Tag
## Summary and impact [`GoogleOAuthenticator.hosted_domain`] is used to restrict what Google accounts can be authorized to access a JupyterHub. The restriction _is intended_ to ensure Google accounts are part of one or more Google organizations/workspaces verified to control specified domain(s). The vulnerability is that the actual restriction has been to Google accounts with emails ending with the domain. Such accounts could have been created by anyone which at one time was able to read an email associated with the domain. This was described by Dylan Ayrey (@dxa4481) in this [blog post] from 15th December 2023. ## Remediation Upgrade to `oauthenticator>=16.3.0` or restrict who can login another way, such as [`allowed_users`] or [`allowed_google_groups`]. [`GoogleOAuthenticator.hosted_domain`]: https://oauthenticator.readthedocs.io/en/latest/reference/api/gen/oauthenticator.google.html#oauthenticator.google.GoogleOAuthenticator.hosted_domain [`allowed_users`]: https://oauthenticat...
There is also a newly disclosed vulnerability in a graphics driver for some NVIDIA GPUs that could lead to a memory leak.
Ubuntu Security Notice 6702-1 - It was discovered that the NVIDIA Tegra XUSB pad controller driver in the Linux kernel did not properly handle return values in certain error conditions. A local attacker could use this to cause a denial of service. It was discovered that the ARM Mali Display Processor driver implementation in the Linux kernel did not properly handle certain error conditions. A local attacker could possibly use this to cause a denial of service.
By Daily Contributors Last week, Charles Dray from Resonance Security organized a meeting for me with Davide Vicini, the CEO of Freename, which is a company in… This is a post from HackRead.com Read the original post: Owning Versus Renting – The Circumstances of Web3 Domains
Tramyardg Autoexpress version 1.3.0 suffers from a persistent cross site scripting vulnerability.
Tramyardg Autoexpress version 1.3.0 allows for authentication bypass via unauthenticated API access to admin functionality. This could allow a remote anonymous attacker to delete or update vehicles as well as upload images for vehicles.
Tramyardg Autoexpress version 1.3.0 suffers from a remote SQL injection vulnerability.
Quick.CMS version 6.7 suffers from a remote SQL injection vulnerability that allows for authentication bypass.
A manager at an unnamed telecommunications company has admitted to SIM swapping his customers.
UPS Network Management Card version 4 suffers from a path traversal vulnerability.