#git

SuperAGI v0.0.13 was discovered to use a hardcoded key for encryption operations. This vulnerability can lead to the disclosure of information and communications.

Missing SSL certificate validation in localstack v2.3.2 allows attackers to eavesdrop on communications between the host and server via a man-in-the-middle attack.

Missing SSL certificate validation in HTTPie v3.2.2 allows attackers to eavesdrop on communications between the host and server via a man-in-the-middle attack.

H2O is vulnerable to stored XSS vulnerability which can lead to a Local File Include attack.

H2O included a reference to an S3 bucket that no longer existed allowing an attacker to take over the S3 bucket URL.

## Overview sharp uses libwebp to decode WebP images and versions prior to the latest 0.32.6 are vulnerable to the high severity https://github.com/advisories/GHSA-j7hp-h8jx-5ppr. ## Who does this affect? Almost anyone processing untrusted input with versions of sharp prior to 0.32.6. ## How to resolve this? ### Using prebuilt binaries provided by sharp? Most people rely on the prebuilt binaries provided by sharp. Please upgrade sharp to the latest 0.32.6, which provides libwebp 1.3.2. ### Using a globally-installed libvips? Please ensure you are using the latest libwebp 1.3.2. ## Possible workaround Add the following to your code to prevent sharp from decoding WebP images. ```js sharp.block({ operation: ["VipsForeignLoadWebp"] }); ```

A zero-day flaw in the Zimbra Collaboration email software was exploited by four different groups in real-world attacks to pilfer email data, user credentials, and authentication tokens. "Most of this activity occurred after the initial fix became public on GitHub," Google Threat Analysis Group (TAG) said in a report shared with The Hacker News. The flaw, tracked as CVE-2023-37580 (CVSS score:

Signal’s president reveals the cost of running the privacy-preserving platform—not just to drum up donations, but to call out the for-profit surveillance business models it competes against.

A Cross-Site scripting vulnerability has been found in CKSource CKEditor affecting versions 4.15.1 and earlier. An attacker could send malicious javascript code through the /`ckeditor/samples/old/ajax.html` file and retrieve an authorized user's information.

The threat actors behind the Rhysida ransomware engage in opportunistic attacks targeting organizations spanning various industry sectors. The advisory comes courtesy of the U.S. Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI), and the Multi-State Information Sharing and Analysis Center (MS-ISAC). "Observed as a ransomware-as-a-service (RaaS)