Latest News

### Summary When adding a "web link" to the HFS virtual filesystem, the frontend opens it with `target="_blank"` but without the `rel="noopener noreferrer"` attribute. This allows the opened page to use the `window.opener` property to change the location of the original HFS tab. ### Details While most modern browsers have fixes already implemented for this `target="_blank"` exploit at the browser level, users on outdated browsers remain vulnerable. This means that if an admin of the HFS instance adds a link to an external third-party service (that they believe is safe at the time) and that service they added later becomes compromised, the malicious page could replace the original HFS tab's content with a phishing page. This does not require the admin account itself to be compromised, only that a legitimate linked site turns malicious. ### Impact Affected users (people using old browsers without the browser level fix) could be misled into entering their HFS credentials or other sensit...

### Summary Litestar does not escape url paths when logging exceptions. This makes logger vulnerable to CRLF injection if logging level is configured to debug or `log_exceptions` is set to "always", which allows attackers to inject newlines and forge log entries. ### Details Litestar directly formats unquoted path into exception logs without validation or escaping when using default exception logging handler. https://github.com/litestar-org/litestar/blob/1e0dc7c4d67151c836208a3e360051e983b5083a/litestar/logging/config.py#L145-L150 Attackers can inject newlines in logs by embedding`%0d%0a` in url path. `log_exceptions="always"` is not enabled by default. However, it is set in the examples of documentation (https://github.com/litestar-org/litestar/blob/1e0dc7c4d67151c836208a3e360051e983b5083a/docs/usage/logging.rst#logging). User will be impacted if they directly copy the logging config from docs. ### PoC ``` curl "http://172.17.0.2:8000/%29%0D%0AINFO:%20%20%20%20%20127.0.0.1:819...

### Impact The `get_disjoint_mut` method in slab v0.4.10 incorrectly checked if indices were within the slab's capacity instead of its length, allowing access to uninitialized memory. This could lead to undefined behavior or potential crashes. ### Patches This has been fixed in slab v0.4.11. ### Workarounds Avoid using `get_disjoint_mut` with indices that might be beyond the slab's actual length, or upgrade to v0.4.11 or later. ### References - [https://github.com/tokio-rs/slab/pull/152](https://github.com/tokio-rs/slab/pull/152)

Mattermost Confluence Plugin versions < 1.5.0 fails to handle unexpected request bodies, allowing attackers to crash the plugin via constant hits to the update channel subscription endpoint with an invalid request body.

Mattermost Confluence Plugin versions < 1.5.0 fail to check user access to the channel, allowing attackers to get channel subscription details without proper access to the channel via API call to the GET autocomplete/GetChannelSubscriptions endpoint.

Mattermost Confluence Plugin versions < 1.5.0 fails to handle unexpected request bodies, allowing attackers to crash the plugin via constant hits to the server webhook endpoint with an invalid request body.

Mattermost Confluence Plugin versions < 1.5.0 fail to handle unexpected request bodies, allow\ing attackers to crash the plugin via constant hits to the server webhook endpoint with an invalid request body.

Mattermost Confluence Plugin versions < 1.5.0 fail to handle unexpected request bodies, allowing attackers to crash the plugin via constant hits to the create channel subscription endpoint with an invalid request body.

Mattermost Confluence Plugin versions < 1.5.0 fail to check user access to the channel, allowing attackers to create a channel subscription without proper access to the channel via an API call to the edit channel subscription endpoint.

Mattermost Confluence Plugin versions < 1.5.0 fail to check the access of the user to the channel which allows attackers to create channel subscription without proper access to the channel via API call to the create channel subscription endpoint.