Tag
#vulnerability
Red Hat Security Advisory 2024-8838-03 - An update for python3.11 is now available for Red Hat Enterprise Linux 8.
Red Hat Security Advisory 2024-8836-03 - An update for python3.12 is now available for Red Hat Enterprise Linux 8.
Red Hat Security Advisory 2024-8834-03 - An update for python-gevent is now available for Red Hat Enterprise Linux 8. Issues addressed include a privilege escalation vulnerability.
### Summary
XSS occurs on the Osmedeus web server when viewing results from the workflow, allowing commands to be executed on the server.
### Details
A workflow that contains the summary module generates reports in HTML and Markdown formats. The default report is based on the `general-template.md` template.
```
<p align="center">
<a href="https://www.osmedeus.org"><img alt="Osmedeus" src="https://raw.githubusercontent.com/osmedeus/assets/main/logo-transparent.png" height="140" /></a>
<br />
<br />
<strong>Execute Summary Generated by Osmedeus {{Version}} at <em>{{CurrentDay}}</em></strong>
<p align="center">
<a href="https://docs.osmedeus.org/"><img src="https://img.shields.io/badge/Documentation-0078D4?style=for-the-badge&logo=GitBook&logoColor=39ff14&labelColor=black&color=black"></a>
<a href="https://docs.osmedeus.org/donation/"><img src="https://img.shields.io/badge/Donation-0078D4?style=for-the-badge&logo=GitHub-Sponsors&logoColor=39ff14&labelColor=...
```
### Impact
OctoPrint versions up until and including 1.10.2 contain a vulnerability that allows an attacker that has gained temporary control over an authenticated victim's OctoPrint browser session to retrieve/recreate/delete the user's or - if the victim has admin permissions - the global API key without having to reauthenticate by re-entering the user account's password. An attacker could use a stolen API key to access OctoPrint through its API, or disrupt workflows depending on the API key they deleted.
### Patches
The vulnerability will be patched in version 1.10.3.
### Credits
This vulnerability was discovered and responsibly disclosed to OctoPrint by Jacopo Tediosi.
### Impact
OctoPrint versions up until and including 1.10.2 are vulnerable to reflected XSS through its Jinja2 template system, as this is not configured to enforce automatic escaping. This affects, among other places, the login dialog and the standalone application key confirmation dialog. An attacker who successfully talked a victim into clicking on a specially crafted link, or who successfully redirected a victim to it through a malicious third party app, could use this to retrieve or modify sensitive configuration settings, interrupt prints or otherwise interact with the OctoPrint instance in a malicious way.
### Patches
The above-mentioned specific vulnerabilities of the login dialog and the standalone application key confirmation dialog will be patched in the bugfix release 1.10.3 by individual escaping of the detected locations. A global change throughout all of OctoPrint's templating system with the upcoming 1.11.0 release will handle this further, switching to glob...
Government and industry want to jump-start the conversation around "human-centric cybersecurity" to boost the usability and effectiveness of security products and services.
The FBI has issued a warning that cybercriminals are taking over email accounts via stolen session cookies, whether or not someone has set up MFA.
A vulnerability was identified in a PHP script where an off-by-one error in array access could lead to undefined behavior and potential DoS. The issue arises in a loop that iterates over an array using a <= condition, allowing access to an out-of-bounds index. This can trigger errors or unexpected behavior when processing data, potentially crashing the application. Successful exploitation of this vulnerability can lead to a crash or disruption of service, especially if the script handles large data sets.
Episode #4: NIST's new post-quantum cryptography standards are here, so what comes next? This episode of Dark Reading Confidential digs into the world of quantum computing from a cybersecurity practitioner's point of view — with guests Matthew McFadden, vice president, Cyber, General Dynamics Information Technology (GDIT) and Thomas Scanlon, professor, Heinz College, Carnegie Mellon University.