Security
Headlines
HeadlinesLatestCVEs

Tag

#auth

GHSA-8498-2h75-472j: Django denial-of-service in django.utils.html.strip_tags()

An issue was discovered in Django 5.1 before 5.1.4, 5.0 before 5.0.10, and 4.2 before 4.2.17. The strip_tags() method and striptags template filter are subject to a potential denial-of-service attack via certain inputs containing large sequences of nested incomplete HTML entities.

ghsa
Open in Source
#vulnerability#web#dos#auth
Announcing the Adaptive Prompt Injection Challenge (LLMail-Inject)

We are excited to introduce LLMail-Inject, a new challenge focused on evaluating state-of-the-art prompt injection defenses in a realistic simulated LLM-integrated email client. In this challenge, participants assume the role of an attacker who sends an email to a user. The user then queries the LLMail service with a question (e.

GHSA-6c5q-fg3g-qhhv: LibreNMS stored cross-site scripting (XSS) vulnerability in the Device Settings section

A stored cross-site scripting (XSS) vulnerability in the Device Settings section of LibreNMS v24.9.0 to v24.10.0 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the Display Name parameter.

GHSA-r6wx-627v-gh2f: Directus has an HTML Injection in Comment

### Summary The Comment feature has implemented a filter to prevent users from adding restricted characters, such as HTML tags. However, this filter operates on the client-side, which can be bypassed, making the application vulnerable to HTML Injection. ### Details The Comment feature implements a character filter on the client-side, this can be bypassed by directly sending a request to the endpoint. Example Request: ``` PATCH /activity/comment/3 HTTP/2 Host: directus.local { "comment": "<h1>TEST <p style=\"color:red\">HTML INJECTION</p> <a href=\"//evil.com\">Test Link</a></h1>" } ``` Example Response: ```json { "data": { "id": 3, "action": "comment", "user": "288fdccc-399a-40a1-ac63-811bf62e6a18", "timestamp": "2023-09-06T02:23:40.740Z", "ip": "10.42.0.1", "user_agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/116.0.0.0 Safari/537.36", "collection": "directus_files", "item": "7247dda1-c386-4e7a-...

Library of Congress Offers AI Legal Guidance to Researchers

Researchers testing generative AI systems can use prompt injection, re-register after being banned, and bypass rate limits without running afoul of copyright law.

Russia's 'BlueAlpha' APT Hides in Cloudflare Tunnels

Cloudflare Tunnels is just the latest legitimate cloud service that cybercriminals and state-sponsored threat actors are abusing to hide their tracks.

Bypass Bug Revives Critical N-Day in Mitel MiCollab

A single barrier prevented attackers from exploiting a critical vulnerability in an enterprise collaboration platform. Now there's a workaround.

Trojan-as-a-Service Hits Euro Banks, Crypto Exchanges

At least 17 affiliate groups have used the "DroidBot" Android banking Trojan against 77 financial services companies across Europe, with more to come, researchers warn.

LLMs Raise Efficiency, Productivity of Cybersecurity Teams

AI-powered tools are making cybersecurity tasks easier to solve, as well as easier for the team to handle.

One Identity Named Winner of the Coveted Top InfoSec Innovator Awards for 2024

One Identity wins "Hot Company: Privileged Access Management" at the 12th Cyber Defense Magazine InfoSec Innovator Awards, showcasing PAM excellence in cybersecurity.