#git

### Summary Multiple Stored XSS can be triggered by the breadcrumb list and title fields with user input. ### Details 1. In the **/admin/categories** page, category title isn't sanitized and triggered xss. 2. In the category edit page under the **/admin/categories/**, category title in breadcrumb list isn't sanitized and triggered xss. 3. In the **/admin/entries** page, entry title isn't sanitized and triggered xss. 4. In the entry edit page under the **/admin/entries/**, entry title in breadcrumb list isn't sanitized and triggered xss. 5. In the **/admin/myaccount** and pages under it, username or full name in breadcrumb list isn't sanitized and triggered xss. ### Impact Malicious users can tamper with the control panel. ### PoC #### 1. In the **/admin/categories** page, category title isn't sanitized and triggered xss. ``` 1. Access to the Settings -> Categories ( /admin/settings/categories ) 2. Create new category group 3. Access to the Categories page ( /admin/categories/ ) 4. P...

Httpful has Insecure HTTPS Connections due to Missing Default Certificate Validation

### Summary Any pyload-ng running under python3.11 or below are vulnerable under RCE. Attacker can send a request containing any shell command and the victim server will execute it immediately. ### Details js2py has a vulnerability of sandbox escape assigned as [CVE-2024-28397](https://github.com/Marven11/CVE-2024-28397-js2py-Sandbox-Escape), which is used by the `/flash/addcrypted2` API endpoint of pyload-ng. Although this endpoint is designed to only accept localhost connection, we can bypass this restriction using HTTP Header, thus accessing this API and achieve RCE. ### PoC The PoC is provided as `poc.py` below, you can modify the shell command it execute: ```python import socket import base64 from urllib.parse import quote host, port = input("host: "), int(input("port: ")) payload = """ // [+] command goes here: let cmd = "head -n 1 /etc/passwd; calc; gnome-calculator;" let hacked, bymarve, n11 let getattr, obj hacked = Object.getOwnPropertyNames({}) bymarve = hacked.__get...

### Details The external-secrets has a deployment called default-external-secrets-cert-controller, which is bound with a same-name ClusterRole. This ClusterRole has "get/list" verbs of secrets resources(https://github.com/external-secrets/external-secrets/blob/main/deploy/charts/external-secrets/templates/cert-controller-rbac.yaml#L49). It also has path/update verb of validatingwebhookconfigurations resources(https://github.com/external-secrets/external-secrets/blob/main/deploy/charts/external-secrets/templates/cert-controller-rbac.yaml#L27). As a result, if a malicious user can access the worker node which has this deployment. he/she can: 1. For the "get/list secrets" permission, he/she can abuse the SA token of this deployment to retrieve or get ALL secrets in the whole cluster, including the cluster-admin secret if created. After that, he/she can abuse the cluster-admin secret to do whatever he/she likes to the whole cluster, resulting in a cluster-level privilege escalation. 2. Fo...

This week on the Lock and Code podcast, we speak with Eva Galperin about the arrest of Telegram's CEO and how it impacts security and privacy.

Improper sanitization of the value of the `[srcset]` attribute in `<source>` HTML elements in AngularJS allows attackers to bypass common image source restrictions, which can also lead to a form of Content Spoofing https://owasp.org/www-community/attacks/Content_Spoofing . This issue affects all versions of AngularJS. Note: The AngularJS project is End-of-Life and will not receive any updates to address this issue. For more information see here https://docs.angularjs.org/misc/version-support-status .

Improper sanitization of the value of the `[srcset]` attribute in AngularJS allows attackers to bypass common image source restrictions, which can also lead to a form of Content Spoofing https://owasp.org/www-community/attacks/Content_Spoofing . This issue affects AngularJS versions 1.3.0-rc.4 and greater. Note: The AngularJS project is End-of-Life and will not receive any updates to address this issue. For more information see here https://docs.angularjs.org/misc/version-support-status .

The proliferation of cybersecurity tools has created an illusion of security. Organizations often believe that by deploying a firewall, antivirus software, intrusion detection systems, identity threat detection and response, and other tools, they are adequately protected. However, this approach not only fails to address the fundamental issue of the attack surface but also introduces dangerous

The China-linked advanced persistent threat (APT) group known as Mustang Panda has been observed weaponizing Visual Studio Code software as part of espionage operations targeting government entities in Southeast Asia. "This threat actor used Visual Studio Code's embedded reverse shell feature to gain a foothold in target networks," Palo Alto Networks Unit 42 researcher Tom Fakterman said in a

xAI's generative AI tool, Grok AI, is unhinged compared to its competitors. It's also scooping up a ton of data people post on X. Here's how to keep your posts out of Grok—and why you should.