#auth

The Trix editor, versions prior to 2.1.4, is vulnerable to XSS when pasting malicious code. This vulnerability is a bypass of the fix put in place for https://github.com/basecamp/trix/security/advisories/GHSA-qjqp-xr96-cj99. In https://github.com/basecamp/trix/pull/1149, we added sanitation for Trix attachments with a `text/html` content type. However, Trix only checks the content type on the paste event's `dataTransfer` object. As long as the `dataTransfer` has a content type of `text/html`, Trix parses its contents and creates an `Attachment` with them, even if the attachment itself doesn't have a `text/html` content type. Trix then uses the attachment content to set the attachment element's `innerHTML`. ### Impact An attacker could trick a user to copy and paste malicious code that would execute arbitrary JavaScript code within the context of the user's session, potentially leading to unauthorized actions being performed or sensitive information being disclosed. ### Patches **Upda...

An ongoing social engineering campaign with alleged links to the Black Basta ransomware group has been linked to "multiple intrusion attempts" with the goal of conducting credential theft and deploying a malware dropper called SystemBC. "The initial lure being utilized by the threat actors remains the same: an email bomb followed by an attempt to call impacted users and offer a fake solution,"

In K7 Ultimate Security versions prior to 17.0.2019, the driver file (K7RKScan.sys - this version 15.1.0.7) allows local users to cause a denial of service (BSOD) or possibly have unspecified other impact because of a null pointer dereference from IOCtl 0x222010 and 0x222014. At the same time, the drive is accessible to all users in the "Everyone" group.

Red Hat Security Advisory 2024-5316-03 - An update for krb5 is now available for Red Hat Enterprise Linux 7.7 Advanced Update Support.

Kortex version 1.0 suffers from an insecure direct object reference vulnerability.

Red Hat Security Advisory 2024-5312-03 - An update for krb5 is now available for Red Hat Enterprise Linux 8.

Red Hat Security Advisory 2024-5309-03 - An update for python-urllib3 is now available for Red Hat Enterprise Linux 8.

Privacy watchdog NOYB has filed complaints against X for using social media data to train its AI chatbot Grok.

Please don’t, actually. But do update your Shimano Di2 shifters’ software to prevent a new radio-based form of cycling sabotage.

Ivanti has rolled out security updates for a critical flaw in Virtual Traffic Manager (vTM) that could be exploited to achieve an authentication bypass and create rogue administrative users. The vulnerability, tracked as CVE-2024-7593, has a CVSS score of 9.8 out of a maximum of 10.0. "Incorrect implementation of an authentication algorithm in Ivanti vTM other than versions 22.2R1 or 22.7R2