Security
Headlines
GHSA-g9gq-3pfx-2gw2: OWASP Java HTML Sanitizer is vulnerable to XSS via noscript tag and improper style tag sanitization

### Summary
It is observed that the OWASP Java HTML Sanitizer is vulnerable to XSS if `HtmlPolicyBuilder` allows the `noscript` and `style` tags with `allowTextIn` for the `style` tag. This could lead to XSS if the payload is crafted in such a way that the CSS is not sanitised and tags which are not mentioned in the HTML policy are allowed.

### Details
The OWASP Java HTML Sanitizer is vulnerable to XSS. This only happens when `HtmlPolicyBuilder` allows the `noscript` and `style` tags with `allowTextIn` for the `style` tag. This condition is a very edge case: if users combine an `HtmlPolicyBuilder` with any other tags except `noscript` and allow the `style` tag with `allowTextIn` for the `style` tag, then the sanitizer is safe from XSS. This happens because of how the browser perceives `noscript` tags post sanitization.

### PoC
1. Let's create an `HtmlPolicyBuilder` which allows the `p`, `noscript` and `style` HTML tags and calls `.allowTextIn("style")`.
2. There are two XSS payloads which very ...

GHSA-4vcf-q4xf-f48m: Better Auth Passkey Plugin allows passkey deletion through IDOR

# Summary
Affected versions of the better-auth passkey plugin allow users with any valid session to delete arbitrary passkeys via their ID using `POST /passkey/delete-passkey`.

# Details
`ctx.body.id` is implicitly trusted and used in passkey deletion queries. better-auth applications configured with `useNumberId` may use auto-incrementing IDs, which makes it trivial to delete all passkeys via enumeration.

GHSA-8frv-q972-9rq5: cggmp24 and cggmp21 are vulnerable to signature forgery through altered presignatures

### Impact
This attack is against presignatures used in very specific contexts:

* Presignatures + HD wallet derivation: security level reduces to 85 bits
  Previously users could generate a presignature, and then choose an HD derivation path while issuing a partial signature via [`Presignature::set_derivation_path`](https://docs.rs/cggmp21/0.6.3/cggmp21/signing/struct.Presignature.html#method.set_derivation_path), which is malleable to an attack that reduces the target security level. To mitigate, this method has been removed from the API.
* Presignatures + "raw signing" (when the signer signs a hash without knowing the original message): results in a signature forgery attack
  Previously, users were able to configure [`Presignature::issue_partial_signature`](https://docs.rs/cggmp21/0.6.3/cggmp21/signing/struct.Presignature.html#method.issue_partial_signature) with a hashed message without ever providing the original message. In the new API, this method only accepts digests for which the original message has been...

GHSA-m95p-425x-x889: cggmp21 has a missing check in the ZK proof used in CGGMP21

### Impact
This advisory concerns a missing check in the ZK proof used in cggmp21 that enables an attack in which a single malicious signer can reconstruct the full private key.

### Patches
* `cggmp21 v0.6.3` is a patch release that contains a fix introducing this specific missing check.
* However, cggmp21 recommends upgrading to `cggmp24 v0.7.0-alpha.2`, which contains many other security checks as a precaution. Follow the [migration guideline](https://github.com/LFDT-Lockness/cggmp21/blob/v0.7.0-alpha.2/CGGMP21_MIGRATION.md) to upgrade.

### Workarounds
Update to `cggmp21 v0.6.3`, a minor release that contains a minimal security patch. However, for full mitigation, users will need to upgrade to `cggmp24 v0.7.0-alpha.2`, as it contains many more security check implementations.

### Resources
Read this [blog post](https://www.dfns.co/article/cggmp21-vulnerabilities-patched-and-explained) to learn more.

GHSA-66jq-2c23-2xh5: VictoriaMetrics' Snappy Decoder DoS Vulnerability is Causing OOM

### Impact
Affected versions are vulnerable to DoS attacks because the Snappy decoder ignored VictoriaMetrics request size limits, allowing malformed blocks to trigger excessive memory use. This could lead to OOM errors and service instability. The fix enforces block-size checks based on MaxRequest limits.

### Patches
Versions 1.129.1, 1.122.8, 1.110.23

### Resources
- https://github.com/VictoriaMetrics/VictoriaMetrics/releases/tag/v1.129.1
- https://github.com/VictoriaMetrics/VictoriaMetrics/releases/tag/v1.122.8
- https://github.com/VictoriaMetrics/VictoriaMetrics/releases/tag/v1.110.23

### Note
VictoriaMetrics' security model assumes its APIs are properly secured (e.g. via access control flags or a firewall); this advisory addresses malicious input that should not be possible under a [correctly secured](https://docs.victoriametrics.com/victoriametrics/single-server-victoriametrics/#security) deployment.

GHSA-xv5p-fjw5-vrj6: Fugue is Vulnerable to Remote Code Execution by Pickle Deserialization via FlaskRPCServer

### Summary
The Fugue framework implements an RPC server system for distributed computing operations. In the core functionality of the RPC server implementation, I found that the `_decode()` function in `fugue/rpc/flask.py` directly uses `cloudpickle.loads()` to deserialize data without any sanitization. This creates a remote code execution vulnerability when malicious pickle data is processed by the RPC server. The vulnerability exists in the RPC communication mechanism where the client can send arbitrary serialized Python objects that will be deserialized on the server side, allowing attackers to execute arbitrary code on the victim's machine.

### Details
The `_decode()` function in `fugue/rpc/flask.py` directly uses `cloudpickle.loads()` to deserialize data without any sanitization.

### PoC
* Step 1: The victim user starts an RPC server binding to an open network using the Fugue framework. Here, I use the official RPC server code to initialize the server.
* Step 2: The attacker modifies the `_encode()`...

Can We Trust AI with Our Cybersecurity? The Growing Importance of AI Security

Artificial intelligence (AI) helps us in doing small and big things that are important in our daily lives.…

GHSA-w66h-j855-qr72: GeoServer has a Reflected Cross-Site Scripting (XSS) vulnerability in its WMS GetFeatureInfo HTML format

### Summary
A reflected cross-site scripting (XSS) vulnerability exists in the WMS GetFeatureInfo HTML output format that enables a remote attacker to execute arbitrary JavaScript code in a victim's browser through specially crafted SLD_BODY parameters.

### Details
The WMS service setting that controls HTML auto-escaping is either disabled by default, or completely missing, in the affected versions (see workarounds).

### Impact
If an attacker can control a script that is executed in the victim's browser, then they can typically fully compromise that user. Amongst other things, the attacker can:
1. Perform any action within the application that the user can perform.
2. View any information that the user is able to view.
3. Modify any information that the user is able to modify.
4. Initiate interactions with other application users, including malicious attacks, that will appear to originate from the initial victim user.

### Workarounds
Changing any of the following WMS service sett...

New ClickFix wave infects users with hidden malware in images and fake Windows updates

ClickFix just got more convincing, hiding malware in PNG images and faking Windows updates to make users run dangerous commands.