Tag
#git
### Impact An argument injection vulnerability was discovered in `go-git` versions prior to `v5.13`. Successful exploitation of this vulnerability could allow an attacker to set arbitrary values to [git-upload-pack flags](https://git-scm.com/docs/git-upload-pack). This only happens when the `file` transport protocol is being used, as that is the only protocol that shells out to `git` binaries. ### Affected versions Users running versions of `go-git` from `v4` and above are recommended to upgrade to `v5.13` in order to mitigate this vulnerability. ### Workarounds In cases where a bump to the latest version of `go-git` is not possible, we recommend users to enforce restrict validation rules for values passed in the URL field. ## Credit Thanks to @vin01 for responsibly disclosing this vulnerability to us.
### Summary There are several sources of arbitrary, unescaped user input being used to construct HTML, which allows any user that can edit pages or otherwise render wikitext to XSS other users. > Edit: Only the first XSS can be reproduced in production. ### Details > ✅ Verified and patched in f229cab099c69006e25d4bad3579954e481dc566 https://github.com/StarCitizenTools/mediawiki-extensions-TabberNeue/blob/2526daa9f8cfdd616c861c8439755cb74a6c8c6e/includes/TabberTransclude.php#L154 This doesn't escape the user-supplied page name when outputting, so an XSS payload as the page name can be used here. This was caused by d8c3db4e5935476e496d979fb01f775d3d3282e6. ---- > ❌ Invalid as MediaWiki parser sanitizes dangerous HTML https://github.com/StarCitizenTools/mediawiki-extensions-TabberNeue/blob/2526daa9f8cfdd616c861c8439755cb74a6c8c6e/includes/Tabber.php#L160 The documentation for [`Parser::recursiveTagParse()`](https://doc.wikimedia.org/mediawiki-core/REL1_42/php/classMediaWiki_1_1Par...
In just two years, LLMs have become standard for developers — and non-developers — to generate code, but companies still need to improve security processes to reduce software vulnerabilities.
The Indian government has published a draft version of the Digital Personal Data Protection (DPDP) Rules for public consultation. "Data fiduciaries must provide clear and accessible information about how personal data is processed, enabling informed consent," India's Press Information Bureau (PIB) said in a statement released Sunday. "Citizens are empowered with rights to demand data erasure,
Every tap, click, and swipe we make online shapes our digital lives, but it also opens doors—some we never meant to unlock. Extensions we trust, assistants we rely on, and even the codes we scan are turning into tools for attackers. The line between convenience and vulnerability has never been thinner. This week, we dive into the hidden risks, surprising loopholes, and the clever tricks
In 2024, cyber threats targeting SaaS surged, with 7,000 password attacks blocked per second (just in Entra ID)—a 75% increase from last year—and phishing attempts up by 58%, causing $3.5 billion in losses (source: Microsoft Digital Defense Report 2024). SaaS attacks are increasing, with hackers often evading detection through legitimate usage patterns. The cyber threat arena saw standout
An Android information stealing malware named FireScam has been found masquerading as a premium version of the Telegram messaging app to steal data and maintain persistent remote control over compromised devices. "Disguised as a fake 'Telegram Premium' app, it is distributed through a GitHub.io-hosted phishing site that impersonates RuStore – a popular app store in the Russian Federation,"
AI is now essential for businesses, driving efficiency, innovation, and growth. Leverage its power for better decisions, customer…
SUMMARY: Do Hyeong Kwon (Do Kwon), the 33-year-old co-founder and former CEO of Terraform Labs, has been extradited…
Researchers at Cyfirma have discovered FireScam, an Android malware disguised as 'Telegram Premium' that steals data, monitors activity, and infiltrates devices. Learn about its distribution, functionality, and the impact on user privacy.