#git

The EU Cyber Resilience Act's impact on open source security

From communal effort to legal mandate

The world runs on open source. From the applications you use daily to the critical infrastructure powering our society, open source software is ubiquitous. However, this widespread adoption has brought with it an escalating need for robust security, a reality starkly highlighted by incidents like SolarWinds and the more recent XZ Utils vulnerability. While the open source community often demonstrates remarkable resilience and collaboration in addressing threats, a significant shift in responsibility is now underway, driven in part by legislation, such as th

Red Hat Blog
#vulnerability #web #red_hat #git #acer #ssl
GHSA-4hjh-wcwx-xvwj: Axios is vulnerable to DoS attack through lack of data size check

## Summary

When Axios runs on Node.js and is given a URL with the `data:` scheme, it does not perform HTTP. Instead, its Node http adapter decodes the entire payload into memory (`Buffer`/`Blob`) and returns a synthetic 200 response. This path ignores `maxContentLength` / `maxBodyLength` (which only protect HTTP responses), so an attacker can supply a very large `data:` URI and cause the process to allocate unbounded memory and crash (DoS), even if the caller requested `responseType: 'stream'`.

## Details

The Node adapter (`lib/adapters/http.js`) supports the `data:` scheme. When `axios` encounters a request whose URL starts with `data:`, it does not perform an HTTP request. Instead, it calls `fromDataURI()` to decode the Base64 payload into a Buffer or Blob. Relevant code from [`httpAdapter`](https://github.com/axios/axios/blob/c959ff29013a3bc90cde3ac7ea2d9a3f9c08974b/lib/adapters/http.js#L231)...

How China’s Propaganda and Surveillance Systems Really Operate

A series of corporate leaks show that Chinese technology companies function far more like their Western peers than one might imagine.

AI-Enhanced Malware Sports Super-Stealthy Tactics

With legit sounding names, EvilAI's "productivity" apps are reviving classic threats like Trojans while adding new evasion capabilities against modern antivirus defenses.

Beaches and breaches

Thor examines why supply chain and identity attacks took center stage in this week’s headlines, rather than AI and ransomware.

GHSA-765j-9r45-w2q2: Flask App Builder has an Authentication Bypass vulnerability when using non AUTH_DB methods

### Impact

When Flask-AppBuilder is configured to use OAuth, LDAP, or other non-database authentication methods, the password reset endpoint remains registered and accessible, despite not being displayed in the user interface. This allows an enabled user to reset their password and be able to create JWT tokens even after the user is disabled on the authentication provider.

### Patches

Upgrade to Flask-AppBuilder version 4.8.1 or later.

### Workarounds

If immediate upgrade is not possible:

- Manually disable password reset routes in the application configuration
- Implement additional access controls at the web server or proxy level to block access to the reset my password URL
- Monitor for suspicious password reset attempts from disabled accounts

New Google AppSheet Phishing Scam Delivers Fake Trademark Notices

A phishing scam is exploiting Google’s trusted AppSheet platform to bypass email filters. Learn how hackers are using…

Google Pixel 10 Adds C2PA Support to Verify AI-Generated Media Authenticity

Google on Tuesday announced that its new Google Pixel 10 phones support the Coalition for Content Provenance and Authenticity (C2PA) standard out of the box to verify the origin and history of digital content. To that end, support for C2PA's Content Credentials has been added to Pixel Camera and Google Photos apps for Android. The move, Google said, is designed to further digital media

Fake Bureau of Motor Vehicles texts are after your personal and banking details

Many state departments are warning about scam text messages targeting motorists. Here's how you can recognize them.

Siemens SIMOTION Tools

As of January 10, 2023, CISA will no longer be updating ICS security advisories for Siemens product vulnerabilities beyond the initial advisory. For the most up-to-date information on vulnerabilities in this advisory, please see Siemens' ProductCERT Security Advisories (CERT Services | Services | Siemens Global).

1. EXECUTIVE SUMMARY

CVSS v3 8.1
ATTENTION: Exploitable locally
Vendor: Siemens
Equipment: SIMOTION Tools
Vulnerability: Improper Check for Unusual or Exceptional Conditions

2. RISK EVALUATION

Successful exploitation of this vulnerability could allow an attacker to execute arbitrary code with SYSTEM privileges when a legitimate user installs an application that uses the affected setup component.

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

Siemens reports that the following products are affected:

- SIMATIC Technology Package TPCamGen (6ES7823-0FE30-1AA0): All versions
- SIMOTION OA MIIF (6AU1820-3DA20-0AB0): All versions
- SIMOTION OACAMGEN (6AU1820-3EA20-0AB0): All versions
...