#git

### Description In a sandbox, and attacker can access attributes of Array-like objects as they were not checked by the security policy. They are now checked via the property policy and the `__isset()` method is now called after the security check. **This is a BC break.** ### Resolution The sandbox mode now ensures access to array-like's properties is allowed. The patch for this issue is available [here](https://github.com/twigphp/twig/commit/249615d3bfc3ce1672815a265458c0bcf8f7cc61) for branch 3.11.x. ### Credits We would like to thank Jamie Schouten for reporting the issue and Nicolas Grekas for providing the fix.

### Description In a sandbox, an attacker can call `__toString()` on an object even if the `__toString()` method is not allowed by the security policy when the object is part of an array or an argument list (arguments to a function or a filter for instance). ### Resolution The sandbox mode now checks the `__toString()` method call on all objects. The patch for this issue is available [here](https://github.com/twigphp/twig/commit/407647c1036518c90b0188bb31b55f19ca84c328) for branch 3.x. ### Credits We would like to thank Jamie Schouten for reporting the issue and Fabien Potencier for providing the fix.

Omdia Principal Analyst Hollie Hennessy says that until a promising new set of regulations around the world comes online, connected device security entails a shared responsibility among consumers, enterprises, and manufacturers.

Gentoo Linux Security Advisory 202411-5 - Multiple vulnerabilities have been discovered in libgit2, the worst of which could lead to arbitrary code execution. Versions greater than or equal to 1.7.2 are affected.

Ubuntu Security Notice 7088-3 - Ziming Zhang discovered that the VMware Virtual GPU DRM driver in the Linux kernel contained an integer overflow vulnerability. A local attacker could use this to cause a denial of service. Several security issues were discovered in the Linux kernel. An attacker could possibly use these to compromise the system.

Red Hat Security Advisory 2024-8906-03 - A new release is now available for Red Hat Satellite 6.16 for RHEL 8 and 9. Issues addressed include bypass, denial of service, memory leak, remote SQL injection, and traversal vulnerabilities.

Global Blockchain Scams Surge on BASE and Across Networks, Trugard Labs Reports.

An ongoing threat campaign dubbed VEILDrive has been observed taking advantage of legitimate services from Microsoft, including Teams, SharePoint, Quick Assist, and OneDrive, as part of its modus operandi. "Leveraging Microsoft SaaS services — including Teams, SharePoint, Quick Assist, and OneDrive — the attacker exploited the trusted infrastructures of previously compromised organizations to

INTERPOL with global law enforcement and Group-IB, successfully dismantled a vast network of malicious IP addresses and servers.…

### Summary Authentication bypass occurs when the API URL ends with Authentication, Configuration or ServerInfo. This bypass allows superuser access to all API endpoints other than Authentication. These endpoints include the ability to add, edit, and remove products, among others. ### Details All endpoints, apart from the /Authentication is affected by the vulnerability. The vulnerability allows unauthenticated users to access all API functionality. You can look for the following pattern in the logs to check if the vulnerabilty was exploited:  Note that the url starts with v and contains a valid CodeChecker endpoint, but it ends in `Authentication`, `Configuration` or `ServerInfo` and it was made by an `Anonymous` user. ### Impact This authentication bypass allows querying, adding, changing, and deleting Products contained on the CodeChecker server, without authentication, by an anonymous user....