#git

Assets uploaded with appropriately crafted filenames may result in them being placed in a location different than what was configured. ### Impact - Affects front-end forms with `assets` fields. - Affects other places where assets can be uploaded, although users would need upload permissions anyway. - Files can be uploaded so they would be located on the server in a different location, and potentially override existing files. - Traversal _outside_ an asset container was not possible. ### Patches This has been fixed in 5.17.0.

A widespread social media campaign for EditProAI turns out to spread information stealers for both Windows and MacOS users.

Protect traveler data with these tips: use VPNs, manage app permissions, and secure travel documents. Travel companies should…

Our security teams work around the clock to help protect every person and organization on the planet from security threats. We also know that security is a team sport, and that’s why we also partner with the global security community through our bug bounty programs to proactively identify and mitigate potential issues before our customers are impacted.

As organizations are looking to modernize their applications they are also looking for a more secure and easy-to-use application platform. Along with this move to modernization, there is a noticeable shift away from managing long-lived credentials in favor of short-term, limited privilege mechanisms that do not require active management. This has led to the rapid adoption of managed identities in Microsoft Azure, and our customers expect the same from their application platforms such as Azure Red Hat OpenShift (ARO) – a fully-managed turnkey application platform that allows organizations to

### Summary Versions of step-security/harden-runner prior to v2.10.2 contain multiple command injection weaknesses via environment variables that could potentially be exploited under specific conditions. However, due to the current execution order of pre-steps in GitHub Actions and the placement of harden-runner as the first step in a job, the likelihood of exploitation is low as the Harden-Runner action reads the environment variable during the pre-step stage. There are no known exploits at this time. ### Details 1. setup.ts:169 [1] performs `execSync` with a command that gets invoked after interpretation by the shell. This command includes an interpolated `process.env.USER` variable, which an attacker could modify (without actually creating a new user) to inject arbitrary shell expressions into this `execSync`. This may or may not be likely in practice, but I believe the hygienic way to perform the underlying operation is to use `execFileSync` or similar and bypass the underlyin...

Freshly released court documents reveal new details on controversial Israeli spyware firm's operations.

Experimental counter-offensive system responds to malicious AI probes with their own surreptitious prompt-injection commands.