Security
Headlines
HeadlinesLatestCVEs

Latest News

GHSA-94g8-xv23-7656: Vaadin Flow Components possible file bypass via upload validation on the server-side

### Description When the Vaadin Upload's start listener is used to validate metadata about an incoming upload, it is possible to bypass the upload validation. Users of affected versions should apply the upgrade to a more recent Vaadin version.

ghsa
Open in Source
#vulnerability#web#auth
GHSA-9gfh-4fwj-w3rj: Vaadin Framework possible file bypass via upload validation on the server-side

### Description When the Vaadin Upload's start listener is used to validate metadata about an incoming upload, it is possible to bypass the upload validation. Users of affected versions should apply the upgrade to a more recent Vaadin version.

GHSA-cgrg-86m5-xm4w: Memos Vulnerable to Stored Cross-Site Scripting

Memos 0.22 is vulnerable to Stored Cross site scripting (XSS) vulnerabilities by the upload attachment and user avatar features. Memos does not verify the content type of the uploaded data and serve it back as is. An authenticated attacker can use this to elevate their privileges when the stored XSS is viewed by an admin.

GHSA-78j5-8vq7-jxv5: Memos Vulnerable to Path Traversal via the CreateResource Endpoint

When Memos 0.22 is configured to store objects locally, an attacker can create a file via the CreateResource endpoint containing a path traversal sequence in the name, allowing arbitrary file write on the server.

UltraViolet Expands AppSec Capabilities With Black Duck's Testing Business

The addition of Black Duck's application security testing offering to UltraViolet Cyber's portfolio helps security teams find and remediate issues earlier in the security lifecycle.

GHSA-vxmw-7h4f-hqxh: PyPI publish GitHub Action vulnerable to injectable expression expansions in action steps

### Summary `gh-action-pypi-publish` makes use of GitHub Actions expression expansions (i.e. `${{ ... }}`) in contexts that are potentially attacker controllable. Depending on the trigger used to invoke `gh-action-pypi-publish`, this may allow an attacker to execute arbitrary code within the context of a workflow step that invokes `gh-action-pypi-publish`. ### Details `gh-action-pypi-publish` contains a composite action step, `set-repo-and-ref`, that makes use of expression expansions: ```yaml - name: Set repo and ref from which to run Docker container action id: set-repo-and-ref run: | # Set repo and ref from which to run Docker container action # to handle cases in which `github.action_` context is not set # https://github.com/actions/runner/issues/2473 REF=${{ env.ACTION_REF || env.PR_REF || github.ref_name }} REPO=${{ env.ACTION_REPO || env.PR_REPO || github.repository }} REPO_ID=${{ env.PR_REPO_ID || github.repository_id }} e...

GHSA-377j-wj38-4728: Weblate has a long session expiry when verifying second factor

### Impact The verification of the second factor had too long a session expiry. The long session expiry could be used to circumvent rate limiting of the second factor. ### Patches This issue has been addressed in Weblate 5.13.1 via https://github.com/WeblateOrg/weblate/pull/16002. ### References Thanks to Nahid Hasan Limon for reporting this issue responsibly.

How Gray-Zone Hosting Companies Protect Data the US Wants Erased

The digital refuge: Abortion clinics, activist groups, and other organizations are turning to overseas hosting providers willing to keep their data — and their work — safe.

Roblox introduces age checks to use communication features

Roblox announced plans to roll out age estimation for using the communication features on the platform to help fight sexual predators.