Tag
#git
### Summary

A bug in GitHub's Artifact Attestation CLI tool, `gh attestation verify`, may return an incorrect zero exit status when no matching attestations are found for the specified `--predicate-type <value>` or, if none is specified, the default `https://slsa.dev/provenance/v1`. This issue only arises if an artifact has an attestation with a predicate type different from the one provided in the command. As a result, users relying solely on these exit codes may mistakenly believe the attestation has been verified, despite the absence of an attestation with the specified predicate type and the tool printing a verification failure. Users are advised to update `gh` to version `v2.67.0` as soon as possible.

Initial report: https://github.com/cli/cli/issues/10418
Fix: https://github.com/cli/cli/pull/10421

### Details

The `gh attestation verify` command fetches, loads, and attempts to verify attestations associated with a given artifact for a specified predicate type. If an attestation is fo...
Veriti Research reported a developing cyber threat campaign centred around the declassification and release of the RFK, MLK…
## Description

Label Studio's `/projects/upload-example` endpoint allows injection of arbitrary HTML through a `GET` request with an appropriately crafted `label_config` query parameter. By crafting a specially formatted XML label config with inline task data containing malicious HTML/JavaScript, an attacker can achieve Cross-Site Scripting (XSS). While the application has a Content Security Policy (CSP), it is only set in report-only mode, making it ineffective at preventing script execution. The vulnerability exists because the upload-example endpoint renders user-provided HTML content without proper sanitization on a GET request. This allows attackers to inject and execute arbitrary JavaScript in victims' browsers by getting them to visit a maliciously crafted URL. This is considered vulnerable because it enables attackers to execute JavaScript in victims' contexts, potentially allowing theft of sensitive data, session hijacking, or other malicious actions.

## Steps to reproduce

...
The China-sponsored state espionage group has exploited known, older bugs in Cisco gear for successful cyber intrusions on six continents in the past two months.
CyberArk announces the Zilla deal on the same day leading identity service provider SailPoint returns to the public markets.
Cybersecurity experts weigh in on the red flags flying around the new Department of Government Efficiency's handling of the mountains of US data it now has access to, potentially without basic information security protections in place.
Pivoting from prior cyber espionage, the threat group deployed its backdoor tool set to ultimately push out RA World malware, demanding $2 million from its victim.
Russian GRU-linked hackers exploit known software flaws to breach critical networks worldwide, targeting the United States and the…
Scammers are once again using AI to take over Gmail accounts.
A security issue was discovered in Kubernetes where a large number of container checkpoint requests made to the unauthenticated kubelet read-only HTTP endpoint may cause a Node Denial of Service by filling the Node's disk.