Tag

#git

GHSA-4jmm-c6jw-g796: Filestash configured to skip TLS certificate verification when using the FTPS protocol

filestash v0.4 is configured to skip TLS certificate verification when using the FTPS protocol, possibly allowing attackers to execute a man-in-the-middle attack via the Init function of index.go.

North Koreans Target Devs Worldwide With Spyware, Job Offers

DEV#POPPER is back, looking to deliver a comprehensive, updated infostealer to coding job seekers by way of a savvy social engineering gambit.

GHSA-258h-f687-4226: PheonixAppAPI has visible Encoding Maps

### Impact
The issue is that the map of encoding/decoding languages is visible in the code.

### Patches
The problem was patched in 0.2.4.

### Workarounds
The only known workaround is to apply the fix to the code manually.

GHSA-567v-6hmg-6qg7: ZITADEL "ignoring unknown usernames" vulnerability

### Impact
ZITADEL administrators can enable a setting called "Ignoring unknown usernames" which helps mitigate attacks that try to guess/enumerate usernames. If enabled, ZITADEL will show the password prompt even if the user doesn't exist and report "Username or Password invalid". Due to an implementation change to prevent deadlocks calling the database, the flag would not be correctly respected in all cases and an attacker would gain information on whether an account exists within ZITADEL, since the error message shows "object not found" instead of the generic error message.

### Patches
- 2.x versions are fixed on >= [2.58.1](https://github.com/zitadel/zitadel/releases/tag/v2.58.1)
- 2.57.x versions are fixed on >= [2.57.1](https://github.com/zitadel/zitadel/releases/tag/v2.57.1)
- 2.56.x versions are fixed on >= [2.56.2](https://github.com/zitadel/zitadel/releases/tag/v2.56.2)
- 2.55.x versions are fixed on >= [2.55.5](https://github.com/zitadel/zitadel/releases/tag/v2.55.5)
- 2.54.x versions are fi...

GHSA-v333-7h2p-5fhv: ZITADEL has improper HTML sanitization in emails and Console UI

### Impact
ZITADEL uses HTML for emails and renders certain information such as usernames dynamically. That information can be entered by users or administrators. Due to missing output sanitization, these emails could include malicious code. This may potentially lead to a threat where an attacker, without privileges, could send out altered notifications that are part of the registration processes. An attacker could create a malicious link, where the injected code would be rendered as part of the email.

During investigation of this issue a related issue was found and mitigated, where on the user's detail page the username was not sanitized and would also render HTML, giving an attacker the same vulnerability.

While it was possible to inject HTML including JavaScript, the execution of such scripts would be prevented by most email clients and the Content Security Policy in Console UI.

### Patches
2.x versions are fixed on >= [2.58.1](https://github.com/zitadel/zitadel/releases/tag/...

GHSA-8m9j-2f32-2vx4: MobSF vulnerable to Open Redirect in Login Redirect

### Impact
An open redirect vulnerability exists in the MobSF authentication view.

PoC
1. Go to http://127.0.0.1:8000/login/?next=//afine.com in a web browser.
2. Enter credentials and press "Sign In".
3. You will be redirected to [afine.com](http://afine.com/)

Users who are not using authentication are not impacted.

### Patches
Update to MobSF v4.0.5

### Workarounds
Disable Authentication

### References
Fix: https://github.com/MobSF/Mobile-Security-Framework-MobSF/commit/fdaad81314f393d324c1ede79627e9d47986c8c8

### Reporter
Marcin Węgłowski

GHSA-55p7-v223-x366: IdentityServer Open Redirect vulnerability

### Impact
It is possible for an attacker to craft malicious URLs that certain functions in IdentityServer will incorrectly treat as local and trusted. If such a URL is returned as a redirect, some browsers will follow it to a third-party, untrusted site.

### Affected Methods
- In the `DefaultIdentityServerInteractionService`, the `GetAuthorizationContextAsync` method may return non-null and the `IsValidReturnUrl` method may return true for malicious URLs, indicating incorrectly that they can be safely redirected to.

_UI code calling these two methods is the most commonly used code path that will expose the vulnerability. The default UI templates rely on this behavior in the Login, Challenge, and Consent pages. Customized user interface code might also rely on this behavior. The following uncommonly used APIs are also vulnerable:_

- The `ServerUrlExtensions.GetIdentityServerRelativeUrl`, `ReturnUrlParser.ParseAsync` and `OidcReturnUrlParser.ParseAsync` methods may incorrectly re...

Siri Bug Enables Data Theft on Locked Apple Devices

Malicious actors could potentially exploit this vulnerability if they gain physical access to a user's device.

Microsoft: Azure DDoS Attack Amplified by Cyber-Defense Error

The sustained cyberattack, likely made worse by a mitigation snafu, disrupted several Azure cloud services for nearly eight hours on July 30.