
Tag

#git

Gmail’s New Encrypted Messages Feature Opens a Door for Scams

Google is rolling out an end-to-end encrypted email feature for business customers, but it could spawn phishing attacks, particularly in non-Gmail inboxes.

Wired
#google #git #intel

Zoom attack tricks victims into allowing remote access to install malware and steal money

Attackers are luring victims into a Zoom call and then taking over their PC to install malware, infiltrate their accounts, and steal their assets.

4.7 million customers’ data accidentally leaked to Google by Blue Shield of California

Blue Shield of California said it accidentally leaked the personal data of 4.7 million individuals to Google after a Google Analytics misconfiguration.

Securing Fintech Operations Through Smarter Controls and Automation

With the rise of fintechs, accuracy alone isn’t enough; security and reliability are just as necessary. For fintech…

Elusive Comet Attack: Hackers Use Zoom Remote-Control to Steal Crypto

Hackers in the Elusive Comet campaign exploit Zoom’s remote-control feature to steal cryptocurrency, and over $100K lost in…

GHSA-3g36-gf7c-75qw: Mattermost Playbooks fails to properly validate the props used by the RetrospectivePost custom post type

Mattermost versions 10.4.x <= 10.4.2, 10.5.x <= 10.5.0, 9.11.x <= 9.11.10 fail to properly validate the props used by the RetrospectivePost custom post type in the Playbooks plugin, which allows an attacker to create a specially crafted post with maliciously crafted props and cause a denial of service (DoS) of the web app for all users.

GHSA-fr22-5377-f3p7: Mattermost Playbooks fails to properly validate permissions

Mattermost versions 10.4.x <= 10.4.2, 10.5.x <= 10.5.0, 9.11.x <= 9.11.10 fail to properly validate permissions for the API endpoint /plugins/playbooks/api/v0/signal/keywords/ignore-thread, allowing any user or attacker to delete posts containing actions created by the Playbooks bot, even without channel access or appropriate permissions.

GHSA-689c-xq7x-xjwf: Mattermost Playbooks fails to validate the uniqueness and quantity of task actions

Mattermost versions 10.4.x <= 10.4.2, 10.5.x <= 10.5.0, 9.11.x <= 9.11.10 fail to validate the uniqueness and quantity of task actions within the UpdateRunTaskActions GraphQL operation, which allows an attacker to create task items containing an excessive number of actions triggered by specific posts, overloading the server and leading to a denial-of-service (DoS) condition.

GHSA-4p4h-9gvq-7xfg: Duplicate Advisory: Picklescan Vulnerable to Exfiltration via DNS via linecache and ssl.get_server_certificate

# Duplicate Advisory

This advisory has been withdrawn because it is a duplicate of GHSA-93mv-x874-956g. This link is maintained to preserve external references.

# Original Description

The unsafe globals in Picklescan before 0.0.25 do not include ssl. Consequently, ssl.get_server_certificate can exfiltrate data via DNS after deserialization.

GHSA-2jh5-g5ch-43q5: YoutubeDLSharp allows command injection on windows system due to non sanitized arguments

## Summary

This vulnerability only applies when running on a Windows OS. An unsafe conversion of arguments allows the injection of malicious commands when starting `yt-dlp` from a command prompt.

> [!CAUTION]
> **NOTE THAT DEPENDING ON THE CONTEXT AND WHERE THE LIBRARY IS USED, THIS MAY HAVE MORE SEVERE CONSEQUENCES. FOR EXAMPLE, A USER USING THE LIBRARY LOCALLY IS A LOT LESS VULNERABLE THAN AN ASP.NET APPLICATION ACCEPTING INPUTS FROM A NETWORK/INTERNET.**

## Details

The vulnerability was introduced in a commit (https://github.com/Bluegrams/YoutubeDLSharp/commit/fdf3256da18d0e2da4a2f33ad4a1b72ff8273a50) 3 years ago to fix an issue with Unicode characters on Windows. (In the latest version at the time of writing this, the code seems to have moved here: https://github.com/Bluegrams/YoutubeDLSharp/blob/b2f7968a2ef06a9c7b2c212785cfeac0b187b6d8/YoutubeDLSharp/YoutubeDLProcess.cs#L87) In this commit, a new way of starting yt-dlp was implemented, method that was defined as the de...