#js

Roxy Fileman 1.4.6 allows Remote Code Execution via a .phar upload, because the default FORBIDDEN_UPLOADS value in conf.json only blocks .php, .php4, and .php5 files. (Visiting any .phar file invokes the PHP interpreter in some realistic web-server configurations.)

Microsoft's latest round of monthly security updates has been released with fixes for 68 vulnerabilities spanning its software portfolio, including patches for six actively exploited zero-days. 12 of the issues are rated Critical, two are rated High, and 55 are rated Important in severity. This also includes the weaknesses that were closed out by OpenSSL the previous week. Also separately

Octocat.js is a library used to render a set of options into an SVG. Versions prior to 1.2 are subject to JavaScript injection via user provided URLs. Users can include their own images for accessories via provided URLs. These URLs are not validated and can result in execution of injected code. This vulnerability was fixed in version 1.2 of octocat.js. As a workaround, writing an image to disk then using that image in an image element in HTML mitigates the risk.

Microsoft is releasing this security advisory to provide information about a vulnerability in .NET, .NET Core and .NET Framework's System.Data.SqlClient and Microsoft.Data.SqlClient NuGet Packages. A vulnerability exists in System.Data.SqlClient and Microsoft.Data.SqlClient libraries where a timeout occurring under high load can cause incorrect data to be returned as the result of an asynchronously executed query. ## <a name="mitigation-factors"></a>Mitigation factors If you are not talking to Microsoft SQL Server from your application you are not affected by this vulnerability. ### <a name="how-affected"></a>How do I know if I am affected? .NET has two types of dependencies: direct and transitive. Direct dependencies are dependencies where you specifically add a package to your project, transitive dependencies occur when you add a package to your project that in turn relies on another package. For example, the Microsoft.AspNetCore.Mvc package depends on the Microsoft.AspNetCore...

Long-awaited security fixes for ProxyNotShell and Mark of the Web bypasses are part of a glut of actively exploited zero-day vulnerabilities and other critical flaws that admins need to prioritize in the coming hours.

By Waqas It has been identified that these malicious packages are downloaded over 29 million times each day. This is a post from HackRead.com Read the original post: Python Developers Beware: Malicious Packages are Swapping Out Your Crypto Addresses

### Impact Users can include their own images for accessories via provided URLs. These URLs are not validated and can result in execution of injected code. ### Patches This vulnerability was fixed in version 1.2 of octocat.js ### Workarounds Directly exposing rendered images to a website can introduce the vulnerability to users. To avoid, writing an image to disk then using that image in an image element in HTML mitigates the risk. ### References To render the file correctly, see documentation at `readme.md` ### For more information If you have any questions or comments about this advisory: * Open an issue in [the octo.js repository](http://github.com/octocademy/octocat.js/issues)

An issue was discovered in Joomla! 4.0.0 through 4.2.4. Inadequate filtering of potentially malicious user input leads to reflected XSS vulnerabilities in com_media.

Nonce token leakage and missing authorization in SearchWP premium plugin <= 4.2.5 on WordPress leading to plugin settings change.

Cross-Site Request Forgery (CSRF) vulnerability in Advanced Dynamic Pricing for WooCommerce plugin <= 4.1.5 on WordPress leading to plugin settings import.