#sql

The threat actors are abusing the vulnerabilities to gain initial access, obtain credentials, and install malicious scripts on user devices.

### Impact This can not be exploited in a fresh install of PrestaShop, only shops made vulnerable by third party modules are concerned. For example, if your shop has a third party module vulnerable to SQL injections, then ps_contactinfo might execute a stored XSS in FO. ### Patches The long term fix is to have all your modules maintained and updated. The fix on ps_contactinfo will keep formatted addresses from displaying an xss stored in the database. ### Workarounds none ### References none

### Summary Content in filesystem is accessible for reading using `sniff_csv`, even with `enable_external_access=false`. ### Details During a pentest, a security researcher was able to access environment variable data and other system data by using the `sniff_csv` function, even though we set `enable_external_access` to false. ### PoC ```SQL SET enable_external_access=false; SET lock_configuration=true; SELECT Columns FROM sniff_csv('/proc/self/environ'); ``` ### Impact Provides an attacker with access to filesystem even when access is expected to be disabled and other similar functions do NOT provide access. For example `select * from read_csv('/proc/self/environ')` fails with a permission error. There seems to be two vectors to this vulnerability: 1. Access to files that should otherwise not be allowed. (We expect `Permission Error: Scanning CSV files is disabled through configuration` and not to provide any access to the file or even acknowledge that it exists). 2. The c...

### Summary Cross-site request forgery allows an unauthenticated attacker to hijack the authentication of a logged in user, and use the web API with the same permissions. ### Details Security attributes like HttpOnly and SameSite are missing from the session cookie, allowing its use from XHR requests and form submissions. The CodeChecker API endpoints only require the session cookie, they do not require a CSRF token, and missing HTTP headers allow the form submission to succeed (but not XHR). This means that the attacker needs to know the ID of products to edit or delete them, but it does not need knowledge to create new products with the SQLite backend. ### PoC With a superuser logged into CodeChecker. ```html <html><body> <form action="https://codechecker.example.com/v6.58/Products" method="POST" enctype="text/plain"> <input type="text" name='[1,"getProducts",1,1,{}]' value=''> </form> <script>document.forms[0].submit()</script> </body></html> ``` Or the same f...

An allocation of resources without limits or throttling in Elasticsearch can lead to an OutOfMemoryError exception resulting in a crash via a specially crafted query using an SQL function.

WriteFreely through 0.15.1, when MySQL is used, allows local users to discover credentials by reading config.ini.

# Affected versions: - Apache Linkis Metadata Query Service JDBC 1.5.0 before 1.7.0 # Description: In Apache Linkis <1.7.0, due to the lack of effective filtering of parameters, an attacker configuring malicious Mysql JDBC parameters in the DataSource Manager Module will allow the attacker to read arbitrary files from the Linkis server. Therefore, the parameters in the Mysql JDBC URL should be blacklisted. This attack requires the attacker to obtain an authorized account from Linkis before it can be carried out. Versions of Apache Linkis < 1.6.0 will be affected. We recommend users upgrade the version of Linkis to version 1.7.0.

New year, same story. Despite Ivanti's commitment to secure-by-design principles, threat actors — possibly the same ones as before — are exploiting its edge devices for the nth time.

Since 2019, MirrorFace has been stealing information from myriad Japanese organizations to gain leverage over Japan in the event of hostilities between the two countries, experts said.

**Vulnerability Summary** A type confusion vulnerability exists in Strawberry GraphQL's relay integration that affects multiple ORM integrations (Django, SQLAlchemy, Pydantic). The vulnerability occurs when multiple GraphQL types are mapped to the same underlying model while using the relay `node` interface. **Affected Components** - Strawberry GraphQL relay integration - Specifically impacts implementations using: - Django integration - SQLAlchemy integration - Pydantic integration **Technical Details** The vulnerability manifests when: 1. Multiple GraphQL types inherit from `relay.Node` 2. These types are mapped to the same database model 3. The global `node` field is used for type resolution Example of vulnerable code: ```python from fruits.models import Fruit import strawberry_django import strawberry @strawberry_django.type(Fruit) class FruitType(relay.Node): name: strawberry.auto @strawberry_django.type(Fruit) class SpecialFruitType(relay.Node): secret_name: ...