#auth

Improper neutralization of input during web page generation ('cross-site scripting') in Microsoft Dynamics 365 (on-premises) allows an unauthorized attacker to perform spoofing over a network.

Improper privilege management in SQL Server allows an authorized attacker to elevate privileges locally.

Exposure of sensitive information to an unauthorized actor in Microsoft Exchange Server allows an unauthorized attacker to disclose information over a network.

Improper access control in Azure File Sync allows an authorized attacker to elevate privileges locally.

Use after free in Microsoft Office Visio allows an unauthorized attacker to execute code locally.

### Details There's a parsing logic error in picklescan and modelscan while trying to deal with opcode `STACK_GLOBAL`. Function `_list_globals` when handling `STACK_GLOBAL` at position `n`, it is expected to track two arguments but in wrong range. The loop only consider the range from `1` to `n-1` but forgets to consider the opcode at position `0`. The correct range should be `0` to `n-1`. Attacker can put arg in position `0`, thus the parser can only tract one argument. Then, the exception https://github.com/mmaitre314/picklescan/blob/2a8383cfeb4158567f9770d86597300c9e508d0f/src/picklescan/scanner.py#L281 will be triggered. Thus it can cause detection bypass since the malicious pickle file will trigger unexpected exceptions. Example: ``` 0: S STRING 'os' --> arg 0: STRING (untracked argument due to wrong scanning range) 6: S STRING 'system' --> arg 1: STRING (tracked argument) 16: \x93 STACK_GLOBAL 17: S STRING 'ls' 23: \x85 TUPLE1 24: R RE...

### Summary Logic error in 2FA verification condition allows bypass of two-factor authentication ### Details https://github.com/komari-monitor/komari/blob/bd5a6934e1b79a12cf1e6a9bba5372d0e04f3abc/api/login.go#L55 There is no way for `Verify2Fa` to return an error **AND** true as `ok` at the same time, any codes are considered as valid. ### PoC Use any 6 digits as 2FA code ### Impact Bypass 2FA Authentication

### Summary WebSocket upgrader has disabled origin checking, enabling Cross-Site WebSocket Hijacking (CSWSH) attacks against authenticated users ### Details https://github.com/komari-monitor/komari/blob/bd5a6934e1b79a12cf1e6a9bba5372d0e04f3abc/api/terminal.go#L33-L35 Any third party website can send requests to the terminal websocket endpoint with browser's cookies, resulting in remote code execution ### PoC 1. Login in to your komari instance 2. Hosting the following HTML code on internet, replace `<komari-addr>` and `<target-uuid>` into yours 3. Visit this HTML page, you can see your node is executing `uptime` without your actions ``` <pre></pre> <script> const socket = new WebSocket("wss://<komari-addr>/api/admin/client/<target-uuid>/terminal"); socket.addEventListener("open", (event) => { const binaryBlob = new Blob(['uptime\n'], { type: 'application/octet-stream' }); socket.send(binaryBlob); }); socket.addEventListener("message", (event) => { event.data.text().then(x ...

### Impact The `get_disjoint_mut` method in slab v0.4.10 incorrectly checked if indices were within the slab's capacity instead of its length, allowing access to uninitialized memory. This could lead to undefined behavior or potential crashes. ### Patches This has been fixed in slab v0.4.11. ### Workarounds Avoid using `get_disjoint_mut` with indices that might be beyond the slab's actual length, or upgrade to v0.4.11 or later. ### References - [https://github.com/tokio-rs/slab/pull/152](https://github.com/tokio-rs/slab/pull/152)

Mattermost Confluence Plugin versions < 1.5.0 fails to handle unexpected request bodies, allowing attackers to crash the plugin via constant hits to the update channel subscription endpoint with an invalid request body.