#git

### Impact Users with access to backend forms that include a [ColorPicker FormWidget](https://wintercms.com/docs/v1.2/docs/backend/forms#color-picker) can provide a value that would then be included without further processing in the compilation of custom stylesheets via LESS. This had the potential to lead to a Local File Inclusion vulnerability. By default, only the Brand Settings (backend.manage_branding) and Mail Brand Settings (system.manage_mail_templates) forms both include the colorpicker formwidget and pass the provided value to be compiled in LESS, however it is also common for themes to include it on their Theme Customization (cms.manage_theme_options) form and it is technically possible for the values on that form to also be used in LESS compilation: https://wintercms.com/docs/v1.2/docs/themes/development#asset-compiler-variables. ### Patches This issue has been patched in v1.2.4. ### Workarounds Apply https://github.com/wintercms/winter/commit/5bc9257fe2bc47d8b786a1b1bf9...

Ubuntu Security Notice 6563-1 - Multiple security issues were discovered in Thunderbird. If a user were tricked into opening a specially crafted website in a browsing context, an attacker could potentially exploit these to cause a denial of service, obtain sensitive information, bypass security restrictions, cross-site tracing, or execute arbitrary code. Marcus Brinkmann discovered that Thunderbird did not properly parse a PGP/MIME payload that contains digitally signed text. An attacker could potentially exploit this issue to spoof an email message.

FTPDMIN version 0.96 suffers from a denial of service vulnerability.

Ultra Mini HTTPd version 1.21 suffers from a denial of service vulnerability.

If you're at high risk of being targeted by mercenary spyware, or just don't mind losing iOS features for extra security, the company's restricted mode is surprisingly usable.

By Deeba Ahmed LinkedIn users, especially employees managing pages for large corporations, must remain vigilant as the platform has become a lucrative target for cybercriminals and state-backed hackers. This is a post from HackRead.com Read the original post: Hackers Attack UK’s Nuclear Waste Services Through LinkedIn

Security stakeholders have come to realize that the prominent role the browser has in the modern corporate environment requires a re-evaluation of how it is managed and protected. While not long-ago web-borne risks were still addressed by a patchwork of endpoint, network, and cloud solutions, it is now clear that the partial protection these solutions provided is no longer sufficient. Therefore,

Microsoft search protocol enables clients to initiate connections against an enterprise search service such as SharePoint or WebDav. During these search connections the protocol server… Continue reading → Initial Access – search-ms URI Handler

Microsoft search protocol enables clients to initiate connections against an enterprise search service such as SharePoint or WebDav. During these search connections the protocol server… Continue reading → Initial Access – search-ms URI Handler

Security researchers have detailed a new variant of a dynamic link library (DLL) search order hijacking technique that could be used by threat actors to bypass security mechanisms and achieve execution of malicious code on systems running Microsoft Windows 10 and Windows 11. The approach "leverages executables commonly found in the trusted WinSxS folder and exploits them via the classic DLL