Security
Headlines
HeadlinesLatestCVEs

Tag

#git

Domain Escalation – Backup Operator

The Backup Operators is a Windows built-in group. Users which are part of this group have permissions to perform backup and restore operations. More specifically,… Continue reading → Domain Escalation – Backup Operator

Pentestlab
Open in Source
#ios#mac#windows#git#c++#samba#auth
FTC Bans InMarket for Selling Precise User Location Without Consent

The U.S. Federal Trade Commission (FTC) is continuing to clamp down on data brokers by prohibiting InMarket Media from selling or licensing precise location data. The settlement is part of allegations that the Texas-based company did not inform or seek consent from consumers before using their location information for advertising and marketing purposes. "InMarket will also be prohibited from

GHSA-jgxc-8mwq-9xqw: Clojure classes can be used to craft a serialized object that runs arbitrary code on deserialization

In Clojure before 1.9.0, classes can be used to construct a serialized object that executes arbitrary code upon deserialization. This is relevant if a server deserializes untrusted objects.

GHSA-g7ph-8423-pf4j: Code execution in metagpt

MetaGPT through 0.6.4 allows the QaEngineer role to execute arbitrary code because RunCode.run_script() passes shell metacharacters to subprocess.Popen.

GHSA-2jxw-4hm4-6w87: SQL injection in llama-index

LlamaIndex (aka llama_index) through 0.9.35 allows SQL injection via the Text-to-SQL feature in NLSQLTableQueryEngine, SQLTableRetrieverQueryEngine, NLSQLRetriever, RetrieverQueryEngine, and PGVectorSQLQueryEngine. For example, an attacker might be able to delete this year's student records via "Drop the Students table" within English language input.

Evolution of AI Assistants: Navigating Breakthroughs in Software Development

By Owais Sultan We are now at the age of advanced AI assistants. This unique software significantly simplifies our everyday tasks,… This is a post from HackRead.com Read the original post: Evolution of AI Assistants: Navigating Breakthroughs in Software Development

GHSA-r67w-f99w-mgxj: ReDoS in Embedchain

The JSON loader in Embedchain before 0.1.57 allows a ReDoS (regular expression denial of service) via a long string to json.py.

GHSA-297x-2qf3-jrj3: Unsafe yaml deserialization in llama-hub

The OpenAPI and ChatGPT plugin loaders in LlamaHub (aka llama-hub) before 0.0.67 allow attackers to execute arbitrary code because safe_load is not used for YAML.

GHSA-rhhj-5436-95vf: Code execution in Embedchain

The OpenAPI loader in Embedchain before 0.1.57 allows attackers to execute arbitrary code, related to the openapi.py yaml.load function argument.

GHSA-fh38-9fgr-454w: Cross-site Scripting in Ghost

Ghost before 5.76.0 allows XSS via a post excerpt in excerpt.js. An XSS payload can be rendered in post summaries.