#git

Shuttle Booking Software version 1.0 suffers from multiple remote SQL injection vulnerabilities.

novel-plus 3.6.2 is vulnerable to SQL Injection.

An issue was discovered in MmMapIoSpace routine in Foxconn Live Update Utility 2.1.6.26, allows local attackers to escalate privileges.

BASupSrvcUpdater.exe in N-able Take Control Agent through 7.0.41.1141 before 7.0.43 has a TOCTOU Race Condition via a pseudo-symlink at %PROGRAMDATA%\GetSupportService_N-Central\PushUpdates, leading to arbitrary file deletion.

### Impact Under certain circumstances, an attacker could successfully submit an entity id for an `EntityType` that is *not* part of the valid choices. Affected applications are any that use: * A custom `query_builder` option to limit the valid results; AND * An `EntityType` with `'autocomplete' => true` or a custom [AsEntityAutocompleteField](https://symfony.com/bundles/ux-autocomplete/current/index.html#usage-in-a-form-with-ajax). Under this circumstance, if an id is submitted, it is accepted even if the matching record would not be returned by the custom query built with `query_builder`. ### Patches The problem has been fixed in `symfony/ux-autocomplete` version 2.11.2. ### Workarounds Upgrade to version 2.11.2 or greater of `symfony/ux-autocomplete` or perform extra validation after submit to verify the selected option is valid.

A new phishing attack is leveraging Facebook Messenger to propagate messages with malicious attachments from a "swarm of fake and hijacked personal accounts" with the ultimate goal of taking over the targets' accounts. "Originating yet again from a Vietnamese-based group, this campaign uses a tiny compressed file attachment that packs a powerful Python-based stealer dropped in a multi-stage

An issue has been discovered in GitLab affecting all versions starting from 10.6 before 16.1.5, all versions starting from 16.2 before 16.2.5, all versions starting from 16.3 before 16.3.1 in which any user can read limited information about any project's imports.

### Impact An issue was found in RKE2 where an attacker with network access to RKE2 servers' supervisor port (TCP 9345) can force the TLS server to add entries to the certificate's Subject Alternative Name (SAN) list, through a stuffing attack, until the certificate grows so large that it exceeds the maximum size allowed by TLS client implementations. OpenSSL for example will raise an `excessive message size` error when this occurs. No authentication is necessary to perform this attack, only the ability to perform a TLS handshake against the supervisor port (TCP 9345). Affected servers will continue to operate, but clients (server or agent nodes) will fail to establish new connections when joining or rejoining the cluster, thus leading to a denial of service (DoS) attack. ### Remediation Upgrade to a fixed release: - v1.28.1+rke2r1 - v1.27.5+rke2r1 - v1.26.8+rke2r1 - v1.25.13+rke2r1 - 1.24.17+rke2r1 If you are using RKE2 1.27 or earlier, you must also add the parameter `tls-san-se...

### Impact An issue was found in K3s where an attacker with network access to K3s servers' apiserver/supervisor port (TCP 6443) can force the TLS server to add entries to the certificate's Subject Alternative Name (SAN) list, through a stuffing attack, until the certificate grows so large that it exceeds the maximum size allowed by TLS client implementations. OpenSSL for example will raise an `excessive message size` error when this occurs. No authentication is necessary to perform this attack, only the ability to perform a TLS handshake against the apiserver/supervisor port (TCP 6443). Affected servers will continue to operate, but clients (including both external administrative access with `kubectl` and server or agent nodes) will fail to establish new connections, thus leading to a denial of service (DoS) attack. ### Remediation Upgrade to a fixed release: - v1.28.1+k3s1 - v1.27.5+k3s1 - v1.26.8+k3s1 - v1.25.13+k3s1 - v1.24.17+k3s1 If you are using K3s 1.27 or earlier, you mus...

By ghostadmin Crypto bot trading is the use of automated software to buy and sell cryptocurrencies. These bots are programmed… This is a post from HackRead.com Read the original post: Crypto Bot Trading: What It Is and Successful Strategies