Security
Headlines
HeadlinesLatestCVEs

Latest News

GHSA-96g7-g7g9-jxw8: happy-dom allows for server side code to be executed by a <script> tag

Fixes security vulnerability that allowed for server side code to be executed by a <script> tag ### Impact Consumers of the NPM package `happy-dom` ### Patches The security vulnerability has been patched in v15.10.1 ### Workarounds No easy workarounds to my knowledge ### References [#1585](https://github.com/capricorn86/happy-dom/issues/1585)

ghsa
Open in Source
#vulnerability#web#nodejs#git#auth
GHSA-qq5c-677p-737q: Symfony vulnerable to command execution hijack on Windows with Process class

### Description On Window, when an executable file named `cmd.exe` is located in the current working directory it will be called by the `Process` class when preparing command arguments, leading to possible hijacking. ### Resolution The `Process` class now uses the absolute path to `cmd.exe`. The patch for this issue is available [here](https://github.com/symfony/symfony/commit/18ecd03eda3917fdf901a48e72518f911c64a1c9) for branch 5.4. ### Credits We would like to thank Jordi Boggiano for reporting the issue and Nicolas Grekas for providing the fix.

GHSA-mrqx-rp3w-jpjp: Symfony vulnerable to open redirect via browser-sanitized URLs

### Description The `Request` class, does not parse URI with special characters the same way browsers do. As a result, an attacker can trick a validator relying on the `Request` class to redirect users to another domain. ### Resolution The `Request::create` methods now assert the URI does not contain invalid characters as defined by https://url.spec.whatwg.org/ The patch for this issue is available [here](https://github.com/symfony/symfony/commit/5a9b08e5740af795854b1b639b7d45b9cbfe8819) for branch 5.4. ### Credits We would like to thank Sam Mush for reporting the issue and Nicolas Grekas for providing the fix.

GHSA-g3rh-rrhp-jhh9: Symfony has an incorrect response from Validator when input ends with `\n`

### Description It is possible to trick a `Validator` configured with a regular expression using the `$` metacharacters, with an input ending with `\n`. ### Resolution Symfony now uses the `D` regex modifier to match the entire input. The patch for this issue is available [here](https://github.com/symfony/symfony/commit/7d1032bbead9a4229b32fa6ebca32681c80cb76f) for branch 5.4. ### Credits We would like to thank Offscript for reporting the issue and Alexandre Daubois for providing the fix.

GHSA-9c3x-r3wp-mgxm: Symfony allows internal address and port enumeration by NoPrivateNetworkHttpClient

### Description When using the `NoPrivateNetworkHttpClient`, some internal information is still leaking during host resolution, which leads to possible IP/port enumeration. ### Resolution The `NoPrivateNetworkHttpClient` now filters blocked IPs earlier to prevent such leaks. The patch for this issue is available [here](https://github.com/symfony/symfony/commit/296d4b34a33b1a6ca5475c6040b3203622520f5b) for branch 5.4. ### Credits We would like to thank Linus Karlsson for reporting the issue and Nicolas Grekas for providing the fix.

GHSA-jxgr-3v7q-3w9v: Symfony's `Security::login` does not take into account custom `user_checker`

### Description The custom `user_checker` defined on a firewall is not called when Login Programmaticaly with the `Security::login` method, leading to unwanted login. ### Resolution The `Security::login` method now ensure to call the configured `user_checker`. The patch for this issue is available [here](https://github.com/symfony/symfony/commit/22a0789a0085c3ee96f4ef715ecad8255cf0e105) for branch 6.4. ### Credits We would like to thank Oleg Andreyev, Antoine MAKDESSI for reporting the issue and Christian Flothmann for providing the fix.

GHSA-x8vp-gf4q-mw5j: Symfony allows changing the environment through a query

### Description When the `register_argc_argv` php directive is set to `on` , and users call any URL with a special crafted query string, they are able to change the environment or debug mode used by the kernel when handling the request. ### Resolution The `SymfonyRuntime` now ignores the `argv` values for non-cli SAPIs PHP runtimes The patch for this issue is available [here](https://github.com/symfony/symfony/commit/a77b308c3f179ed7c8a8bc295f82b2d6ee3493fa) for branch 5.4. ### Credits We would like to thank Vladimir Dusheyko for reporting the issue and Wouter de Jong for providing the fix.

How to Outsmart Stealthy E-Crime and Nation-State Threats

In a time of increasingly sophisticated cross-domain attacks, relying solely on automated solutions isn't enough.

New Winos 4.0 Malware Infects Gamers Through Malicious Game Optimization Apps

Cybersecurity researchers are warning that a command-and-control (C&C) framework called Winos is being distributed within gaming-related applications like installation tools, speed boosters, and optimization utilities. "Winos 4.0 is an advanced malicious framework that offers comprehensive functionality, a stable architecture, and efficient control over numerous online endpoints to execute

8 security tips for small businesses

Small businesses have the same security problems as big corporations, but not the budget or staff to match. Here are some tips to help.