#git

### Impact In the implementation of version `0.0.1`, requests from different user clients are processed using a shared `httpx.AsyncClient`. However, one oversight is that the `httpx.AsyncClient` will persistently store cookies based on the `set-cookie` response header sent by the target server and share these cookies across different user requests. This results in a cookie leakage issue among all user clients sharing the same `httpx.AsyncClient`. ### Patches It's fixed in `0.1.0` ### Workarounds If you insist `0.0.1`: - Do not use `ForwardHttpProxy` at all. - Do not use `ReverseHttpProxy` or `ReverseWebSocketProxy` for any servers that may potentially send a `set-cookie` response. **However, it's best to upgrade to the latest version.** ### References fixed in [#10](https://github.com/WSH032/fastapi-proxy-lib/pull/10)

### Impact A flaw was discovered in OpenSearch, affecting the `_search` API that allowed a specially crafted query string to cause a Stack Overflow and ultimately a Denial of Service. The issue was identified by Elastic Engineering and corresponds to security advisory [ESA-2023-14](https://discuss.elastic.co/t/elasticsearch-8-9-1-7-17-13-security-update/343297) (CVE-2023-31419). ### Mitigation Versions 1.3.14 and 2.11.1 contain a fix for this issue. ### For more information If you have any questions or comments about this advisory, please contact AWS/Amazon Security via our issue reporting page (https://aws.amazon.com/security/vulnerability-reporting/) or directly via email to [aws-security@amazon.com](mailto:aws-security@amazon.com). Please do not create a public GitHub issue.

### Impact A security vulnerability has been identified in the expires parameter of the dpaste API, allowing for a POST Reflected XSS attack. This vulnerability can be exploited by an attacker to execute arbitrary JavaScript code in the context of a user's browser, potentially leading to unauthorized access, data theft, or other malicious activities. ### Patches - A patch has been applied to the dpaste GitHub repository to address the specific content value injection vulnerability. - Users are strongly advised to upgrade to dpaste release v3.8 or later versions, as dpaste versions older than v3.8 are susceptible to the identified security vulnerability. - The patch can be viewed and applied from the following link: [dpaste Commit Patch](https://github.com/DarrenOfficial/dpaste/commit/44a666a79b3b29ed4f340600bfcf55113bfb7086.patch) ### Workarounds At this time, the recommended course of action is to apply the provided patch to the affected systems. No known workarounds have been ident...

Senayan Library Management Systems (Slims) 9 Bulian v9.6.1 is vulnerable to SQL Injection via admin/modules/reporting/customs/fines_report.php.

RuoYi up to v4.6 was discovered to contain a SQL injection vulnerability via /system/dept/edit.

RuoYi up to v4.6 was discovered to contain a SQL injection vulnerability via /system/dept/edit.

A more proactive approach to fighting cyberattacks for US companies and agencies is shaping up under the CISA's proposal to emphasize real-time attack detection and response.

WBCE CMS version 1.6.1 suffers from a remote shell upload vulnerability.

Cross-site Scripting (XSS) - Reflected in GitHub repository viliusle/minipaint prior to 4.14.0.

Domain fronting is a technique to hide the true origin of HTTPS requests by hiding the real domain name encrypted inside a legitimate TLS request.