Tag
#git
The U.S. Federal Bureau of Investigation (FBI) has warned that cybercriminals are impersonating financial institutions with an aim to steal money or sensitive information to facilitate account takeover (ATO) fraud schemes. The activity targets individuals, businesses, and organizations of varied sizes and across sectors, the agency said, adding the fraudulent schemes have led to more than $262
### Summary A reflected Cross-Site Scripting (XSS) vulnerability exists in the Mediapool view where the request parameter `args[types]` is rendered into an info banner without HTML-escaping. This allows arbitrary JavaScript execution in the backend context when an authenticated user visits a crafted link while logged in. ### Details Control Flow: 1. `redaxo/src/addons/mediapool/pages/index.php` reads args via `rex_request('args', 'array')` and passes them through as `$argUrl` to `media.list.php`. 2. `redaxo/src/addons/mediapool/pages/media.list.php` injects `$argUrl['args']['types']` into an HTML string without escaping: ``` if (!empty($argUrl['args']['types'])) { echo rex_view::info(rex_i18n::msg('pool_file_filter') . ' <code>' . $argUrl['args']['types'] . '</code>'); } ``` ### PoC 1. Log into the REDAXO backend. 2. While authenticated, open a crafted URL like: `<host>/index.php?page=mediapool/media&args[types]="><img+src%3Dx+onerror%3Dalert%28document.domain%29>` 4. The inf...
### Summary During the login process, the server response included a parameter called isMasterAdmin. By intercepting and modifying this parameter value from false to true, a user is able to gain access to the admin dashboard interface. However, despite accessing the admin panel, the user does not have sufficient permissions to view or interact with actual data. ### PoC Intercept the login response and change "isMasterAdmin": false → "isMasterAdmin": true <img width="1405" height="567" alt="image" src="https://github.com/user-attachments/assets/7036398b-bb41-46c1-b66a-e49ec2bc3abb" /> <img width="1533" height="476" alt="2" src="https://github.com/user-attachments/assets/4efcaef5-a939-4729-be43-3af62a7d02f8" /> ### Impact The admin dashboard is viewable.
### Summary It is observed that OWASP java html sanitizer is vulnerable to XSS if HtmlPolicyBuilder allows `noscript` and `style` tags with `allowTextIn` inside the style tag. This could lead to XSS if the payload is crafted in such a way that it does not sanitise the CSS and allows tags which is not mentioned in HTML policy. ### Details The OWASP java HTML sanitizer is vulnerable to XSS. This only happens when HtmlPolicyBuilder allows `noscript` & `style` tag with `allowTextIn` inside style tags. The following condition is very edge case but if users combine a HtmlPolicyBuilder with any other tags except `noscript` and allow `style` tag with `allowTextIn` inside the style tag then In this case sanitizer would be safe from XSS. This happens because how the browser also perceives `noscript` tags post sanitization. ### PoC 1. Lets create a `HtmlPolicyBuilder` which allows `p, noscript, style` html tags and allows `.allowTextIn("style")`. 2. There are two XSS payloads which very ...
# Summary Affected versions of the better-auth passkey plugin allow users with any valid session to delete arbitrary passkeys via their ID using `POST /passkey/delete-passkey`. # Details `ctx.body.id` is implicitly trusted and used in passkey deletion queries. better-auth applications configured with `useNumberId` may use auto incrementing IDs which makes it trivial to delete all passkeys via enumeration.
### Impact This attack is against presignatures used in very specific context: * Presignatures + HD wallets derivation: security level reduces to 85 bits \ Previously users could generate a presignature, and then choose a HD derivation path while issuing a partial signature via [`Presignature::set_derivation_path`](https://docs.rs/cggmp21/0.6.3/cggmp21/signing/struct.Presignature.html#method.set_derivation_path), which is malleable to attack that reduces target security level. To mitigate, this method has been removed from API. * Presignatures + "raw signing" (when signer signs a hash without knowing an original message): results into signature forgery attack \ Previously, users were able to configure [`Presignature::issue_partial_signature`](https://docs.rs/cggmp21/0.6.3/cggmp21/signing/struct.Presignature.html#method.issue_partial_signature) with hashed message without ever providing original mesage. In new API, this method only accepts digests for which original message has been...
### Impact cggmp21 concerns a missing check in the ZK proof that enables an attack in which a single malicious signer can reconstruct full private key. ### Patches * `cggmp21 v0.6.3` is a patch release that contains a fix that introduces this specific missing check * However, cggmp21 recommends upgrading to `cggmp24 v0.7.0-alpha.2` which contains many other security checks as a precaution. Follow [migration guideline](https://github.com/LFDT-Lockness/cggmp21/blob/v0.7.0-alpha.2/CGGMP21_MIGRATION.md) to upgrade. ### Workarounds Update to `cggmp21 v0.6.3`, a minor release that contains a minimal security patch. However, for full mitigation, users will need to upgrade to `cggmp24 v0.7.0-alpha.2` as it contains many more security check implementations. ### Resources Read this [blog post](https://www.dfns.co/article/cggmp21-vulnerabilities-patched-and-explained) to learn more.
### Impact Affected versions are vulnerable to DoS attacks because the snappy decoder ignored VictoriaMetrics request size limits allowing malformed blocks to trigger excessive memory use. This could lead to OOM errors and service instability. The fix enforces block-size checks based on MaxRequest limits. ### Patches Versions 1.129.1, 1.122.8, 1.110.23 ### Resources - https://github.com/VictoriaMetrics/VictoriaMetrics/releases/tag/v1.129.1 - https://github.com/VictoriaMetrics/VictoriaMetrics/releases/tag/v1.122.8 - https://github.com/VictoriaMetrics/VictoriaMetrics/releases/tag/v1.110.23 ### Note VictoriaMetrics' security model assumes its APIs are properly secured (e.g. via access control flags or a firewall); this advisory addresses malicious input that should not be possible under a [correctly secured](https://docs.victoriametrics.com/victoriametrics/single-server-victoriametrics/#security) deployment.
### Summary The Fugue framework implements an RPC server system for distributed computing operations. In the core functionality of the RPC server implementation, I found that the _decode() function in fugue/rpc/flask.py directly uses cloudpickle.loads() to deserialize data without any sanitization. This creates a remote code execution vulnerability when malicious pickle data is processed by the RPC server.The vulnerability exists in the RPC communication mechanism where the client can send arbitrary serialized Python objects that will be deserialized on the server side, allowing attackers to execute arbitrary code on the victim's machine. ### Details _decode() function in fugue/rpc/flask.py directly uses cloudpickle.loads() to deserialize data without any sanitization. ### PoC * Step1: The victim user starts an RPC server binding to open network using the Fugue framework. Here, I use the official RPC server code to initialize the server. * Step2: The attacker modifies the _encode()...
Artificial intelligence (AI) helps us in doing small and big things that are important in our daily lives.…