#perl

Cybersecurity researchers have disclosed a critical security flaw in the LiteSpeed Cache plugin for WordPress that could permit unauthenticated users to gain administrator privileges. "The plugin suffers from an unauthenticated privilege escalation vulnerability which allows any unauthenticated visitor to gain Administrator level access after which malicious plugins could be uploaded and

The [Datatables view plugin](https://docs.ckan.org/en/2.10/maintaining/data-viewer.html#datatables-view) did not properly escape record data coming from the DataStore, leading to a potential XSS vector. ### Impact Sites running CKAN >= 2.7.0 with the `datatables_view` plugin activated. This is a plugin included in CKAN core, that not activated by default but it is widely used to preview tabular data. ### Patches This vulnerability has been fixed in CKAN 2.10.5 and 2.11.0 ### Workarounds Prevent importing of tabular files to the DataStore via DataPusher, XLoader,etc, at least those published from untrusted sources.

Ubuntu Security Notice 6966-2 - USN-6966-1 fixed vulnerabilities in Firefox. The update introduced several minor regressions. This update fixes the problem. Multiple security issues were discovered in Firefox. If a user were tricked into opening a specially crafted website, an attacker could potentially exploit these to cause a denial of service, obtain sensitive information across domains, or execute arbitrary code. It was discovered that Firefox did not properly manage certain memory operations when processing graphics shared memory. An attacker could potentially exploit this issue to escape the sandbox. Nan Wang discovered that Firefox did not properly handle type check in WebAssembly. An attacker could potentially exploit this issue to execute arbitrary code. Irvan Kurniawan discovered that Firefox did not properly check an attribute value in the editor component, leading to an out-of-bounds read vulnerability. An attacker could possibly use this issue to cause a denial of service ...

Cisco Talos has uncovered a new remote access trojan (RAT) family we are calling “MoonPeak.” This a XenoRAT-based malware, which is under active development by a North Korean nexus cluster we are calling “UAT-5394.”

Ubuntu Security Notice 6969-1 - It was discovered that Cacti did not properly apply checks to the "Package Import" feature. An attacker could possibly use this issue to perform arbitrary code execution. This issue only affected Ubuntu 24.04 LTS, Ubuntu 22.04 LTS, Ubuntu 20.04 LTS and Ubuntu 18.04 LTS. It was discovered that Cacti did not properly sanitize values when using javascript based API. A remote attacker could possibly use this issue to inject arbitrary javascript code resulting into cross-site scripting vulnerability. This issue only affected Ubuntu 24.04 LTS.

Ubuntu Security Notice 6967-1 - It was discovered that some Intel® Core™ Ultra Processors did not properly isolate the stream cache. A local authenticated user could potentially use this to escalate their privileges. It was discovered that some Intel® Processors did not properly isolate the stream cache. A local authenticated user could potentially use this to escalate their privileges. It was discovered that some Intel® Processors did not correctly transition between the executive monitor and SMI transfer monitor. A privileged local attacker could use this to escalate their privileges.

The Texas Attorney General is suing GM for selling driving data to third parties where they would end up in the hands of insurance companies.

### Summary Upon reviewing the MobSF source code, I identified a flaw in the Static Libraries analysis section. Specifically, during the extraction of .a extension files, the measure intended to prevent Zip Slip attacks is improperly implemented. Since the implemented measure can be bypassed, the vulnerability allows an attacker to extract files to any desired location within the server running MobSF. ### Details Upon examining lines 183-192 of the `mobsf/StaticAnalyzer/views/common/shared_func.py` file, it is observed that there is a mitigation against Zip Slip attacks implemented as `a.decode('utf-8', 'ignore').replace('../', '').replace('..\\', '')`. However, this measure can be bypassed using sequences like `....//....//....//`. Since the replace operation is not recursive, this sequence is transformed into `../../../` after the replace operation, allowing files to be written to upper directories. <img width="448" alt="image" src="https://github.com/user-attachments/assets/fadf...

Ubuntu Security Notice 6966-1 - Multiple security issues were discovered in Firefox. If a user were tricked into opening a specially crafted website, an attacker could potentially exploit these to cause a denial of service, obtain sensitive information across domains, or execute arbitrary code. It was discovered that Firefox did not properly manage certain memory operations when processing graphics shared memory. An attacker could potentially exploit this issue to escape the sandbox.

Jobs Finder System version 1.0 suffers from a remote SQL injection vulnerability.