Security
Headlines
HeadlinesLatestCVEs

Latest News

CISA Urges Software Makers to Eliminate XSS Flaws

The latest Secure by Design alert from CISA outlines recommended actions security teams should implement to reduce the prevalence of cross-site scripting vulnerabilities in software.

DARKReading
#sql#xss#vulnerability#web#perl#auth
GHSA-qjxf-mc72-wjr2: Devise-Two-Factor Authentication Uses Insufficient Default OTP Shared Secret Length

### Summary Under the default configuration, Devise-Two-Factor versions >= 2.2.0 & < 6.0.0 generate TOTP shared secrets that are 120 bits instead of the 128-bit minimum defined by [RFC 4226](https://datatracker.ietf.org/doc/html/rfc4226). Using a shared secret shorter than the minimum to generate a multi-factor authentication code could make it easier for an attacker to guess the shared secret and generate valid TOTP codes. ### Remediation Devise-Two-Factor should be upgraded to version v6.0.0 as soon as possible. After upgrading, the length of shared secrets and TOTP URLs generated by the library will increase since the new shared secrets will be longer. If upgrading is not possible, you can override the default `otp_secret_length` attribute in the model when configuring `two_factor_authenticable` and set it to a value of at least 26 to ensure newly generated shared secrets are at least 128-bits long. After upgrading or implementing the workaround, applications using Devise-Two-Fac...

GHSA-5j94-f3mf-8685: @backstage/plugin-techdocs-backend vulnerable to circumvention of cross site scripting protection

### Impact An attacker with control of the contents of the TechDocs storage buckets is able to inject executable scripts in the TechDocs content that will be executed in the victim's browser when browsing documentation or navigating to an attacker provided link. ### Patches This has been fixed in the 1.10.13 release of the `@backstage/plugin-techdocs-backend` package. ### References If you have any questions or comments about this advisory: Open an issue in the [Backstage repository](https://github.com/backstage/backstage) Visit our Discord, linked to in [Backstage README](https://github.com/backstage/backstage)

GHSA-p72w-r6fv-6g5h: druid-pac4j, Apache Druid extension, has Padding Oracle vulnerability

Padding Oracle vulnerability in Apache Druid extension, druid-pac4j. This could allow an attacker to manipulate a pac4j session cookie. This issue affects Apache Druid versions 0.18.0 through 30.0.0. Since the druid-pac4j extension is optional and disabled by default, Druid installations not using the druid-pac4j extension are not affected by this vulnerability. While we are not aware of a way to meaningfully exploit this flaw, we nevertheless recommend upgrading to version 30.0.1 or higher which fixes the issue and ensuring you have a strong druid.auth.pac4j.cookiePassphrase as a precaution.

GHSA-998c-q8hh-h8gv: Concrete CMS stored XSS vulnerability in the "Top Navigator Bar" block

Concrete CMS versions 9.0.0 through 9.3.3 are affected by a stored XSS vulnerability in the "Top Navigator Bar" block. Since the "Top Navigator Bar" output was not sufficiently sanitized, a rogue administrator could add a malicious payload that could be executed when targeted users visited the home page. This does not affect versions below 9.0.0 since they do not have the Top Navigator Bar Block. Thanks, Chu Quoc Khanh for reporting.

GHSA-jh66-3545-vpm7: Apache Druid: Users can provide MySQL JDBC properties not on allow list

Apache Druid allows users with certain permissions to read data from other database systems using JDBC. This functionality allows trusted users to set up Druid lookups or run ingestion tasks. Druid also allows administrators to configure a list of allowed properties that users are able to provide for their JDBC connections. By default, this allowed properties list restricts users to TLS-related properties only. However, when configuration a MySQL JDBC connection, users can use a particularly-crafted JDBC connection string to provide properties that are not on this allow list. Users without the permission to configure JDBC connections are not able to exploit this vulnerability. CVE-2021-26919 describes a similar vulnerability which was partially addressed in Apache Druid 0.20.2. This issue is fixed in Apache Druid 30.0.1.

GHSA-39v3-f278-vj3g: @backstage/plugin-techdocs-backend storage bucket Directory Traversal vulnerability

### Impact When using the AWS S3 or GCS storage provider for TechDocs it is possible to access content in the entire storage bucket. This can leak contents of the bucket that are not intended to be accessible, as well as bypass permission checks in Backstage. ### Patches This has been fixed in the 1.10.13 release of the `@backstage/plugin-techdocs-backend` package. ### References If you have any questions or comments about this advisory: Open an issue in the [Backstage repository](https://github.com/backstage/backstage) Visit our Discord, linked to in [Backstage README](https://github.com/backstage/backstage)

GHSA-3x3f-jcp3-g22j: @backstage/plugin-catalog-backend Prototype Pollution vulnerability

### Impact A malicious actor with authenticated access to a Backstage instance with the catalog backend plugin installed is able to interrupt the service using a specially crafted query to the catalog API. ### Patches This has been fixed in the `1.26.0` release of the `@backstage/plugin-catalog-backend` package. ### References If you have any questions or comments about this advisory: Open an issue in the [Backstage repository](https://github.com/backstage/backstage) Visit our Discord, linked to in [Backstage README](https://github.com/backstage/backstage)

Zero-Click RCE Bug in macOS Calendar Exposes iCloud Data

A researcher bypassed the Calendar sandbox, Gatekeeper, and TCC in a chain attack that allowed for wanton theft of iCloud photos.

'Marko Polo' Creates Globe-Spanning Cybercrime Juggernaut

The Eastern European group is actively expanding its financial fraud activities, with its pipelines representing a veritable Silk Road for the transfer of cryptocurrency, and lucrative and exploitable data.