Tag
#git
Failing to properly encode user input, some backend components are vulnerable to Cross-Site Scripting. A valid backend user account is needed to exploit this vulnerability.
The default authentication service misses to invalidate empty strings as password. Therefore it is possible to authenticate backend and frontend users without password set in the database. Note: TYPO3 does not allow to create user accounts without a password. Your TYPO3 installation might only be affected if there is a third party component creating user accounts without password by directly manipulating the database.
### Summary gradio-pdf projects with dependencies on the pdf.js library are vulnerable to CVE-2024-4367, which allows arbitrary JavaScript execution. ### PoC 1. Generate a pdf file with a malicious script in the fontmatrix. (This will run `alert(‘XSS’)`.) [poc.pdf](https://github.com/user-attachments/files/15516798/poc.pdf) 2. Run the app. In this PoC, I've used the demo for a simple proof.  3. Upload a PDF file containing the script.  4. Check that the script is running.  ### Impact Malicious scripts can be injected into the code, and when linked with vulnerabilities such as CSRF, it can cause even greater damage. In particular, It can become a source of further attacks, e...
### Impact Digital downloads sold in online shops can be downloaded without valid payment, e.g. if the payment didn't succeed. ### Patches New versions for the Aimeos HTML client 2020-2024 are available
Financially motivated sextortion of teenage boys is the fastest-growing global cybercrime, according to the FBI and Homeland Security.
### Impact User with administrative privileges and upload files that look like images but contain PHP code which can then be executed in the context of the web server.
### Impact All users of url-to-png. Please see https://github.com/jasonraimondi/url-to-png/issues/47 ### Patches [v2.0.3](https://github.com/jasonraimondi/url-to-png/releases/tag/v2.0.3) requires input url to be of protocol `http` or `https` ### Workarounds Requires upgrade. ### References - https://github.com/jasonraimondi/url-to-png/issues/47 - https://github.com/user-attachments/files/15536336/Arbitrary.File.Read.via.Playwright.s.Screenshot.Feature.Exploiting.File.Wrapper.pdf
### Summary PIMCore uses the JavaScript library jQuery in version 3.4.1. This version is vulnerable to cross-site-scripting (XSS). ### Details In jQuery versions greater than or equal to 1.0.3 and before 3.5.0, passing HTML containing elements from untrusted sources - even after sanitizing it to one of jQuery's DOM manipulation methods (i.e. .html(), .append(), and others) may execute untrusted code. This problem is patched in jQuery 3.5.0. Publish Date: 2020-04-29 URL:= https://security.snyk.io/package/npm/jquery/3.4.1
This post was authored by Kalpesh Mantri. Cisco Talos is actively tracking a recent increase in activity from malicious email campaigns containing a suspicious Microsoft Excel attachment that, when opened, infected the victim's system with the DarkGate malware. These campaigns, active since the second week of
HyperCycle enhances AI safety and efficiency with cryptographic proofs and peer-to-peer nodes. HyperShare supports decentralized governance and income…