#git

### Description A nil pointer dereference vulnerability was discovered in the SIPGO library's `NewResponseFromRequest` function that affects all normal SIP operations. The vulnerability allows remote attackers to crash any SIP application by sending a single malformed SIP request without a To header. The vulnerability occurs when SIP message parsing succeeds for a request missing the To header, but the response creation code assumes the To header exists without proper nil checks. This affects routine operations like call setup, authentication, and message handling - not just error cases. > Note: This vulnerability affects all SIP applications using the sipgo library, not just specific configurations or edge cases, as long as they make use of the `NewResponseFromRequest` function. ### Technical details The vulnerability is located in `/sip/response.go` at line 242 in the `NewResponseFromRequest` function: ```go if _, ok := res.To().Params["tag"]; !ok { uuid, _ := uuid.NewRando...

## Summary An issue in the underlying router library **rou3** can cause `/path` and `//path` to be treated as identical routes. If your environment does **not** normalize incoming URLs (e.g., by collapsing multiple slashes), this can allow bypasses of `disabledPaths` and path-based rate limits. ## Details Better Auth uses **better-call**, which internally relies on **rou3** for routing. Affected versions of rou3 normalize paths by removing empty segments. As a result: * `/sign-in/email` * `//sign-in/email` * `///sign-in/email` …all resolve to the same route. Some production setups *automatically* collapse multiple slashes. This includes: * Vercel with Nextjs (default) * Cloudflare - when normalize to urls origin is enabled (https://developers.cloudflare.com/rules/normalization/settings/#normalize-urls-to-origin) In these environments and other configurations where `//path` reach Better Auth as `/path`, the issue does not apply. ## Fix Updating rou3 to the latest version resol...

### Impact A Time-of-Check-Time-of-Use (TOCTOU) race condition allows local attackers to corrupt or truncate arbitrary user files through symlink attacks. The vulnerability exists in both Unix and Windows lock file creation where filelock checks if a file exists before opening it with O_TRUNC. An attacker can create a symlink pointing to a victim file in the time gap between the check and open, causing os.open() to follow the symlink and truncate the target file. **Who is impacted:** All users of filelock on Unix, Linux, macOS, and Windows systems. The vulnerability cascades to dependent libraries: - **virtualenv users**: Configuration files can be overwritten with virtualenv metadata, leaking sensitive paths - **PyTorch users**: CPU ISA cache or model checkpoints can be corrupted, causing crashes or ML pipeline failures - **poetry/tox users**: through using virtualenv or filelock on their own. Attack requires local filesystem access and ability to create symlinks (standard user p...

### Impact This issue describes a ReDOS bug found within the figure caption extension (`pymdownx.blocks.caption` ). In systems that take unchecked user content, this could cause long hangs when processing the data if a malicious payload was crafted. ### Patches This issue is patched in Release [10.16.1](https://pypi.org/project/pymdown-extensions/10.16.1/). ### Workarounds Some possible workarounds If users are concerned about this vulnerability and process unknown user content without timeouts or other safeguards in place to prevent really large, malicious content being aimed at systems, the use of `pymdownx.blocks.caption` could be avoided until the library is updated to 10.16.1+. ### References The original issue https://github.com/facelessuser/pymdown-extensions/issues/2716. ### Description The original issue came through PyMdown Extensions' normal issue tracker instead of the typical security flow: https://github.com/facelessuser/pymdown-extensions/issues/2716. Because ...

### Summary LibreDesk is vulnerable to **stored HTML injection** in the contact notes feature. When adding notes via `POST /api/v1/contacts/{id}/notes`, the backend automatically wraps user input in `<p>` tags. However, by intercepting the request and removing the `<p>` tag, an attacker can inject arbitrary HTML elements such as forms and images, which are then stored and rendered without proper sanitization. This can lead to phishing, CSRF-style forced actions, and UI redress attacks. --- ### Details When notes are added through the LibreDesk web application, the client sends note content wrapped inside `<p>` tags. The backend appears to **trust this HTML structure** and stores the content as-is. By intercepting the request to: ``` POST /api/v1/contacts/3/notes ``` and **removing the `<p>` wrapper**, an attacker can submit arbitrary HTML content. The backend does not sanitize or validate the HTML payload before persisting it. As a result: * Arbitrary HTML tags (e.g., `<form>`...

## Impact A Reflected Cross-Site Scripting (XSS) vulnerability exists in Parse Server's password reset and email verification HTML pages. ## Patches The patch escapes user controlled values that are inserted into the HTML pages. ## Workarounds None. ## Resources - https://github.com/parse-community/parse-server/security/advisories/GHSA-jhgf-2h8h-ggxv - https://github.com/parse-community/parse-server/pull/9985 - https://github.com/parse-community/parse-server/pull/9986

An open redirect vulnerability exists in the Account module in Volosoft ABP Framework >= 5.1.0 and < 10.0.0-rc.2. Improper validation of the returnUrl parameter in the register function allows an attacker to redirect users to arbitrary external domains.

Amazon Threat Intelligence reports Russian GRU hackers are increasingly breaking into critical infrastructure by abusing misconfigured devices instead of exploiting software vulnerabilities.

We compared three incidents that surfaced today to show why the impact of a breach depends less on who was hit and more on what was taken.

Cybersecurity researchers have discovered a new malicious NuGet package that typosquats and impersonates the popular .NET tracing library and its author to sneak in a cryptocurrency wallet stealer. The malicious package, named "Tracer.Fody.NLog," remained on the repository for nearly six years. It was published by a user named "csnemess" on February 26, 2020. It masquerades as "Tracer.Fody,"