#microsoft

GHSA-7rq4-qcpw-74gq: Formula Injection in Exported Data

### Impact

Datasets exported to file (e.g. CSV / XLS) are not sufficiently sanitized to neutralize potential formula injection.

### Patches

- The issue is addressed in the upcoming 0.8.0 release
- This fix will also be back-ported to the 0.7.x branch, applied to the 0.7.2 release

### Workarounds

Users exporting untrusted data should open the files in safe mode (e.g. in Microsoft Excel).

### References

- https://huntr.dev/bounties/e57c36e7-fa39-435f-944a-3a52ee066f73/
- https://owasp.org/www-community/attacks/CSV_Injection

### For more information

If you have any questions or comments about this advisory:

* Open an issue in [github](http://github.com/inventree/inventree)
* Email us at [[email protected]](mailto:[email protected])

GHSA-x4mq-m75f-mx8m: Delegate functions are missing `Send` bound

Affected versions of this crate did not require event handlers to have a `Send` bound, despite there being no guarantee of them being called on any particular thread, which can potentially lead to data races and undefined behavior. The flaw was corrected in commit [afe3252](https://github.com/microsoft/windows-rs/commit/afe32525c22209aa8f632a0f4ad607863b51796a) by adding `Send` bounds.

GHSA-9rg7-3j4f-cf4x: QueryInterface should call AddRef before returning pointer

Affected versions of this crate, which is a required dependency of com-impl, provide a faulty implementation of the `IUnknown::QueryInterface` method. A `QueryInterface` implementation must call `IUnknown::AddRef` before returning the pointer, as described in this documentation: <https://docs.microsoft.com/en-us/windows/win32/api/unknwn/nf-unknwn-iunknown-queryinterface(refiid_void)> As it does not increment the refcount as expected, subsequent calls to the `IUnknown::Release` method will cause WMI to drop its reference to the interface, which can lead to an invalid reference. This is documented in <https://docs.microsoft.com/en-us/windows/win32/learnwin32/managing-the-lifetime-of-an-object#reference-counting> There is no simple workaround, as you can't know how many times `QueryInterface` will be called. The only quick fix is to use the macro-expanded version of the code and add the `AddRef` call to the `QueryInterface` method yourself. The issue was corrected in commit `9803f...

How Data Landlords Put Their Tenants at Risk

By Owais Sultan. Microsoft is a global leader in cloud storage and data protection. They prove that even the most respected… This is a post from HackRead.com.

CVE-2022-26173: JForum2 / Wiki / NewFeatures281

JForum v2.8.0 was discovered to contain a Cross-Site Request Forgery (CSRF) via http://target_host:port/jforum-2.8.0/jforum.page, which allows attackers to arbitrarily add admin accounts.

Internet Explorer Now Retired but Still an Attacker Target

Though the once-popular browser is officially now history as far as Microsoft support goes, adversaries won't stop attacking it, security experts say.

Microsoft 365 Function Leaves SharePoint, OneDrive Files Open to Ransomware Attacks

SharePoint and OneDrive libraries can be encrypted in ransomware attack, researchers say.

Threat Source newsletter (June 16, 2022) — Three top takeaways from Cisco Live

By Jon Munshaw. Welcome to this week’s edition of the Threat Source newsletter. I’m still decompressing from Cisco Live and the most human interaction I’ve had in a year and a half. But after spending a few days on the show floor and interacting with everyone, there are a...

RSAC Startup Competition Focuses on Post-Cloud IT Infrastructure

A secure Web browser takes the top prize, and for the second year in a row malware detection is an afterthought.

BlackCat Ransomware Gang Targeting Unpatched Microsoft Exchange Servers

Microsoft is warning that the BlackCat ransomware crew is leveraging exploits for unpatched Exchange server vulnerabilities to gain access to targeted networks. Upon gaining an entry point, the attackers swiftly moved to gather information about the compromised machines, followed by carrying out credential theft and lateral movement activities, before harvesting intellectual property and