Latest News
### Summary Arbitrary themes can be loaded through query parameters. If an installed theme had a vulnerability, even if it was not used on any page, this could be loaded on unsuspecting clients without knowledge of the site owner. ### Details Many people who run DNN sites have a number of installed themes that they do not actually use. This could be because they were testing many themes during initial setup, because they have changed themes over time, or because they have development and production versions of a theme. Whatever the reason, many times the unused themes will become outdated over time as site admins wouldn't have reason to update something that is not used. However, this could introduce an entry point to exploit a vulnerable theme by making the server run the unused theme for unsuspecting client requests. Depending on the vulnerability in a theme, this could lead to server side or client side arbitrary code execution. With DNN 10.1.0 this functionality is now disabled by...
### Summary The lack of sanitization of URLs protocols in the `createLink.openLink` function enables the execution of arbitrary JavaScript code within the context of the parent page. ### Details https://github.com/FrontFin/mesh-web-sdk/blob/cf013b85ab95d64c63cbe46d6cb14695474924e7/packages/link/src/Link.ts#L441 The `createLink.openLink` function takes base64 encoded links, decodes them, and then sets the resulting string as the `src` attribute of an `iframe`. It’s important to note that the protocol part is not validated, so a payload, which is a valid URL, such as `javascript:alert(document.domain)//`, can be provided to the function. ### PoC 1. Extract [poc-mesh-web-sdk.zip](https://github.com/user-attachments/files/22223079/poc-mesh-web-sdk.zip) 2. Run `yarn install` and then `yarn start` 3. Paste this payload inside the input box: `amF2YXNjcmlwdDphbGVydCh3aW5kb3cucGFyZW50LmRvY3VtZW50LmJvZHkuZ2V0RWxlbWVudHNCeVRhZ05hbWUoImgyIikuaXRlbSgwKVsiaW5uZXJIVE1MIl0pLy8=` 4. Click on the _Ope...
"Nimbus Manticore" is back at it, this time with improved variants of its flagship malware and targets that are outside its usual focus area.
Threat actors are using a large-scale SEO poisoning campaign and fake GitHub repositories to deliver Atomic infostealers to Mac users.
Stored cross-site scripting (XSS) vulnerability in the notifications widget in Liferay Portal 7.4.0 through 7.4.3.112, and Liferay DXP 2023.Q4.0 through 2023.Q4.8, 2023.Q3.1 through 2023.Q3.10, and 7.4 GA through update 92 allows remote attackers to inject arbitrary web script or HTML via a crafted payload injected into a publication’s “Name” text field.
A deserialization vulnerability exists in h2oai/h2o-3 versions <= 3.46.0.7, allowing attackers to read arbitrary system files and execute arbitrary code. The vulnerability arises from improper handling of JDBC connection parameters, which can be exploited by bypassing regular expression checks and using double URL encoding. This issue impacts all users of the affected versions.
### Summary CodeChecker versions up to 6.26.1 contain a buffer overflow vulnerability in the internal `ldlogger` library, which is executed by the `CodeChecker log` command. ### Details Unsafe usage of `strcpy()` function in the internal `ldlogger` library allows attackers to trigger a buffer overflow by supplying crafted inputs from the command line. Specifically, the destination buffer is stack-allocated with a fixed size of 4096 bytes, while `strcpy()` is called without any length checks, enabling an attacker to overrun the buffer. ### PoC Example script is included below to illustrate how this vulnerability can be exploited. ```bash #!/bin/bash export CC_LOGGER_DEF_DIRS=1; payload=''; for i in $(seq 1 4090); do payload+='A'; done CodeChecker log -b "/very/long/path/to/$payload/gcc a.c" -o compilation.json ``` ### Impact Any environment where the vulnerable `CodeChecker log` command is executed with untrusted user input is affected by this vulnerability.
### Impact An HTML injection vulnerability in plaintext e-mails generated by Mailgen has been discovered. Your project is affected if you make use of the `Mailgen.generatePlaintext(email);` method and pass in user-generated content. The issue has been discovered and reported by Edoardo Ottavianelli (@edoardottt). ### Patches The vulnerability has been patched in commit https://github.com/eladnava/mailgen/commit/741a0190ddae0f408b22ae3b5f0f4c3f5cf4f11d and released to `npm` in version `2.0.30`. ### Workarounds Strip all HTML tags yourself before passing any content into `Mailgen.generatePlaintext(email);`. Thanks to Edoardo Ottavianelli (@edoardottt) for discovering and reporting this vulnerability.
## Background on the vulnerability This vulnerability manifests with the library's primary exported API: `gitCommiters(options, callback)` which allows specifying options such as `cwd` for current working directory and `revisionRange` as a revision pointer, such as `HEAD`. However, the library does not sanitize for user input or practice secure process execution API to separate commands from their arguments and as such, uncontrolled user input is concatenated into command execution. ## Exploit 1. Install `git-commiters@0.1.1` or earlier 2. Initiaizlie a new Git directory with commits in it 3. Create the following script in that directory: ```js var gitCommiters = require("git-commiters"); var options = { cwd: "./", revisionRange: "HEAD; touch /tmp/pwn; #", }; gitCommiters(options, function (err, result) { if (err) console.log(err); else console.log(result); }); ``` 3. Observe new file created on disk at `/tmp/pwn` The git commiters functionality works as expected, too, ...
## Background on exploitation This vulnerability manifests with the library's `getTags()` API, which allows specifying extra parameters passed to the `git log` command. In another API by this library - `getRawCommits()` there are secure practices taken to ensure that the extra parameter `path` is unable to inject an argument by ending the `git log` command with the special shell syntax `--`. However, the library does not follow the same practice for `getTags()` not attempts to sanitize for user input, validate the given params, or restrcit them to an allow list. Nor does it properly pass command-line flags to the `git` binary using the double-dash POSIX characters (`--`) to communicate the end of options. Thus, allowing users to exploit an argument injection vulnerability in Git due to the `--output=` command-line option that results with overwriting arbitrary files. ## Exploit 1. Install `@conventional-changelog/git-client@1.0.1` or earlier 2. Prepare a Git directory to be used as...