#perl

Ubuntu Security Notice 7053-1 - It was discovered that ImageMagick incorrectly handled certain malformed image files. If a user or automated system using ImageMagick were tricked into opening a specially crafted image, an attacker could exploit this to cause a denial of service or potentially leak sensitive information. These vulnerabilities included heap and stack-based buffer overflows, memory leaks, and improper handling of uninitialized values.

Ubuntu Security Notice 7054-1 - It was discovered that unzip did not properly handle unicode strings under certain circumstances. If a user were tricked into opening a specially crafted zip file, an attacker could possibly use this issue to cause unzip to crash, resulting in a denial of service, or possibly execute arbitrary code.

The building management system suffers from an authenticated arbitrary file disclosure vulnerability. Input passed through the 'file' GET parameter through the 'downloadDb.php' script is not properly verified before being used to download database files. This can be exploited to disclose the contents of arbitrary and sensitive files via directory traversal attacks.

### Summary A user with admin permission can read arbitrary file and directory names on the filesystem by calling the `admin/build-mobile-app/result?build_dir_name=` endpoint. The `build_dir_name` parameter is not properly validated and it's then used to construct the `buildDir` that is read. The file/directory names under the `buildDir` will be returned. ### Details - file: https://github.com/saltcorn/saltcorn/blob/v1.0.0-beta.13/packages/server/routes/admin.js#L2884-L2893 ```js router.get( "/build-mobile-app/result", isAdmin, error_catcher(async (req, res) => { const { build_dir_name } = req.query; // [1] source const rootFolder = await File.rootFolder(); const buildDir = path.join( rootFolder.location, "mobile_app", build_dir_name // [2] ); const files = await Promise.all( fs .readdirSync(buildDir) // [3] sink .map(async (outFile) => await File.from_file_on_disk(outFile, buildDir)) ); [...] }) ); ``` ...

### Summary A user with admin permission can read and download arbitrary zip files when downloading auto backups. The file name used to identify the zip file is not properly sanitized when passed to `res.download` API. ### Details - file: https://github.com/saltcorn/saltcorn/blob/v1.0.0-beta.13/packages/server/routes/admin.js#L671-L682 ```js router.get( "/auto-backup-download/:filename", isAdmin, error_catcher(async (req, res) => { const { filename } = req.params; // [1] source [...] if ( !isRoot || !(filename.startsWith(backup_file_prefix) && filename.endsWith(".zip")) // [2] ) { res.redirect("/admin/backup"); return; } const auto_backup_directory = getState().getConfig("auto_backup_directory"); res.download(path.join(auto_backup_directory, filename), filename); // [3] sink }) ); ``` ### Steps to reproduce (PoC) - create a file with `.zip` extension under `/tmp` folder: ``` echo "secret12345" > /tmp/secret.zip ``` - log...

For years, securing a company’s systems was synonymous with securing its “perimeter.” There was what was safe “inside” and the unsafe outside world. We built sturdy firewalls and deployed sophisticated detection systems, confident that keeping the barbarians outside the walls kept our data and systems safe. The problem is that we no longer operate within the confines of physical on-prem

dizqueTV version 1.5.3 suffers from a remote code execution vulnerability.

Portainer before 2.20.2 improperly uses an encryption algorithm in the `AesEncrypt` function.

The bug gives attackers a way to run arbitrary code on affected servers and take control of them.

A vulnerability exists in the bind-propagation option of the Dockerfile RUN --mount instruction. The system does not properly validate the input passed to this option, allowing users to pass arbitrary parameters to the mount instruction. This issue can be exploited to mount sensitive directories from the host into a container during the build process and, in some cases, modify the contents of those mounted files. Even if SELinux is used, this vulnerability can bypass its protection by allowing the source directory to be relabeled to give the container access to host files.