#web

Multiple vector store integrations in run-llama/llama_index version v0.12.21 have SQL injection vulnerabilities. These vulnerabilities allow an attacker to read and write data using SQL, potentially leading to unauthorized access to data of other users depending on the usage of the llama-index library in a web application.

### Summary There is a denial of service vulnerability in the Content-Disposition parsing component of Rack. This is very similar to the previous security issue CVE-2022-44571. ### Details Carefully crafted input can cause Content-Disposition header parsing in Rack to take an unexpected amount of time, possibly resulting in a denial of service attack vector. This header is used typically used in multipart parsing. Any applications that parse multipart posts using Rack (virtually all Rails applications) are impacted. ### Credits Thanks to [scyoon](https://hackerone.com/scyoon) for reporting this to the Rails security team

### Impact A vulnerability in Multer versions >=1.4.4-lts.1, <2.0.1 allows an attacker to trigger a Denial of Service (DoS) by sending an upload file request with an empty string field name. This request causes an unhandled exception, leading to a crash of the process. ### Patches Users should upgrade to `2.0.1` ### Workarounds None ### References https://github.com/expressjs/multer/commit/35a3272b611945155e046dd5cef11088587635e9 https://github.com/expressjs/multer/issues/1233 https://github.com/expressjs/multer/pull/1256

### Summary An **unauthenticated information disclosure vulnerability** exists in the PSU deployment of HAX CMS via the `haxPsuUsage` API endpoint. This allows **any remote unauthenticated user** to retrieve a full list of PSU websites hosted on HAX CMS. When chained with other authorization issues (e.g., HAX-3), this could assist in targeted attacks such as unauthorized content modification or deletion. --- ### Details The endpoint [`https://open-apis.hax.cloud/api/services/stats/haxPsuUsage`](https://open-apis.hax.cloud/api/services/stats/haxPsuUsage) returns a list of websites on the PSU instance of HAX CMS. This endpoint is exposed without any authentication or authorization checks. The source of the issue is in the `haxPsuUsage.js` file, which appears to directly serve the site listing without verifying user identity or access level. This enables anyone with the endpoint URL to enumerate all site instances under the PSU deployment. This endpoint may have originally been used f...

When verifying signatures with X509 certificate validation turned off and HMAC shared secret set (`signxml.XMLVerifier.verify(require_x509=False, hmac_key=...`), prior versions of SignXML are vulnerable to a potential timing attack. The verifier may leak information about the correct HMAC when comparing it with the user supplied hash, allowing users to reconstruct the correct HMAC for any data.

A buffer overflow vulnerability exists in the mstp.ko kernel module, responsible for processing BACnet MS/TP frames over serial (RS485). The SendFrame() function writes directly into a statically sized kernel buffer (alloc_entry(0x1f5)) without validating the length of attacker-controlled data (param_5). If an MS/TP frame contains a crafted payload exceeding 492 bytes, the function performs out-of-bounds writes beyond the allocated 501-byte buffer, corrupting kernel memory. This flaw allows local or physically connected attackers to trigger denial-of-service or achieve remote code execution in kernel space. Tested against version 3.08.03 with a custom BACnet frame over /dev/ttyS0.

After three years of peddling stolen data, BidenCash, one of the web's most brazen cybercrime hubs is offline, and authorities say they're just getting started.

A requirement that ICE agents ensure courthouse arrests don’t clash with state and local laws has been rescinded by the agency. ICE declined to explain what that means for future enforcement.

## Summary It is possible to bypass Deno's read/write permission checks by using `ATTACH DATABASE` statement. ## PoC ```js // poc.js import { DatabaseSync } from "node:sqlite" const db = new DatabaseSync(":memory:"); db.exec("ATTACH DATABASE 'test.db' as test;"); db.exec("CREATE TABLE test.test (id INTEGER PRIMARY KEY, name TEXT);"); ``` ``` $ deno poc.js ```

### Summary `deno run --allow-read --deny-read main.ts` results in allowed, even though 'deny' should be stronger. Same with all global unary permissions given as `--allow-* --deny-*`. ### Details Caused by the fast exit logic in #22894. ### PoC Run the above command expecting no permissions to be passed. ### Impact This only affects a nonsensical combination of flags, so there shouldn't be a real impact on the userbase.