Security
Headlines
HeadlinesLatestCVEs

Tag

#windows

GHSA-88g2-r9rw-g55h: gitoxide-core does not neutralize special characters for terminals

### Summary The `gix` and `ein` commands write pathnames and other metadata literally to terminals, even if they contain characters terminals treat specially, including ANSI escape sequences. This sometimes allows an untrusted repository to misrepresent its contents and to alter or concoct error messages. ### Details `gitoxide-core`, which provides most underlying functionality of the `gix` and `ein` commands, does not neutralize newlines, backspaces, or control characters—including those that form ANSI escape sequences—that appear in a repository's paths, author and committer names, commit messages, or other metadata. Such text may be written as part of the output of a command, as well as appearing in error messages when an operation fails. ANSI escape sequences are of particular concern because, when printed to a terminal, they can change colors, including to render subsequent text unreadable; reposition the cursor to write text in a different location, including where text has a...

ghsa
Open in Source
#windows#git#auth
Chinese Hackers Exploit Zero-Day Cisco Switch Flaw to Gain System Control

Details have emerged about a China-nexus threat group's exploitation of a recently disclosed, now-patched security flaw in Cisco switches as a zero-day to seize control of the appliance and evade detection. The activity, attributed to Velvet Ant, was observed early this year and involved the weaponization of CVE-2024-20399 (CVSS score: 6.0) to deliver bespoke malware and gain extensive control

DIAEnergie 1.10 SQL Injection

This Metasploit module exploit a remote SQL injection vulnerability in the CBEC service of DIAEnergie versions 1.10 and below from Delta Electronics. The commands will get executed in the context of NT AUTHORITY\SYSTEM.

SPIP 4.2.12 Remote Code Execution

This Metasploit module exploits a remote code execution vulnerability in SPIP versions up to and including 4.2.12. The vulnerability occurs in SPIP's templating system where it incorrectly handles user-supplied input, allowing an attacker to inject and execute arbitrary PHP code. This can be achieved by crafting a payload manipulating the templating data processed by the echappe_retour() function, invoking traitements_previsu_php_modeles_eval(), which contains an eval() call.

AVMS Project 1.0 SQL Injection

AVMS Project version 1.0 suffers from a remote SQL injection vulnerability that allows for authentication bypass.

Online Survey System 1.0 Cross Site Request Forgery

Online Survey System version 1.0 suffers from a cross site request forgery vulnerability.

Online Shopping System Master 1.0 Cross Site Request Forgery

Online Shopping System Master version 1.0 suffers from a cross site request forgery vulnerability.

Online Banking System 1.0 Arbitrary File Upload

Online Banking System version 1.0 suffers from an arbitrary file upload vulnerability.

Online ID Generator 1.0 Cross Site Request Forgery

Online ID Generator version 1.0 suffers from a cross site request forgery vulnerability.

Red Hat Security Advisory 2024-5749-03

Red Hat Security Advisory 2024-5749-03 - The components for Red Hat OpenShift for Windows Containers 10.16.1 are now available.