#git

Use after free in Windows Digital Media allows an authorized attacker to elevate privileges locally.

**What privileges could be gained by an attacker who successfully exploited the vulnerability?** An attacker who successfully exploited the vulnerability could elevate from a low integrity level up to a medium integrity level.

Use after free in Windows Digital Media allows an authorized attacker to elevate privileges locally.

Use after free in Windows Digital Media allows an authorized attacker to elevate privileges locally.

A new Neptune RAT variant is being shared via YouTube and Telegram, targeting Windows users to steal passwords and deliver additional malware components.

### Summary Using timeit.timeit() function, which is a built-in python library function to execute remote pickle file. ### Details Pickle’s deserialization process is known to allow execution of function via reduce method. While Picklescan is meant to detect such exploits, this attack evades detection by calling built-in python library function like **timeit.timeit()**. And since timeit library wasn't inside unsafe globals blacklist, it may not raise red flag in the security scan. The attack payload executes in the following steps: First, the attacker craft the payload by calling to **timeit.timeit()** function from timeit library in __reduce__ method Then, inside reduce method, the attacker import dangerous libarary like os and calling **os.system()** to run OS commands, for example: curl command. And then the attacker send this malicious pickle file to the victim. Then when the victim after checking whether the pickle file is safe by using Picklescan library and this library doesn...

### Impact When generating an ESTree from a value with a property named `__proto__`, `valueToEstree` would generate an object that specifies a prototype instead. Example: ```js import { generate } from 'astring' import { valueToEstree } from 'estree-util-value-to-estree' const estree = valueToEstree({ ['__proto__']: {} }) const code = generate(estree) console.log(code) ``` Output: ```js { "__proto__": {} } ``` ### Patches This was fixed in version [3.3.3](https://github.com/remcohaszing/estree-util-value-to-estree/releases/tag/v3.3.3). ### Workarounds If you control the input, don’t specify a property named `__proto__`. If you don’t control the output, strip any properties named `__proto__` before passing it to `valueToEstree`.

# Impact ## Summary A vulnerability in Apollo Gateway allowed queries with deeply nested and reused named fragments to be prohibitively expensive to query plan, specifically due to internal optimizations being frequently bypassed. This could lead to excessive resource consumption and denial of service. ## Details The query planner includes an optimization that significantly speeds up planning for applicable GraphQL selections. However, queries with deeply nested and reused named fragments can generate many selections where this optimization does not apply, leading to significantly longer planning times. Because the query planner does not enforce a timeout, a small number of such queries can render gateway inoperable. ## Fix/Mitigation - A new **Query Optimization Limit** metric has been added: - This metric approximates the number of selections that cannot be skipped by the existing optimization. - The metric is checked against a limit to prevent excessive computation. Given...

# Impact ## Summary A vulnerability in Apollo Gateway allowed queries with deeply nested and reused named fragments to be prohibitively expensive to query plan, specifically during named fragment expansion. This could lead to excessive resource consumption and denial of service. ## Details Named fragments were being expanded once per fragment spread during query planning, leading to exponential resource usage when deeply nested and reused fragments were involved. ## Fix/Mitigation A new **Query Fragment Expansion Limit** metric has been introduced: - This metric computes the number of selections a query would have if its fragment spreads were fully expanded. - The metric is checked against a limit to prevent excessive computation. # Patches This has been remediated in `@apollo/gateway` version 2.10.1. # Workarounds No known direct workarounds exist. # References [Query Planning Documentation](https://www.apollographql.com/docs/graphos/reference/federation/query-plans) ...

### Summary import functions are vulnerable. * [importChatflows](https://github.com/FlowiseAI/Flowise/blob/main/packages/server/src/services/chatflows/index.ts#L219) * [importTools](https://github.com/FlowiseAI/Flowise/blob/main/packages/server/src/services/tools/index.ts#L85) * [importVariables](https://github.com/FlowiseAI/Flowise/blob/main/packages/server/src/services/variables/index.ts) ### Details **Authenticated user** can call importChatflows API, import json file such as `AllChatflows.json`. but Due to insufficient validation to chatflow.id in importChatflows API, 2 issues arise. **Issue 1 (Bug Type)** 1. Malicious user creates `AllChatflows.json` file by adding `../` and arbitrary path to the chatflow.id of the json file. ```json { "Chatflows": [ { "id": "../../../../../../apikey", "name": "clickme", "flowData": "{}" } ] } ``` 2. Victim download this file, and import this to flowise. 3. When victim cli...