Security
Headlines
HeadlinesLatestCVEs

Tag

#git

GHSA-6433-x5p4-8jc7: libxmljs vulnerable to type confusion when parsing specially crafted XML

libxmljs is vulnerable to a type confusion vulnerability when parsing a specially crafted XML while invoking a function on the result of `attrs()` that was called on a parsed node. This vulnerability might lead to denial of service (on both 32-bit systems and 64-bit systems), data leak, infinite loop and remote code execution (on 32-bit systems with the XML_PARSE_HUGE flag enabled).

ghsa
Open in Source
#vulnerability#dos#js#git#rce
GHSA-78h3-pg4x-j8cv: libxmljs vulnerable to type confusion when parsing specially crafted XML

libxmljs2 is vulnerable to a type confusion vulnerability when parsing a specially crafted XML while invoking the `namespaces()` function (which invokes `XmlNode::get_local_namespaces()`) on a grand-child of a node that refers to an entity. This vulnerability can lead to denial of service and remote code execution.

GHSA-mg49-jqgw-gcj6: libxmljs vulnerable to type confusion when parsing specially crafted XML

libxmljs is vulnerable to a type confusion vulnerability when parsing a specially crafted XML while invoking the `namespaces()` function (which invokes `_wrap__xmlNode_nsDef_get()`) on a grand-child of a node that refers to an entity. This vulnerability can lead to denial of service and remote code execution.

GHSA-wccg-v638-j9q2: karmada vulnerable to arbitrary code execution via a crafted command

An issue in karmada-io karmada v1.9.0 and before allows a local attacker to execute arbitrary code via a crafted command to get the token component.

DPRK's Kimsuky APT Abuses Weak DMARC Policies, Feds Warn

Organizations can go a long way toward preventing spoofing attacks by changing one basic parameter in their DNS settings.

Dropbox Sign customer data accessed in breach

After a breach in the Dropbox Sign environment, customer information may have been stolen and API users have restricted functionality

GHSA-xv64-8p4r-94gq: pgAdmin Cross-site Scripting vulnerability in /settings/store API response json payload

pgAdmin <= 8.5 is affected by XSS vulnerability in /settings/store API response json payload. This vulnerability allows attackers to execute malicious script at the client end.

GHSA-4q63-mr2m-57hf: kubevirt allows a local attacker to execute arbitrary code via a crafted command

An issue in kubevirt kubevirt v1.2.0 and before allows a local attacker to execute arbitrary code via a crafted command to get the token component.

GHSA-2mvc-557g-5638: pgAdmin is affected by a multi-factor authentication bypass vulnerability

pgAdmin <= 8.5 is affected by a multi-factor authentication bypass vulnerability. This vulnerability allows an attacker with knowledge of a legitimate account’s username and password may authenticate to the application and perform sensitive actions within the application, such as managing files and executing SQL queries, regardless of the account’s MFA enrollment status.

What can we learn from the passwords used in brute-force attacks?

There are some classics on this list — the ever-present “Password” password, Passw0rd (with a zero, not an “O”) and “123456.”