#asp.net

Introduction Microsoft engineering teams use the Security Development Lifecycle to ensure our products are built in alignment with Microsoft’s Secure Future Initiative security principles: Secure by Design, Secure by Default, and Secure Operations. A key component of the Security Development Lifecycle is security testing, which aims to discover and mitigate security vulnerabilities before adversaries can exploit them.

TX Text Control .NET Server For ASP.NET has an issue where it was possible to change the configured system path for reading and writing files in the underlying operating system with privileges of the user running a web application.

TX Text Control .NET Server For ASP.NET has an issue where it was possible to change the configured system path for reading and writing files in the underlying operating system with privileges of the user running a web application.

# Microsoft Security Advisory CVE-2024-38229 | .NET Remote Code Execution Vulnerability ## <a name="executive-summary"></a>Executive summary Microsoft is releasing this security advisory to provide information about a vulnerability in .NET 8.0 and .NET 9.0. This advisory also provides guidance on what developers can do to update their applications to remove this vulnerability. A vulnerability exists in ASP.NET when closing an HTTP/3 stream while application code is writing to the response body, a race condition may lead to use-after-free. Note: HTTP/3 is experimental in .NET 6.0. If you are on .NET 6.0 and using HTTP/3, please upgrade to .NET 8.0.10. .NET 6.0 will not receive a security patch for this vulnerability. ## Announcement Announcement for this issue can be found at https://github.com/dotnet/announcements/issues/326 ## <a name="mitigation-factors"></a>Mitigation factors HTTP/3 support is not enabled by default in ASP.NET Core applications. For more information on how ...

Cisco Talos is disclosing a new threat called “DragonRank” that primarily targets countries in Asia and a few in Europe, operating PlugX and BadIIS for search engine optimization (SEO) rank manipulation.

# Microsoft Security Advisory CVE-2024-38168 | .NET Denial of Service Vulnerability ## <a name="executive-summary"></a>Executive summary Microsoft is releasing this security advisory to provide information about a vulnerability in .NET 8.0. This advisory also provides guidance on what developers can do to update their applications to remove this vulnerability. A vulnerability exists in .NET when an attacker through unauthenticated requests may trigger a Denial of Service in ASP.NET HTTP.sys web server. This is a windows OS only vulnerability. ## Announcement Announcement for this issue can be found at https://github.com/dotnet/announcements/issues/320 ## <a name="mitigation-factors"></a>Mitigation factors Microsoft has not identified any mitigating factors for this vulnerability. ## <a name="affected-software"></a>Affected software * Any .NET 8.0 application running on .NET 8.0.7 or earlier. ## <a name="affected-packages"></a>Affected Packages The vulnerability affects any M...

### Impact It is possible for an attacker to craft malicious Urls that certain functions in IdentityServer will incorrectly treat as local and trusted. If such a Url is returned as a redirect, some browsers will follow it to a third-party, untrusted site. _Note: by itself, this vulnerability does **not** allow an attacker to obtain user credentials, authorization codes, access tokens, refresh tokens, or identity tokens. An attacker could however exploit this vulnerability as part of a phishing attack designed to steal user credentials._ ### Affected Methods - In the `DefaultIdentityServerInteractionService`, the `GetAuthorizationContextAsync` method may return non-null and the `IsValidReturnUrl` method may return true for malicious Urls, indicating incorrectly that they can be safely redirected to. _UI code calling these two methods is the most commonly used code path that will expose the vulnerability. The default UI templates rely on this behavior in the Login, Challenge, Conse...

Hospital Management System Project in ASP.Net MVC version 1 suffers from a remote SQL injection vulnerability that allows for authentication bypass.

Red Hat Security Advisory 2024-4451-03 - An update for dotnet8.0 is now available for Red Hat Enterprise Linux 8. Issues addressed include a denial of service vulnerability.

Red Hat Security Advisory 2024-4450-03 - An update for dotnet8.0 is now available for Red Hat Enterprise Linux 9. Issues addressed include a denial of service vulnerability.