#auth

### Summary A prototype pollution in derby can crash the application, if the application author has atypical HTML templates that feed user input into an object key. Attribute keys are almost always developer-controlled, not end-user-controlled, so this shouldn't be an issue in practice for most applications. ### Details ``` emit(context: Context, target: T) { const node = traverseAndCreate(context.controller, this.segments); node[this.lastSegment] = target; this.addListeners(target, node, this.lastSegment); } ``` The emit() function in src/templates/templates.ts is called without sanitizing the variable `this.lastSegment `. The variable `this.lastSegment ` can be set to `__proto__`, and this will pollute the prototype of Javascipt Object (`node['__proto__'] = target`). ### PoC To reproduce this vulnerability, you can adjust the test case `ignores DOM mutations in components\' create()` in `test/dom/ComponentHarness.mocha.js`. ``` it('ignores DOM mutations in components\' ...

"Kapeka" and "Fuxnet" are the latest examples of malware to emerge from the long-standing conflict between the two countries.

Once attackers have control over a workload in the cluster, they can leverage access for lateral movement both inside the cluster and to external resources.

Keycloak was found to not properly enforce token types when validating signatures locally. An authenticated attacker could use this flaw to exchange a logout token for an access token and possibly gain access to data outside of enforced permissions.

A flaw was found in Keycloak. An active keycloak session can be hijacked by initiating a new authentication (having the query parameter prompt=login) and forcing the user to enter his credentials once again. If the user cancels this re-authentication by clicking Restart login, the account takeover could take place as the new session, with a different SUB, will have the same SID as the previous session.

A flaw was found in keycloak 22.0.5. Errors in browser client during setup/auth with "Security Key login" (WebAuthn) are written into the form, send to Keycloak and logged without escaping allowing log injection. Acknowledgements: Special thanks toTheresa Henze for reporting this issue and helping us improve our security.

One of Silicon Valley’s most influential lobbying arms joins privacy reformers in a fight against the Biden administration–backed expansion of a major US surveillance program.

Users will need to download the latest version of Ivanti's Avalanche to apply fixes for all of the bugs.

### Impact _What kind of vulnerability is it? Who is impacted?_ Using the vesting module, a malicious attacker can create a new vesting account at a given address, before a contract is created on that address. Addresses of smart contracts deployed to the EVM are deterministic. Therefore, it would be possible for an attacker to front-run a contract creation and create a vesting account at that address. When an address has been initialized without any contract code deployed to it, it will not be possible to upload any afterwards. In the described attack, this would mean that a malicious actor could prevent smart contracts from being deployed correctly. In order to remediate this, an alternative user flow is being implemented for the vesting module: - only the account receiving the vesting funds will be able to create such an account by calling the `CreateClawbackVestingAccount` method and defining a funder address - vesting and lockup periods can then be created by that funder addres...