Security
Headlines
HeadlinesLatestCVEs

Tag

#git

Wiz-Securonix Partnership Promises Unified Threat Detection

The collaboration focuses on helping security teams detect and address cloud threats more effectively.

DARKReading
#vulnerability#git#auth
Ex-Cybersecurity Adviser to Bush, Obama Weighs in On Current Admin

Melissa Hathaway, a former White House cybersecurity adviser, says Biden is pushing through more regulatory reforms than previous administrations.

GHSA-rvx8-p3xp-fj3p: October CMS stored XSS by authenticated backend user with improper configuration

### Impact A user with access to the media manager that stores SVG files could create a stored XSS attack against themselves and any other user with access to the media manager when SVG files are supported. SVG files are supported by default in v3 for convenience; however, this has resulted in multiple mistaken vulnerability reports from security researchers. As per the documentation, if a backend user is not trusted, the advice is to remove the `svg` extension from the list of supported file types. ### Patches The issue has been patched in v3.5.2 by including an SVG sanister. It is enabled by default for new installations but must be enabled for existing sites in the **config/media.php** file. ``` 'clean_vectors' => true, ``` ### Workarounds If you cannot upgrade for this patch, follow the pervious advice and remove `svg` from the supported file types. ### References - https://github.com/octobercms/october/blob/3.x/config/media.php Credits to: - Faris Krivic - Okan Kurtulus ...

GHSA-gxhx-g4fq-49hj: CarrierWave Content-Type allowlist bypass vulnerability, possibly leading to XSS

### Impact [CarrierWave::Uploader::ContentTypeAllowlist](https://github.com/carrierwaveuploader/carrierwave/blob/master/lib/carrierwave/uploader/content_type_allowlist.rb) has a Content-Type allowlist bypass vulnerability, possibly leading to XSS. The validation in `allowlisted_content_type?` determines Content-Type permissions by performing a partial match. If the `content_type` argument of `allowlisted_content_type?` is passed a value crafted by the attacker, Content-Types not included in the `content_type_allowlist` will be allowed. In addition, by setting the Content-Type configured by the attacker at the time of file delivery, it is possible to cause XSS on the user's browser when the uploaded file is opened. ### Patches Upgrade to [3.0.5](https://rubygems.org/gems/carrierwave/versions/3.0.5) or [2.2.5](https://rubygems.org/gems/carrierwave/versions/2.2.5). ### Workarounds When validating with `allowlisted_content_type?` in [CarrierWave::Uploader::ContentTypeAllowlist](https:...

GHSA-p8q3-h652-65vx: October CMS safe mode bypass using Twig sandbox escape

### Impact An authenticated backend user with the `editor.cms_pages`, `editor.cms_layouts`, or `editor.cms_partials` permissions who would normally not be permitted to provide PHP code to be executed by the CMS due to `cms.safe_mode` being enabled can write specific Twig code to escape the Twig sandbox and execute arbitrary PHP. This is not a problem for anyone who trusts their users with those permissions to usually write and manage PHP within the CMS by not having `cms.safe_mode` enabled. Still, it would be a problem for anyone relying on `cms.safe_mode` to ensure that users with those permissions in production do not have access to write and execute arbitrary PHP. ### Patches This issue has been patched in v3.4.15. ### Workarounds As a workaround, remove the specified permissions from untrusted users. ### References Credits to: - [Vasiliy Bodrov](https://github.com/whatev3n) ### For more information If you have any questions or comments about this advisory: * Email us at [h...

GHSA-q22j-5r3g-9hmh: October CMS safe mode bypass using Page template injection

### Impact An authenticated backend user with the `editor.cms_pages`, `editor.cms_layouts`, or `editor.cms_partials` permissions who would normally not be permitted to provide PHP code to be executed by the CMS due to `cms.safe_mode` being enabled can craft a special request to include PHP code in the CMS template. This is not a problem for anyone who trusts their users with those permissions to usually write & manage PHP within the CMS by not having `cms.safe_mode` enabled. Still, it would be a problem for anyone relying on `cms.safe_mode` to ensure that users with those permissions in production do not have access to write and execute arbitrary PHP. ### Patches This issue has been patched in v3.4.15. ### Workarounds As a workaround, remove the specified permissions from untrusted users. ### References Credits to: - [Vasiliy Bodrov](https://github.com/whatev3n) ### For more information If you have any questions or comments about this advisory: * Email us at [hello@octobercms....

GHSA-8hc5-rmgf-qx6p: Keycloak vulnerable to LDAP Injection on UsernameForm Login

A flaw was found in the Keycloak package. This flaw allows an attacker to benefit from an LDAP query and access existing usernames in the server.

GHSA-2wmj-46rj-qm2w: ZITADEL Account Takeover via Malicious Host Header Injection

### Impact ZITADEL uses the notification triggering requests Forwarded or X-Forwarded-Host header to build the button link sent in emails for confirming a password reset with the emailed code. If this header is overwritten and a user clicks the link to a malicious site in the email, the secret code can be retrieved and used to reset the users password and take over his account. Accounts with MFA or Passwordless enabled can not be taken over by this attack. ### Patches The patched ZITADEL versions verify, that the auth requests instance is retrieved by the requests original domain (from the Forwarded or X-Forwarded-Host headers if available). If the instance can't be found using the original host or the auth request can't be found within that instance, ZITADEL throws an error. 2.x versions are fixed on >= [2.41.6](https://github.com/zitadel/zitadel/releases/tag/v2.41.6) 2.40.x versions are fixed on >= [2.40.10](https://github.com/zitadel/zitadel/releases/tag/v2.40.10) 2.39.x versio...

CVE-2023-49082: ClientSession is vulnerable to CRLF injection via method

aiohttp is an asynchronous HTTP client/server framework for asyncio and Python. Improper validation makes it possible for an attacker to modify the HTTP request (e.g. insert a new header) or even create a new HTTP request if the attacker controls the HTTP method. The vulnerability occurs only if the attacker can control the HTTP method (GET, POST etc.) of the request. If the attacker can control the HTTP version of the request it will be able to modify the request (request smuggling). This issue has been patched in version 3.9.0.