Latest News

The sustained cyberattack, likely made worse by a mitigation snafu, disrupted several Azure cloud services for nearly eight hours on July 30.

Two US senators accuse carmakers of deceptive language and shifty practices in sharing and resale of driver data.

### Impact Haystack clients that let their users create and run Pipelines from scratch are vulnerable to remote code executions. Certain Components in Haystack use Jinja2 templates, if anyone can create and render that template on the client machine they run any code. ### Patches The problem has been fixed with PRs deepset-ai/haystack#8095 and deepset-ai/haystack#8096. Both have been released with Haystack `2.3.1`. ### Workarounds Prevent users from running the affected Components, or only let users use preselected templates. ### References The list of impacted Components can be found in the release notes for `2.3.1`. https://github.com/deepset-ai/haystack/releases/tag/v2.3.1

### Impact Tokens with third-party blocks containing trusted annotations generated through a third party block request. Due to implementation issues in biscuit-java, third party block support in published versions is inoperating. Nevertheless, to synchronize with other implementations, we publish this advisory and the related fix. ### Description Third-party blocks can be generated without transferring the whole token to the third-party authority. Instead, a `ThirdPartyBlock` request can be sent, providing only the necessary info to generate a third-party block and to sign it: the public key of the previous block (used in the signature) the public keys part of the token symbol table (for public key interning in datalog expressions) A third-part block request forged by a malicious user can trick the third-party authority into generating datalog trusting the wrong keypair. Consider the following example (nominal case) * Authority A emits the following token: `check if thirdparty("b")...

It was discovered by Elastic engineering that when elasticsearch-certutil CLI tool is used with the csr option in order to create a new Certificate Signing Requests, the associated private key that is generated is stored on disk unencrypted even if the `--pass` parameter is passed in the command invocation.

### Impact The file upload widget is vulnerable to XSS payloads in filenames. Access permission to upload files is required. As such, in most cases only authenticated editors and administrators will have the required permission. It is not persistent, i.e. the payload is only executed during the upload. In effect, an attacker will have to trick an editor/administrator into uploading a strangely named file. The fix ensures XSS is escaped. ### Patches See "Patched versions". Commit: https://github.com/ezsystems/ezplatform-admin-ui/commit/7a9f991b200fa5a03d49cd07f50577c8bc90a30b ### Workarounds None. ### References - https://developers.ibexa.co/security-advisories/ibexa-sa-2024-004-dom-based-xss-in-file-upload - https://github.com/ezsystems/ezplatform-admin-ui/commit/7a9f991b200fa5a03d49cd07f50577c8bc90a30b - https://github.com/ibexa/admin-ui/security/advisories/GHSA-qm44-wjm2-pr59 ### Credit This vulnerability was discovered and reported to Ibexa by Alec Romano: https://github.com/4rd...

### Impact By creating a conflict when another user with more rights is currently editing a page, it is possible to execute JavaScript snippets on the side of the other user, which compromises the confidentiality, integrity and availability of the whole XWiki installation. To reproduce on a XWiki instance, a user with admin rights needs to edit a document without saving right away. Then, as another user without any other right than edit on the specific document, change the whole content to `<script>alert('XSS')</script>`. When the admin user then saves the document, a conflict popup appears. If they select "Fix each conflict individually" and see an alert displaying "XSS", then the instance is vulnerable. ### Patches This has been patched in XWiki 15.10.8 and 16.3.0RC1. ### Workarounds We're not aware of any workaround except upgrading. ### References * https://jira.xwiki.org/browse/XWIKI-21626 * https://github.com/xwiki/xwiki-platform/commit/821d43ec45e67d45a6735a0717b9b77fffc...

### Impact Harbor fails to validate the maintainer role permissions when creating/updating/deleting project configurations - API call: - PUT /projects/{project_name_or_id}/metadatas/{meta_name} - POST /projects/{project_name_or_id}/metadatas/{meta_name} - DELETE /projects/{project_name_or_id}/metadatas/{meta_name} By sending a request to create/update/delete a metadata with an name that belongs to a project that the currently authenticated and granted to the maintainer role user doesn’t have access to, the attacker could modify configurations in the current project. BTW: the maintainer role in Harbor was intended for individuals who closely support the project admin in maintaining the project but lack configuration management permissions. However, the maintainer role can utilize the metadata API to circumvent this limitation. It's important to note that any potential attacker must be authenticated and granted a specific project maintainer role to modify configurations, limiting thei...

Meta has settled a Texas lawsuit over gathering biometric data for Facebook's "Tag Suggestions" feature without informed consent.

A binary in Apple macOS could allow an adversary to execute an arbitrary binary that bypasses SIP.