Security
Headlines


GHSA-547m-23x7-cxg5: PaddlePaddle null pointer dereference in paddle.nextafter

A null pointer dereference in paddle.nextafter in PaddlePaddle before 2.6.0. This flaw can cause a runtime crash and a denial of service.

GHSA-mr78-v55p-7777: PaddlePaddle segfault in paddle.mode

An out-of-bounds access in paddle.mode in PaddlePaddle before 2.6.0. This flaw can cause a runtime crash and a denial of service.

GHSA-2wcj-qr76-9768: PaddlePaddle segfault in paddle.put_along_axis

A null pointer dereference in paddle.put_along_axis in PaddlePaddle before 2.6.0. This flaw can cause a runtime crash and a denial of service.

GHSA-xjpw-hx47-rccv: PaddlePaddle floating point exception in paddle.nanmedian

A floating point exception in paddle.nanmedian in PaddlePaddle before 2.6.0. This flaw can cause a runtime crash and a denial of service.

GHSA-wjc4-73q6-gv3m: plotly.js prototype pollution vulnerability

In Plotly plotly.js before 2.25.2, plot API calls can pollute `__proto__` (prototype pollution) through expandObjectPaths or nestedProperty when attacker-controlled attribute paths are expanded.
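The mechanism behind this class of bug, as an added example that is not plotly.js code: a toy nested-property setter in the style of the API the advisory names, first unguarded and then hardened. The helper names (splitPath, setNestedUnsafe, setNestedSafe, demo) and the hostile paths are assumptions constructed for the illustration, not taken from the advisory.

```javascript
// Added example, not plotly.js code: a toy nested-property setter shown
// unguarded and then hardened. All names here are assumed for the illustration.

// 'a.b[0].c' -> ['a', 'b', '0', 'c']  (constructed toy path parser)
function splitPath(path) {
  return path.replace(/\[(\d+)\]/g, '.$1').split('.').filter(Boolean);
}

// Unguarded: descends into whatever cur[key] resolves to, inherited properties
// included, and only creates a container when the slot is empty. A path such
// as '__proto__.x' or 'constructor.prototype.x' therefore walks onto
// Object.prototype and the final write lands on every object in the process.
function setNestedUnsafe(target, path, value) {
  const parts = splitPath(path);
  let cur = target;
  for (let i = 0; i < parts.length - 1; i++) {
    const key = parts[i];
    if (cur[key] === undefined || cur[key] === null) cur[key] = {};
    cur = cur[key];
  }
  cur[parts[parts.length - 1]] = value;
  return target;
}

// Hardened: refuse the keys that reach a prototype, and only descend into
// own properties so an inherited object is never reused as a container.
const FORBIDDEN_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

function setNestedSafe(target, path, value) {
  const parts = splitPath(path);
  for (const key of parts) {
    if (FORBIDDEN_KEYS.has(key)) {
      throw new Error('refusing prototype-reaching key in path: ' + path);
    }
  }
  let cur = target;
  for (let i = 0; i < parts.length - 1; i++) {
    const key = parts[i];
    const own = Object.prototype.hasOwnProperty.call(cur, key);
    if (!own || typeof cur[key] !== 'object' || cur[key] === null) cur[key] = {};
    cur = cur[key];
  }
  cur[parts[parts.length - 1]] = value;
  return target;
}

// Runs both setters against the same hostile paths and reports what an
// unrelated, never-touched object sees afterwards.
function demo() {
  const hostilePaths = ['__proto__.polluted', 'constructor.prototype.polluted2'];
  const result = {};

  for (const p of hostilePaths) setNestedUnsafe({}, p, 'yes');
  const victim = {};                         // never passed to the setter
  result.unsafePolluted = victim.polluted;   // 'yes': Object.prototype was written
  result.unsafePolluted2 = victim.polluted2; // 'yes': via constructor.prototype
  delete Object.prototype.polluted;          // clean up the global damage
  delete Object.prototype.polluted2;

  result.safeRejected = 0;
  for (const p of hostilePaths) {
    try { setNestedSafe({}, p, 'yes'); } catch (e) { result.safeRejected++; }
  }
  const victim2 = {};
  result.safeLeaked = victim2.polluted;      // undefined: nothing reached the prototype
  // The hardened setter still handles ordinary attribute paths.
  result.benign = setNestedSafe({}, 'layout.xaxis.title', 'x').layout.xaxis.title;
  return result;
}
```

The check on own properties matters as much as the deny-list: a deny-list alone still lets a setter walk through any object that happens to be reachable by inheritance, and a deny-list that omits `constructor` and `prototype` leaves the second path open.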

Defunct Ambulance Service Data Breach Impacts Nearly 1 Million People

By Waqas. The victim of this data breach is Fallon Ambulance Services, a subsidiary of Transformative Healthcare. (HackRead.com)

Oops! Black Basta ransomware flubs encryption

Researchers have found a flaw in the Black Basta ransomware encryption algorithm, allowing decryption of some files.

Navigating the Complex World of Capital Markets with Technology

By Owais Sultan. The world of capital markets has changed dramatically over the past few years. Today, most transactions are conducted… (HackRead.com)

DNA data deserves better, with Suzanne Bernstein: Lock and Code S05E01

This week on the Lock and Code podcast, we speak with Suzanne Bernstein about DNA privacy and protecting data from hackers.

GHSA-ghm2-rq8q-wrhc: Potential Actions command injection in output filenames (GHSL-2023-275)

### Summary

The [`tj-actions/verify-changed-files`](https://github.com/tj-actions/verify-changed-files) action allows command injection through changed filenames, letting an attacker execute arbitrary code and potentially leak secrets.

### Details

The [`verify-changed-files`](https://github.com/tj-actions/verify-changed-files) workflow returns the list of files changed within a workflow execution. Those filenames may contain special characters such as `;` and \` (backtick), which an attacker can use to take over the [GitHub Runner](https://docs.github.com/en/actions/using-github-hosted-runners/about-github-hosted-runners) if the output value is used raw (directly substituted into the script text before execution) inside a `run` block. By running custom commands an attacker may be able to steal **secrets** such as `GITHUB_TOKEN` if the workflow is triggered on events other than `pull_request`, for example on `push`.

#### Proof of Concept

1. Submit a pull request to ...