order to create a flood of new propaganda. Experts now fear the growing use of generative AI tools by these groups will overturn the work Big Tech has done in recent years to keep their content off the internet.

“Our biggest concern is that if terrorists start using gen AI to manipulate imagery at scale, this could well destroy hash-sharing as a solution,” Adam Hadley, the executive director of Tech Against Terrorism, tells WIRED. “This is a massive risk.”

For years, Big Tech platforms have worked hard to create databases of known violent extremist content, known as hashing databases, which are shared across platforms to quickly and automatically remove such content from the internet. But according to Hadley, his colleagues are now picking up around 5,000 examples of AI-generated content each week. This includes images shared in recent weeks by groups linked to Hezbollah and Hamas that appear designed to influence the narrative around the Israel-Hamas war.

“Give it six months or so, the possibility that \[they\] are manipulating imagery to break hashing is really concerning,” Hadley says. “The tech sector has done so well to build automated technology, terrorists could well start using gen AI to evade what's already been done.”

Other examples that researchers at Tech Against Terrorism have uncovered in recent months have included a neo-Nazi messaging channel sharing AI-generated imagery created using racist and antisemitic prompts pasted into an app available on the Google Play store; far-right figures producing a “guide to memetic warfare” advising others on how to use AI-generated image tools to create extremist memes; the Islamic State publishing a tech support guide on how to securely use generative AI tools; a pro-IS user of an archiving service claiming to have used an AI-based automatic speech recognition (ASR) system to transcribe Arabic language IS propaganda; and a pro-al-Qaeda outlet publishing several posters with images highly likely to have been created using a generative AI platform.

Beyond detailing the threat posed by generative AI tools that can tweak images, Tech Against Terrorism has published a new report citing other ways in which gen AI tools can be used to help extremist groups. These include the use of autotranslation tools that can quickly and easily convert propaganda into multiple languages, or the ability to create personalized messages at scale to facilitate recruitment efforts online. But Hadley believes that AI also provides an opportunity to get ahead of extremist groups and use the technology to preempt what they will use it for.

“We're going to partner with Microsoft to figure out if there are ways using our archive of material to create a sort of gen AI detection system in order to counter the emerging threat that gen AI will be used for terrorist content at scale,” Hadley says. “We're confident that gen AI can be used to defend against hostile uses of gen AI.”

The partnership was announced today, on the eve of the Christchurch Call Leaders’ Summit, a movement designed to eradicate terrorism and extremist content from the internet, to be held in Paris.

“The use of digital platforms to spread violent extremist content is an urgent issue with real-world consequences,” Brad Smith, vice chair and president at Microsoft said in a statement. “By combining Tech Against Terrorism’s capabilities with AI, we hope to help create a safer world both online and off.”

While companies like Microsoft, Google, and Facebook all have their own AI research divisions and are likely already deploying their own resources to combat this issue, the new initiative will ultimately aid those companies that can’t combat these efforts on their own.

“This will be particularly important for smaller platforms that don't have their own AI research centers,” Hadley says. “Even now, with the hashing databases, smaller platforms can just become overwhelmed by this content.”

The threat of AI generative content is not limited to extremist groups. Last month, the Internet Watch Foundation, a UK-based nonprofit that works to eradicate child exploitation content from the internet, published a report that detailed the growing presence of child sexual abuse material (CSAM) created by AI tools on the dark web.

The researchers found over 20,000 AI-generated images posted to one dark web CSAM forum over the course of just one month, with 11,108 of these images judged most likely to be criminal by the IWF researchers. As the IWF researchers wrote in their report, “These AI images can be so convincing that they are indistinguishable from real images.”

Here’s How Violent Extremists Are Exploiting Generative AI Tools

When duplicating a BigBlueButton activity, the original meeting ID was also duplicated instead of using a new ID for the new activity. This could provide unintended access to the original meeting.

No match.

Moodle official production repository

RSS Atom

Tag

#git