GHSA-v9wr-2xrg-v7w8: Cross-site Scripting in beetl-bbs

Cross Site Scripting (XSS) vulnerability in beetl-bbs 2.0 allows attackers to run arbitrary code via the /index keyword parameter.

Red Hat Security Advisory 2024-0322-03

Red Hat Security Advisory 2024-0322-03 - An update is now available for Red Hat Ansible Automation Platform 2.4. Issues addressed include a local file inclusion vulnerability.

GHSA-v4xv-795h-rv4h: XSS potential in rendered Markdown fields (comments, description, notes, etc.)

### Impact

All users of Nautobot versions earlier than 1.6.10 or 2.1.2 are potentially impacted. Due to inadequate input sanitization, any user-editable fields that support Markdown rendering, including:

- `Circuit.comments`
- `Cluster.comments`
- `CustomField.description`
- `Device.comments`
- `DeviceRedundancyGroup.comments`
- `DeviceType.comments`
- `Job.description`
- `JobLogEntry.message`
- `Location.comments`
- `Note.note`
- `PowerFeed.comments`
- `Provider.noc_contact`
- `Provider.admin_contact`
- `Provider.comments`
- `ProviderNetwork.comments`
- `Rack.comments`
- `Tenant.comments`
- `VirtualMachine.comments`
- Contents of any custom fields of type `markdown`
- Job class `description` attributes
- The `SUPPORT_MESSAGE` system configuration setting

are potentially susceptible to cross-site scripting (XSS) attacks via maliciously crafted data.

### Patches

Fixed in Nautobot versions 1.6.10 and 2.1.2.

### References

https://github.com/nautobot/nautobot/pull/5133
https://git...

GHSA-9vm7-v8wj-3fqw: keycloak-core: open redirect via "form_post.jwt" JARM response mode

An incomplete fix was found in the Keycloak Core patch. An attacker can steal authorization codes or tokens from clients using a wildcard in the JARM response mode "form_post.jwt". It was observed that changing the response_mode parameter in the original proof of concept from "form_post" to "form_post.jwt" can bypass the security patch implemented to address CVE-2023-6134.

GHSA-w59h-378f-2frm: Unsound sending of non-Send types across threads in threadalone

Affected versions can run the `Drop` impl of a non-Send type on a different thread than it was created on. The flaw occurs when a stderr write performed by the `threadalone` crate fails, for example because stderr is redirected to a location on a filesystem that is full, or because stderr is a pipe that has been closed by the reader. Dropping a non-Send type on the wrong thread is unsound. If used with a type such as a pthread-based `MutexGuard`, [the consequence is undefined behavior][mutexguard]. If used with `Rc`, there would be a data race on the reference count, which is likewise undefined behavior.

[mutexguard]: https://github.com/rust-lang/rust/issues/23465#issuecomment-82730326

GHSA-4c2g-hx49-7h25: Prototype pollution not blocked by object-path related utilities in hoolock

### Impact

Utility functions related to object paths (`get`, `set` and `update`) did not block attempts to access or alter object prototypes.

### Patches

The `get`, `set` and `update` functions will throw a `TypeError` when a user attempts to access or alter inherited properties in versions >=2.2.1.

GHSA-rjq5-w47x-x359: @hono/node-server cannot handle "double dots" in URL

### Impact

Since v1.3.0, we use our own Request object. This is great, but the `url` behavior is unexpected. In the standard API, if the URL contains `..`, here called "double dots", the URL string returned by Request will be in the resolved path.

```ts
const req = new Request('http://localhost/static/../foo.txt') // Web-standards
console.log(req.url) // http://localhost/foo.txt
```

However, the `url` in our Request does not resolve double dots, so `http://localhost/static/../foo.txt` is returned.

```ts
const req = new Request('http://localhost/static/../foo.txt')
console.log(req.url) // http://localhost/static/../foo.txt
```

It will pass unresolved paths to the web application. This causes vulnerabilities like #123 when using `serveStatic`.

Note: Modern web browsers and the latest `curl` command resolve double dots on the client side, so it does not affect you if the user uses them. However, problems may occur if accessed by a client that does not resolve them.

### Patches

"v1...

VexTrio: The Uber of Cybercrime - Brokering Malware for 60+ Affiliates

The threat actors behind ClearFake, SocGholish, and dozens of other actors have established partnerships with another entity known as VexTrio as part of a massive "criminal affiliate program," new findings from Infoblox reveal. The latest development demonstrates the "breadth of their activities and depth of their connections within the cybercrime industry," the company said,

Malicious NPM Packages Exfiltrate Hundreds of Developer SSH Keys via GitHub

Two malicious packages discovered on the npm package registry have been found to leverage GitHub to store Base64-encrypted SSH keys stolen from developer systems on which they were installed. The modules named warbeast2000 and kodiak2k were published at the start of the month, attracting 412 and 1,281 downloads before they were taken down by the npm