#git

A security vulnerability was discovered in Moodle that allows some users to access sensitive information about other students before they finish verifying their identities using two-factor authentication (2FA).

A flaw has been identified in Moodle where insufficient capability checks in certain grade reports allowed users without the necessary permissions to access hidden grades.

### Summary A query cost restriction using the `cost-limit` can be bypassed if `ignoreIntrospection` is enabled (which is the default configuration) by naming your query/fragment `__schema`. ### Details At the start of the `computeComplexity` function, we have the following check for `ignoreIntrospection` option: ```ts if (this.config.ignoreIntrospection && 'name' in node && node.name?.value === '__schema') { return 0; } ``` However, the `node` can be `FieldNode | FragmentDefinitionNode | InlineFragmentNode | OperationDefinitionNode | FragmentSpreadNode` So, for example, sending the following query ```gql query hello { books { title } } ``` would create an `OperationDefinitionNode` with `node.name.value == 'hello'` The proper way to handle this would be to check for the `__schema` field, which would create a `FieldNode`. The fix is ```ts if ( this.config.ignoreIntrospection && 'name' in node && node.name?.value === '__schema' && ...

### Impact A vulnerability has been identified in Steve where by default it was using an insecure option that did not validate the certificate presented by the remote server while performing a TLS connection. This could allow the execution of a man-in-the-middle (MitM) attack against services using Steve. For example, Rancher relies on Steve as a dependency for its user interface (UI) to proxy requests to Kubernetes clusters. Users who have the permission to create a service in Rancher’s local cluster can take over Rancher’s UI and display their own UI to gather sensitive information. This is only possible when the setting `ui-offline-preferred` is manually set to `remote` (by default Rancher sets it to `dynamic`). This enables further attacks such as cross-site scripting (XSS), or tampering the UI to collect passwords from other users etc. Please consult the associated [MITRE ATT&CK - Technique - Adversary-in-the-Middle](https://attack.mitre.org/techniques/T1557/) for further infor...

### Impact A vulnerability has been identified within Fleet where, by default, Fleet will automatically trust a remote server’s certificate when connecting through SSH if the certificate isn’t set in the `known_hosts` file. This could allow the execution of a man-in-the-middle (MitM) attack against Fleet. In case the server that is being connected to has a trusted entry in the known_hosts file, then Fleet will correctly check the authenticity of the presented certificate. Please consult the associated [MITRE ATT&CK - Technique - Adversary-in-the-Middle](https://attack.mitre.org/techniques/T1557/) for further information about this category of attack. ### Patches Patched versions include releases `v0.10.12`, `v0.11.7` and `v0.12.2`. The fix involves some key areas with the following changes: - Git latest commit fetcher sources `known_hosts` entries from the following locations, in decreasing order of priority: 1. Secret referenced in a `GitRepo`’s `clientSecretName` field; 2. ...

### Impact A vulnerability has been identified within Rancher where a user with the ability to create a project, on a certain cluster, can create a project with the same name as an existing project in a different cluster. This results in the user gaining access to the other project in the different cluster, resulting in a privilege escalation. This happens because the namespace used on the local cluster to store related resources (PRTBs and secrets) is the name of the project. Please consult the associated [MITRE ATT&CK - Technique - Privilege Escalation](https://attack.mitre.org/tactics/TA0004/) for further information about this category of attack. ### Patches Patched versions include releases `v2.11.1`, `v2.10.5`, `v2.9.9`. The fix involves the following changes: **Rancher:** - Instead of using the project name as the namespace, Rancher will instead be using a new field on the project spec called backingNamespace. If that field exists, use that for the project namespace going f...

### Impact This is an additional fix for https://github.com/craftcms/cms/security/advisories/GHSA-4w8r-3xrw-v25g This is a high-impact, low-complexity attack vector. To mitigate the issue, users running Craft installations before the fixed versions are encouraged to update to at least that version. ### Details https://craftcms.com/knowledge-base/craft-cms-cve-2025-32432 ### References https://github.com/craftcms/cms/commit/e1c85441fa47eeb7c688c2053f25419bc0547b47 https://github.com/craftcms/cms/blob/3.x/CHANGELOG.md#3915---2025-04-10-critical https://github.com/craftcms/cms/blob/4.x/CHANGELOG.md#41415---2025-04-10-critical https://github.com/craftcms/cms/blob/5.x/CHANGELOG.md#5617---2025-04-10-critical https://sensepost.com/blog/2025/investigating-an-in-the-wild-campaign-using-rce-in-craftcms/ ### Credits Credit to [Orange Cyberdefense](https://github.com/Orange-Cyberdefense) for discovering a reporting this bug.

Silent Push reveals a complex scheme where North Korean hackers posed as crypto companies, using AI and fake…

In this episode of Uncanny Valley, our hosts explain how to prepare for travel to and from the United States—and how to stay safe.

XRP Ledger SDK hit by supply chain attack: Malicious NPM versions stole private keys; users urged to update…