#js

BioTime versions 8.5.5 and 9.0.1 suffer from directory traversal and file write vulnerabilities. This exploit also achieves remote code execution on version 8.5.5.

Red Hat Security Advisory 2024-1576-03 - An update for the ruby:3.1 module is now available for Red Hat Enterprise Linux 9. Issues addressed include HTTP response splitting and denial of service vulnerabilities.

### Impact A random segment of ~1-10kb of Node.js heap memory allocated either side of a known buffer will be leaked into the final executable. This memory _could_ contain sensitive information such as environment variables, secrets files, etc. ### Patches This issue is patched in 18.3.1 ### Workarounds No workarounds, please update to a patched version of `@electron/packager` immediately if impacated.

### Impact A user can reuse an expired session by controlling the `x-workos-session` header. ### Patches Patched in https://github.com/workos/authkit-nextjs/releases/tag/v0.4.2

### Summary The permission `view_other_timesheet` performs differently for the Kimai UI and the API, thus returning unexpected data through the API. ### Details When setting the `view_other_timesheet` permission to true, on the frontend, users can only see timesheet entries for teams they are a part of. When requesting all timesheets from the API, however, all timesheet entries are returned, regardless of whether the user shares team permissions or not. Example: There are projects P1 and P2, Teams T1 and T2, users U1 and U2 and Timesheet entries E1 and E2. U1 is team leader of team T1 and has access to P1. U2 is in Team T2 and has access to both P1 and P2. U2 creates E1 for P1 and E2 for P2. In the UI, U1 with `view _other_timesheet` perms sees E1 as he is a part of T1 that has access to P1. In the API, however, he has access to E1 **and E2**. Additionally, if U1 is not a team leader T1, he does not see any timesheet from a user other than himself in the UI, but still all timesheets...

### Impact When the following conditions are met: - Automated CSP headers generation for SSR content is enabled - The web application serves content that can be partially controlled by external users Then it is possible that the CSP headers generation feature might be "allow-listing" malicious injected resources like inlined JS, or references to external malicious scripts. ### Patches Available in version 1.3.0 . ### Workarounds - Do not enable CSP headers generation. - Use it only for dynamically generated content that cannot be controlled by external users in any way. ### References _Are there any links users can visit to find out more?_

Debian Linux Security Advisory 5648-1 - Security issues were discovered in Chromium, which could result in the execution of arbitrary code, denial of service or information disclosure.

Red Hat Security Advisory 2024-1570-03 - Updated images are now available for Red Hat Advanced Cluster Security. Issues addressed include a denial of service vulnerability.

By Uzair Amir Building on Plasma Next would make the DEX as convenient as CEX for trading with low fees, slippage, and waiting period. This is a post from HackRead.com Read the original post: IdeaSoft To Launch an Innovative Perpetual DEX on INTMAX’s Open-source L2 Plasma Next

How experts uncovered a years-long SolarMarker attack on a K-12 district