#git

### Impact An issue has been discovered in Taguette versions prior to 1.5.0. It was possible for a project member to put JavaScript in name or description fields which would run on project load. ### Patches Users should upgrade to Taguette 1.5.0. ### References - https://gitlab.com/remram44/taguette/-/issues/330

A global AWS outage disrupted major apps and services across regions before being fully mitigated, exposing heavy dependence on cloud infrastructure.

### Impact An issue has been discovered in Taguette versions prior to 1.5.0. It was possible for an attacker to request password reset email containing a malicious link, allowing the attacker to set the email if clicked by the victim. ### Patches Users should upgrade to Taguette 1.5.0. ### References - https://gitlab.com/remram44/taguette/-/issues/331

### Summary Files denied by [`server.fs.deny`](https://vitejs.dev/config/server-options.html#server-fs-deny) were sent if the URL ended with `\` when the dev server is running on Windows. ### Impact Only apps that match the following conditions are affected: - explicitly exposes the Vite dev server to the network (using --host or [`server.host` config option](https://vitejs.dev/config/server-options.html#server-host)) - running the dev server on Windows ### Details `server.fs.deny` can contain patterns matching against files (by default it includes `.env`, `.env.*`, `*.{crt,pem}` as such patterns). These patterns were able to bypass by using a back slash(`\`). The root cause is that `fs.readFile('/foo.png/')` loads `/foo.png`. ### PoC ```shell npm create vite@latest cd vite-project/ cat "secret" > .env npm install npm run dev curl --request-target /.env\ http://localhost:5173 ``` <img width="1593" height="616" alt="image" src="https://github.com/user-attachments/assets/36212f4e-1d3...

### Summary The GoCardless components in Actualbudget in are logging responses to STDOUT in a parsed format using `console.log`and `console.debug` (Which in this version of node is an alias for `console.log`). This is exposing sensitive information in log files including, but not limited to: - Gocardless bearer tokens. - Account IBAN and Bank Account numbers. - PII of the account holder. - Transaction details (Payee bank information, Recipient account numbers, Transaction IDs)... ### Details Whenever GoCardless responds to a request, the payload is printed to the debug log: https://github.com/actualbudget/actual/blob/36c40d90d2fe09eb1f25a6e2f77f6dd40638b267/packages/sync-server/src/app-gocardless/banks/integration-bank.js#L25-L27 This in turn logs the following information to Docker (all values removed here. These fields are possibly dependent on what is returned by each institution so may differ): ```json { "account": { "resourceId": "", "iban": "", "bban": "", ...

### Impact Prototype pollution potential with the utility function `rollbar/src/utility`.`set()`. No impact when using the published public interface. If application code directly imports `set` from `rollbar/src/utility` and then calls `set` with untrusted input in the second argument, it is vulnerable to prototype pollution. POC: ```js const obj = {}; require("rollbar/src/utility").set(obj, "__proto__.polluted", "vulnerable"); console.log({}.polluted !== undefined ? '[POLLUTION_TRIGGERED]':''); ``` ### Patches Fixed in version 2.26.5 and 3.0.0-beta5. ### Workarounds If application code directly imports `set` from `rollbar/src/utility`, ensure that the second argument does not receive untrusted input. ### References https://github.com/rollbar/rollbar.js/issues/1333#issuecomment-3353720946

### Summary The JS implementation for copying button labels to the sticky header in the Citizen skin unescapes HTML characters, allowing for stored XSS through system messages. ### Details In the `copyButtonAttributes` function in `stickyHeader.js`, when copying the button labels, the `innerHTML` of the new element is set to the `textContent` of the old element: https://github.com/StarCitizenTools/mediawiki-skins-Citizen/blob/f4cbcecf5aca0ae69966b23d4983f9cb5033f319/resources/skins.citizen.scripts/stickyHeader.js#L29-L41 This unescapes any escaped HTML characters and causes the contents of the system messages to be interpreted as HTML. ### PoC 1. Edit any of the affected messages (`citizen-share`, `citizen-view-history`, `citizen-view-edit`, `nstab-talk`) to the following payload: `<img src="" onerror="alert('Sticky Header Button XSS')">`. 2. Visit any mainpage article in the wiki using the Citizen skin. <img width="495" height="228" alt="image" src="https://github.com/user-attachme...

Chinese gangs are using US SIM farms and money mules to run industrial-scale text scams that steal and launder Americans’ card data.

It’s easy to think your defenses are solid — until you realize attackers have been inside them the whole time. The latest incidents show that long-term, silent breaches are becoming the norm. The best defense now isn’t just patching fast, but watching smarter and staying alert for what you don’t expect. Here’s a quick look at this week’s top threats, new tactics, and security stories shaping

ClickFix, FileFix, fake CAPTCHA — whatever you call it, attacks where users interact with malicious scripts in their web browser are a fast-growing source of security breaches.  ClickFix attacks prompt the user to solve some kind of problem or challenge in the browser — most commonly a CAPTCHA, but also things like fixing an error on a webpage.  The name is a little misleading, though