Security
Headlines
HeadlinesLatestCVEs

Tag

#git

GHSA-9v8m-qv22-f268: Umbraco Forms's Short and Long Answer Fields Are Not Validated Server-Side For Maximum Length

### Impact Character limits configured by editors for short and long answer fields are validated only client-side, not server-side. ### Patches Patched in 8.13.16, 10.5.7, 13.2.2, 14.1.2

ghsa
Open in Source
#git
GHSA-86c2-4x57-wc8g: Git Credential Manager carriage-return character in remote URL allows malicious repository to leak credentials

### Description The [Git credential protocol](https://git-scm.com/docs/git-credential#IOFMT) is text-based over standard input/output, and consists of a series of lines of key-value pairs in the format `key=value`. Git's documentation restricts the use of the NUL (`\0`) character and newlines to form part of the keys[^1] or values. When Git reads from standard input, it considers both LF and CRLF[^2] as newline characters for the credential protocol by virtue of [calling `strbuf_getline`](https://github.com/git/git/blob/6a11438f43469f3815f2f0fc997bd45792ff04c0/credential.c#L311) that calls to `strbuf_getdelim_strip_crlf`. Git also validates that a newline is not present in the value by checking for the presence of the line-feed character (LF, `\n`), and errors if this is the case. This captures both LF and CRLF-type newlines. Git Credential Manager uses the .NET standard library [`StreamReader`](https://learn.microsoft.com/en-us/dotnet/api/system.io.streamreader?view=net-8.0) class t...

Blockchain in cybersecurity: opportunities and challenges 

Cybersecurity is facing new challenges with advances in AI, cloud tech, and increasing cyber threats. Solutions like blockchain…

Zero-Day Security Bug Likely Fueling Fortinet Firewall Attacks

An ongoing campaign targeting FortiGate devices with management interfaces exposed on the public Internet is leading to unauthorized administrative logins and configuration changes, creating new accounts, and performing SSL VPN authentication.

GHSA-vgf2-gvx8-xwc3: Vyper Does Not Check the Success of Certain Precompile Calls

### Summary When the Vyper Compiler uses the precompiles EcRecover (0x1) and Identity (0x4), the success flag of the call is not checked. As a consequence an attacker can provide a specific amount of gas to make these calls fail but let the overall execution continue. Then the execution result can be incorrect. Based on EVM's rules, after the failed precompile the remaining code has only 1/64 of the pre-call-gas left (as 63/64 were forwarded and spent). Hence, only fairly simple executions can follow the failed precompile calls. Therefore, we found no significantly impacted real-world contracts. ### Details #### The relevant precompiles ##### EcRecover EcRecover is used in vyper's `ecrecover` built-in. As the precompile consumes 3000 gas, any execution after an out-of-gas EcRecover call has at most 47 gas left. ##### Identity - The Identity precompile is used in vyper to perform memory copy operations. As its cost is variable, a variable amount of gas might be left after a fai...

GHSA-j2jg-fq62-7c3h: Gradio Blocked Path ACL Bypass Vulnerability

## Summary Gradio's Access Control List (ACL) for file paths can be bypassed by altering the letter case of a blocked file or directory path. This vulnerability arises due to the lack of case normalization in the file path validation logic. On case-insensitive file systems, such as those used by Windows and macOS, this flaw enables attackers to circumvent security restrictions and access sensitive files that should be protected. This issue can lead to unauthorized data access, exposing sensitive information and undermining the integrity of Gradio's security model. Given Gradio's popularity for building web applications, particularly in machine learning and AI, this vulnerability may pose a substantial threat if exploited in production environments. ## Affected Version Gradio <= 5.6.0 ## Impact - **Unauthorized Access**: Sensitive files or directories specified in `blocked_paths` can be accessed by attackers. - **Data Exposure**: Critical files, such as configuration files or use...

GHSA-2fx5-pggv-6jjr: TYPO3 Potential Open Redirect via Parsing Differences

### Problem Applications that use `TYPO3\CMS\Core\Http\Uri` to parse externally provided URLs (e.g., via a query parameter) and validate the host of the parsed URL may be vulnerable to open redirect or SSRF attacks if the URL is used after passing the validation checks. ### Solution Update to TYPO3 versions 9.5.49 ELTS, 10.4.48 ELTS, 11.5.42 ELTS, 12.4.25 LTS, 13.4.3 LTS that fix the problem described. ### Credits Thanks to Sam Mush who reported this issue and to TYPO3 core & security team member Benjamin Franzke who fixed the issue. ### References * [TYPO3-CORE-SA-2025-002](https://typo3.org/security/advisory/typo3-core-sa-2025-002)

New Startups Focus on Deepfakes, Data-in-Motion &amp; Model Security

In times of unprecedented change, innovative mindsets and attentiveness of startup culture make for a community everyone can leverage to understand the world and guard against its dangers.

Hackers Using Fake YouTube Links to Steal Login Credentials

Cybercriminals exploit fake YouTube links to redirect users to phishing pages, stealing login credentials via URI manipulation and…

AI, Web3 and Decentralization: Tech Trends Shaping 2025’s Altcoin Season

Prepare for the 2025 altcoin season: experts predict rising interest in altcoins like WorldCoin, driven by Web3, blockchain,…