#auth

## Description The LocalS3 project contains an XML External Entity (XXE) Injection vulnerability in its bucket operations that process XML data. Specifically, the vulnerability exists in the bucket ACL and bucket tagging operations. The application processes XML input without properly disabling external entity resolution, allowing an attacker to read arbitrary files from the server's filesystem. The vulnerability occurs because the XML parser used by the application processes DOCTYPE declarations and allows external entity references. When processing bucket ACL or tagging operations, the application includes the content of external entities in its response, effectively exposing sensitive files from the server. This type of vulnerability can be exploited to read sensitive files, perform server-side request forgery (SSRF), or potentially achieve denial of service through various XXE attack vectors. ## Steps to Reproduce 1. Create a test bucket using PUT request to http://[server]/[b...

## Description The LocalS3 service's bucket creation endpoint is vulnerable to XML External Entity (XXE) injection. When processing the CreateBucketConfiguration XML document during bucket creation, the service's XML parser is configured to resolve external entities. This allows an attacker to declare an external entity that references an internal URL, which the server will then attempt to fetch when parsing the XML. The vulnerability specifically occurs in the location constraint processing, where the XML parser resolves external entities without proper validation or restrictions. When the external entity is resolved, the server makes an HTTP request to the specified URL and includes the response content in the parsed XML document. This vulnerability can be exploited to perform server-side request forgery (SSRF) attacks, allowing an attacker to make requests to internal services or resources that should not be accessible from external networks. The server will include the responses...

This week on the Lock and Code podcast, we speak with Tim Shott about his attempt to find his location data following a major data breach.

A vulnerability, that could result in Remote Code Execution (RCE), has been found in PlotAI. Lack of validation of LLM-generated output allows attacker to execute arbitrary Python code. PlotAI commented out vulnerable line, further usage of the software requires uncommenting it and thus accepting the risk.

The Laravel framework versions between 11.9.0 and 11.35.1 are susceptible to reflected cross-site scripting due to an improper encoding of route parameters in the debug-mode error page.

The Laravel framework versions between 11.9.0 and 11.35.1 are susceptible to reflected cross-site scripting due to an improper encoding of request parameters in the debug-mode error page.

## Duplicate Advisory This advisory has been withdrawn because it is a duplicate of GHSA-7q5r-7gvp-wc82. This link is maintained to preserve external references. ## Original Description picklescan before 0.0.23 is vulnerable to a ZIP archive manipulation attack that causes it to crash when attempting to extract and scan PyTorch model archives. By modifying the filename in the ZIP header while keeping the original filename in the directory listing, an attacker can make PickleScan raise a BadZipFile error. However, PyTorch's more forgiving ZIP implementation still allows the model to be loaded, enabling malicious payloads to bypass detection.

Plus: The world’s “largest illicit online marketplace” gets hit by regulators, police seize the Garantex crypto exchange, and scammers trick targets by making up ransomware attacks.

**Nature of issue:** Crash (Denial of Service) **Source of issue:** Dependent package (ring) **Affected versions of qcp:** 0.1.0-0.3.2 **Recommendation:** Upgrade to qcp 0.3.3 or later ### Who is affected All versions of qcp from 0.1.0 to 0.3.2 are affected, but **only if built with runtime overflow checks.** * Released qcp binaries do not enable runtime overflow checks by default. **If you use an official released qcp binary download, you are not affected.** * If you built qcp yourself in debug mode, you are affected unless your debug configuration explicitly disables overflow checks. * If you built qcp yourself in release mode, you are only affected if you explicitly requested runtime overflow checks at build time by setting the appropriate `RUSTFLAGS`, or in your Cargo.toml profile. ### What to do if you are affected **We recommend you upgrade to qcp 0.3.3 or later.** Users upgrading from versions prior to 0.3.0 should note that an incompatible protocol change was introduced in...

In September 2023, KrebsOnSecurity published findings from security researchers who concluded that a series of six-figure cyberheists across dozens of victims resulted from thieves cracking master passwords stolen from the password manager service LastPass in 2022. In a court filing this week, U.S. federal agents investigating a spectacular $150 million cryptocurrency heist said they had reached the same conclusion.