#web

GeoServer is an open-source software server written in Java that provides the ability to view, edit, and share geospatial data. It is designed to be a flexible, efficient solution for distributing geospatial data from a variety of sources such as Geographic Information System (GIS) databases, web-based data, and personal datasets. In the GeoServer versions before 2.23.6, greater than or equal to 2.24.0, before 2.24.4 and greater than equal to 2.25.0, and before 2.25.1, multiple OGC request parameters allow remote code execution (RCE) by unauthenticated users through specially crafted input against a default GeoServer installation due to unsafely evaluating property names as XPath expressions. An attacker can abuse this by sending a POST request with a malicious xpath expression to execute arbitrary commands as root on the system.

Russian hacktivists claim DDoS attacks against basic tourist websites. Is it real, or just smoke and mirrors?

Red Hat Security Advisory 2024-4517-03 - An update for firefox is now available for Red Hat Enterprise Linux 8.

Red Hat Security Advisory 2024-4508-03 - An update for firefox is now available for Red Hat Enterprise Linux 7 Extended Lifecycle Support.

Red Hat Security Advisory 2024-4501-03 - An update for firefox is now available for Red Hat Enterprise Linux 9.0 Update Services for SAP Solutions.

Red Hat Security Advisory 2024-4500-03 - An update for firefox is now available for Red Hat Enterprise Linux 9.

### Summary The maintainer been contemplating whether FTP or other protocols could serve as useful functionalities, but there may not be a practical reason for it since we are utilizing headless Chrome to capture screenshots. The argument is based on the assumption that this package can function as a service. The package includes an `ALLOW_LIST` where the host can specify which services the user is permitted to capture screenshots of. By default, capturing screenshots of web services running on localhost, 127.0.0.1, or the [::] is allowed. The maintainer is of the opinion that the package should also have a blacklist due to a potential vulnerability (or rather design oversight). If someone hosts this on a server, users could then capture screenshots of other web services running locally. Unless this is strictly for web pages. Something similar here: https://github.com/follow-redirects/follow-redirects/issues/235 (localhost is intended for end users or hosts to deny, and the package...

### Summary The ProfileBasedRequestOptionsBuilder method returns allowedCredentials without any credentials if no username was found. ### Details When WebAuthn is used as the first or only authentication method, an attacker can enumerate usernames based on the absence of the `allowedCredentials` property in the assertion options response. This allows enumeration of valid or invalid usernames. #### Proposal how to resolve it: ``` return $this->publicKeyCredentialRequestOptionsFactory->create( $this->profile, count($allowedCredentials) <= 0 ? self::getRandomCredentials(): $allowedCredentials, $optionsRequest->userVerification, $extensions ); private static function getRandomCredentials(): array { $credentialSources = []; for ($i = 0; $i <= rand(0,1); $i++) { $credentialSources[] = new PublicKeyCredentialSource( random_bytes(32), "public-key", [], ...

The breach affects older customer information involved in purchases made from June 6, 2017, up until July 30, 2018.

At least a dozen organizations with domain names at domain registrar Squarespace saw their websites hijacked last week. Squarespace bought all assets of Google Domains a year ago, but many customers still haven't set up their new accounts. Experts say malicious hackers learned they could commandeer any migrated Squarespace accounts that hadn't yet been registered, merely by supplying an email address tied to an existing domain.