Tag
#git
### Impact

A `__proto__` pollution vulnerability exists in synchrony versions before v2.4.4. Successful exploitation could lead to arbitrary code execution.

### Summary

A `__proto__` pollution vulnerability exists in the [LiteralMap] transformer, allowing crafted input to modify properties in the Object prototype. When executing in Node.js, due to use of the `prettier` module, defining a `parser` property on `__proto__` with a path to a JS module on disk [causes a `require` of the value][prettier/src/main/parser.js], which can lead to arbitrary code execution.

### Patch

A fix has been released in synchrony v2.4.4.

### Mitigation

- Upgrade synchrony to v2.4.4
- Launch node with the [--disable-proto=delete][disable-proto] or [--disable-proto=throw][disable-proto] flag

### Proof of Concept

Craft a malicious input file named `poc.js` as follows:

```js
// Malicious code to be run after this file is imported. Logs the result of shell command "dir" to the console.
console.log(req...
```
## Overview

OpenFGA is vulnerable to a DoS attack. When a number of ListObjects calls are executed, in some scenarios, those calls are not releasing resources even after a response has been sent, and the service as a whole becomes unresponsive.

## Fix

Upgrade to v1.3.4. This upgrade is backwards compatible.
### Impact

The vulnerability affects the endpoint `/v2/pkgs/tools/installed` and the way it handles plugin names supplied as user input. A user who has the ability to perform HTTP requests to the localhost interface, or is able to bypass the CORS configuration, can delete arbitrary files or folders belonging to the user that runs the Arduino Create Agent via a crafted HTTP POST request. Further details are available in the references.

### Fixed Version

* `1.3.3`

### References

The issue was reported by Nozomi Networks Labs. Further details on the issue will soon be published and this advisory updated.
### Impact

The vulnerability affects the endpoint `/upload`, which handles requests with the `filename` parameter. A user who has the ability to perform HTTP requests to the localhost interface, or is able to bypass the CORS configuration, can escalate his privileges to those of the user running the Arduino Create Agent service via a crafted HTTP POST request. Further details are available in the references.

### Fixed Version

* `1.3.3`

### References

The issue was reported by Nozomi Networks Labs. Further details on the issue will soon be published and this advisory updated.
An issue in WIPOTEC GmbH ComScale v4.3.29.21344 and v4.4.12.723 allows unauthenticated attackers to log in as any user without a password.
WIPOTEC GmbH ComScale v4.3.29.21344 and v4.4.12.723 fail to validate user sessions, allowing unauthenticated attackers to read files from the underlying operating system and obtain directory listings.
### Impact

The vulnerability affects the endpoint `/v2/pkgs/tools/installed` and the way it handles plugin names supplied as user input. A user who has the ability to perform HTTP requests to the localhost interface, or is able to bypass the CORS configuration, can delete arbitrary files or folders belonging to the user that runs the Arduino Create Agent via a crafted HTTP DELETE request. Further details are available in the references.

### Fixed Version

* `1.3.3`

### References

The issue was reported by Nozomi Networks Labs. Further details on the issue will soon be published and this advisory updated.
The sophisticated APT employs various tactics to abuse Windows and other built-in protocols with both custom and public malware to take over victim systems.
Categories: Threat Intelligence. Tags: malvertising, keepass, punycode, malware, ads, google.

Threat actors are doubling down on brand impersonation by using lookalike domain names.

The post Clever malvertising attack uses Punycode to look like KeePass's official website appeared first on Malwarebytes Labs.
### Impact

The vulnerability affects the endpoint `/v2/pkgs/tools/installed`. A user who has the ability to perform HTTP requests to the localhost interface, or is able to bypass the CORS configuration, can escalate his privileges to those of the user running the Arduino Create Agent service via a crafted HTTP POST request. Further details are available in the references.

### Fixed Version

* `1.3.3`

### References

The issue was reported by Nozomi Networks Labs. Further details on the issue will soon be published and this advisory updated.