Security
Headlines
HeadlinesLatestCVEs

Tag

#windows

GHSA-v26r-4c9c-h3j6: gix-path uses local config across repos when it is the highest scope

### Summary `gix-path` executes `git` to find the path of a configuration file that belongs to the `git` installation itself, but mistakenly treats the local repository's configuration as system-wide if no higher scoped configuration is found. In rare cases, this causes a less trusted repository to be treated as more trusted, or leaks sensitive information from one repository to another, such as sending credentials to another repository's remote. ### Details In `gix_path::env`, the underlying implementation of the `installation_config` and `installation_config_prefix` functions calls `git config -l --show-origin` and parses the first line of the output to extract the path to the configuration file holding the configuration variable of highest [scope](https://git-scm.com/docs/git-config#SCOPES): https://github.com/Byron/gitoxide/blob/12251eb052df30105538fa831e641eea557f13d8/gix-path/src/env/git/mod.rs#L91 https://github.com/Byron/gitoxide/blob/12251eb052df30105538fa831e641eea557f13...

ghsa
Open in Source
#vulnerability#ios#mac#windows#apple#git#auth
Vivavis HIGH-LEIT 4 / 5 Privilege Escalation

Vivavis HIGH-LEIT versions 4 and 5 allow attackers to execute arbitrary code as local system on systems where the "HL-InstallService-hlxw" or "HL-InstallService-hlnt" Windows service is running. Authentication is necessary for successful exploitation. The execution of the exploit is trivial and might affect other systems if the applications folder is shared between multiple systems in which case the vulnerability can be used for lateral movement.

Webpay E-Commerce 1.0 SQL Injection

Webpay E-Commerce version 1.0 suffers from a remote SQL injection vulnerability.

Online Traffic Offense 1.0 Cross Site Request Forgery

Online Traffic Offense version 1.0 suffers from a cross site request forgery vulnerability.

Penglead 2.0 Cross Site Scripting

Penglead version 2.0 suffers from a cross site scripting vulnerability.

PPDB 2.4-update 6118-1 Cross Site Request Forgery

PPDB version 2.4-update 6118-1 suffers from a cross site request forgery vulnerability.

Online Travel Agency System 1.0 Arbitrary File Upload

Online Travel Agency System version 1.0 suffers from an arbitrary file upload vulnerability.

Hacktivists Exploits WinRAR Vulnerability in Attacks Against Russia and Belarus

A hacktivist group known as Head Mare has been linked to cyber attacks that exclusively target organizations located in Russia and Belarus. "Head Mare uses more up-to-date methods for obtaining initial access," Kaspersky said in a Monday analysis of the group's tactics and tools. "For instance, the attackers took advantage of the relatively recent CVE-2023-38831 vulnerability in WinRAR, which