#web

### Impact The Fides webserver API allows users to retrieve its configuration using the `GET api/v1/config` endpoint. The configuration data is filtered to suppress most sensitive configuration information before it is returned to the user, but even the filtered data contains information about the internals and the backend infrastructure, such as various settings, servers’ addresses and ports and database username. This information is useful for administrative users as well as attackers, thus it should not be revealed to low-privileged users. This vulnerability allows Admin UI users with roles lower than the owner role e.g. the viewer role to retrieve the config information using the API. ### Patches The vulnerability has been patched in Fides version `2.22.1`. Users are advised to upgrade to this version or later to secure their systems against this threat. ### Workarounds There are no workarounds.

### Impact The Fides web application allows a custom integration to be uploaded as a ZIP file containing configuration and dataset definitions in YAML format. It was discovered that specially crafted YAML dataset and config files allow a malicious user to perform arbitrary requests to internal systems and exfiltrate data outside the environment (also known as a Server-Side Request Forgery). The application does not perform proper validation to block attempts to connect to internal (including localhost) resources. Exploitation is limited to API clients with the `CONNECTOR_TEMPLATE_REGISTER` authorization scope. In the Fides Admin UI this scope is restricted to highly privileged users, specifically root users and users with the owner role. ### Patches The vulnerability has been patched in Fides version `2.22.1`. Users are advised to upgrade to this version or later to secure their systems against this threat. ### Workarounds There are no workarounds.

### Impact The length of URIs and the various parts (eg path segments, query parameters) is usually limited by the webserver processing the incoming request. In the case of Puma the defaults are : - path segment length: 8192 - Max URI length: 1024 * 12 - Max query length: 1024 * 10 See https://github.com/puma/puma/blob/master/docs/compile_options.md If too long Puma raises: > Puma caught this error: HTTP element REQUEST_PATH is longer than the (8192) allowed length (was 12503) (Puma::HttpParserError) However due to the performance of `hashids` extremely long encoded IDs will consume a large amount of CPU and allocate a huge number of intermediate objects. For example: ``` curl -vvv https://localhost.ssl:3000//dos?id=abcd-aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa...

### Impact Parse Server crashes when uploading a file without extension. ### Patches A permanent fix has been implemented to prevent the server from crashing. ### Workarounds There are no known workarounds. ### References - GitHub security advisory: https://github.com/parse-community/parse-server/security/advisories/GHSA-792q-q67h-w579 - Patched in Parse Server 6: https://github.com/parse-community/parse-server/releases/tag/6.3.1 - Patched in Parse Server 5 (LTS): https://github.com/parse-community/parse-server/releases/tag/5.5.6

Categories: News Tags: 1Password Tags: Okta Tags: HAR file Tags: session Password manager 1Password says it’s been affected by a breach at Okta, but it reports no user data has been stolen. (Read more...) The post 1Password reports security incident after breach at Okta appeared first on Malwarebytes Labs.

Cross Site Scripting (XSS) vulnerability in Geeklog-Core geeklog v.2.2.2 allows a remote attacker to execute arbitrary code via a crafted payload to the Service, and website URL to Ping parameters of the admin/trackback.php component.

By Owais Sultan Incident management software is crucial for efficiently handling and resolving unexpected incidents and disruptions, ensuring minimal downtime and… This is a post from HackRead.com Read the original post: What Is Incident Management Software?

Cross Site Scripting vulnerability in CMSmadesimple v.2.2.18 allows a local attacker to execute arbitrary code via a crafted script to the Title parameter in the News Menu component.

kodbox 1.44 is vulnerable to Cross Site Scripting (XSS). Customizing global HTML results in storing XSS.

Multiple Cross Site Scripting (XSS) vulnerabilities in Concrete CMS v.9.2.1 allow an attacker to execute arbitrary code via a crafted script to the Header and Footer Tracking Codes of the SEO & Statistics.