#git

Name: ISA-2025-003: Malicious validator can spoof votes from other validators Component: tendermint-rs Criticality: High (Catastrophic Impact; Rare Likelihood per [ACMv1.2](https://github.com/interchainio/security/blob/main/resources/CLASSIFICATION_MATRIX.md)) Affected versions: <= v0.40.2 Affected users: Everyone ### Description tendermint-rs contains a critical vulnerability in its light client implementation due to insecure handling of corrupted validator sets. Because it doesn't check that the validator address is correctly derived from the validator's public key when counting votes, it is possible to spoof votes from other validators. The result is being able to construct the malicious block and cheat the light client. The light client will accept such a block, seemingly signed by 2/3+ majority. ### Patches The new tendermint-rs release [v0.40.3](https://github.com/informalsystems/tendermint-rs/releases/tag/v0.40.3) fixes this issue. Unreleased code in the main branch is pat...

### Summary In koa < 2.16.1 and < 3.0.0-alpha.5, passing untrusted user input to ctx.redirect() even after sanitizing it, may execute javascript code on the user who use the app. ### Patches This issue is patched in 2.16.1 and 3.0.0-alpha.5. ### PoC https://gist.github.com/linhnph05/03d677b183636af206ff781bdd19701a ### Impact 1. Redirect user to another phishing site 2. Make request to another endpoint of the application based on user's cookie 3. Steal user's cookie

### Summary There was an insecure deserialization in BentoML's runner server. By setting specific headers and parameters in the POST request, it is possible to execute any unauthorized arbitrary code on the server, which will grant the attackers to have the initial access and information disclosure on the server. ### PoC - First, create a file named **model.py** to create a simple model and save it ``` import bentoml import numpy as np class mymodel: def predict(self, info): return np.abs(info) def __call__(self, info): return self.predict(info) model = mymodel() bentoml.picklable_model.save_model("mymodel", model) ``` - Then run the following command to save this model ``` python3 model.py ``` - Next, create **bentofile.yaml** to build this model ``` service: "service.py" description: "A model serving service with BentoML" python: packages: - bentoml - numpy models: - tag: MyModel:latest include: - "*.py" ``` - Then, create **service.p...

A bypass has been identified for the previously known vulnerability CVE-2017-0929, allowing unauthenticated attackers to execute arbitrary GET requests against target systems, including internal or adjacent networks. ### Impact This vulnerability facilitates a semi-blind SSRF attack, allowing attackers to make the target server send requests to internal or external URLs without viewing the full responses. Potential impacts include internal network reconnaissance, bypassing firewalls.

Luxembourg, Luxembourg, 9th April 2025, CyberNewsWire

GitGuardian's State of Secrets Sprawl report for 2025 reveals the alarming scale of secrets exposure in modern software environments. Driving this is the rapid growth of non-human identities (NHIs), which have been outnumbering human users for years. We need to get ahead of it and prepare security measures and governance for these machine identities as they continue to be deployed, creating an

Medusa ransomware hits NASCAR, demands $4M ransom, leaks internal files. Group also claims Bridgebank, McFarland, and Pulse Urgent Care.

Beware of deceptive Google Ads targeting QuickBooks and always confirm the website URL before logging in, as fake sites can bypass even 2FA.

### Summary An improper uploaded media ownership check can result in inadvertent deletion of media when a user is banned with content removal or purged. This can lead to deletion of media that was not uploaded by the banned/purged user. This also applies to purged communities, in which case all media posted in that community will get deleted without proper ownership check. This is limited to media with an `image/*` content-type returned by pict-rs. ### Details Lemmy did not associate users with media uploads until version 0.19.0 ([#3927](https://github.com/LemmyNet/lemmy/pull/3927)). Back when the first parts of content purging were implemented for 0.17.0 ([#1809](https://github.com/LemmyNet/lemmy/pull/1809)), it was therefore not possible to properly identify media belonging to a specific user for situations in which this data should get erased from pict-rs, Lemmy's media storage backend. Pict-rs deduplicates uploaded files transparently. As a result, it has two types of media delet...

### Impact It's possible to guess the deepLinkCode of an Document to open documents of other customers ### Patches Update to Shopware 6.6.10.3 or 6.5.8.17 ### Workarounds For older versions of 6.4, corresponding security measures are also available via a plugin. For the full range of functions, we recommend updating to the latest Shopware version.