#js

A Reflected Cross-Site Scripting (XSS) vulnerability exists in the 404 error handling logic of wabac.js v2.23.10 and below. The parameter `requestURL` (derived from the original request target) is directly embedded into an inline `<script>` block without sanitization or escaping. This allows an attacker to craft a malicious URL that executes arbitrary JavaScript in the victim’s browser. The scope may be limited by CORS policies, depending on the situation in which wabac.js is used. ### Patches The vulnerability is fixed in wabac.js v2.23.11.

Microsoft on Tuesday addressed a set of 80 security flaws in its software, including one vulnerability that has been disclosed as publicly known at the time of release. Of the 80 vulnerabilities, eight are rated Critical and 72 are rated Important in severity. None of the shortcomings has been exploited in the wild as a zero-day. Like last month, 38 of the disclosed flaws are related to

### Summary In ```model_dict = torch.load(full_path, map_location=torch.device(device), weights_only=True)``` in monai/bundle/scripts.py , ```weights_only=True``` is loaded securely. However, insecure loading methods still exist elsewhere in the project, such as when loading checkpoints. This is a common practice when users want to reduce training time and costs by loading pre-trained models downloaded from platforms like huggingface. Loading a checkpoint containing malicious content can trigger a deserialization vulnerability, leading to code execution. The following proof-of-concept demonstrates the issues that arise when loading insecure checkpoints. ``` import os import tempfile import json import torch from pathlib import Path class MaliciousPayload: def __reduce__(self): return (os.system, ('touch /tmp/hacker2.txt',)) def test_checkpoint_loader_attack(): temp_dir = Path(tempfile.mkdtemp()) checkpoint_file = temp_dir / "m...

### Summary The extractall function ```zip_file.extractall(output_dir)``` is used directly to process compressed files. It is used in many places in the project. When the Zip file containing malicious content is decompressed, it will overwrite the system files. In addition, the project allows the download of the zip content through the link, which increases the scope of exploitation of this vulnerability. When reproducing locally, follow the process below to create a malicious zip file and simulate the process of remotely downloading the zip file. ``` root@autodl-container-a53c499c18-c5ca272d:~/autodl-tmp/mmm# mkdir -p test_bundle root@autodl-container-a53c499c18-c5ca272d:~/autodl-tmp/mmm# echo "malicious content" > test_bundle/malicious.txt root@autodl-container-a53c499c18-c5ca272d:~/autodl-tmp/mmm# cd test_bundle root@autodl-container-a53c499c18-c5ca272d:~/autodl-tmp/mmm/test_bundle# zip -r ../malicious.zip . ../../../../../../etc/passwd adding: malicious.txt (stored 0%) addi...

### Summary Files starting with the same name with the public directory were served bypassing the `server.fs` settings. ### Impact Only apps that match the following conditions are affected: - explicitly exposes the Vite dev server to the network (using --host or [`server.host` config option](https://vitejs.dev/config/server-options.html#server-host)) - uses [the public directory feature](https://vite.dev/guide/assets.html#the-public-directory) (enabled by default) - a symlink exists in the public directory ### Details The [servePublicMiddleware](https://github.com/vitejs/vite/blob/9719497adec4ad5ead21cafa19a324bb1d480194/packages/vite/src/node/server/middlewares/static.ts#L79) function is in charge of serving public files from the server. It returns the [viteServePublicMiddleware](https://github.com/vitejs/vite/blob/9719497adec4ad5ead21cafa19a324bb1d480194/packages/vite/src/node/server/middlewares/static.ts#L106) function which runs the needed tests and serves the page. The viteSer...

### Summary Any HTML files on the machine were served regardless of the `server.fs` settings. ### Impact Only apps that match the following conditions are affected: - explicitly exposes the Vite dev server to the network (using --host or [server.host config option](https://vitejs.dev/config/server-options.html#server-host)) - `appType: 'spa'` (default) or `appType: 'mpa'` is used This vulnerability also affects the preview server. The preview server allowed HTML files not under the output directory to be served. ### Details The [serveStaticMiddleware](https://github.com/vitejs/vite/blob/9719497adec4ad5ead21cafa19a324bb1d480194/packages/vite/src/node/server/middlewares/static.ts#L123) function is in charge of serving static files from the server. It returns the [viteServeStaticMiddleware](https://github.com/vitejs/vite/blob/9719497adec4ad5ead21cafa19a324bb1d480194/packages/vite/src/node/server/middlewares/static.ts#L136) function which runs the needed tests and serves the page. The...

September Microsoft Patch Tuesday. A total of 103 vulnerabilities, 29 fewer than in August. Of these, 25 vulnerabilities were added between the August and September MSPT. So far, no vulnerabilities are known to be exploited in the wild. Two have public PoC exploits: 🔸 DoS – Newtonsoft.Json (CVE-2024-21907)🔸 EoP – Azure Networking (CVE-2025-54914) Notable among […]

### Summary Cross-Site Request Forgery (CSRF) is an attack that forces an end user to execute unwanted actions on a web application in which they’re currently authenticated. With a little help of social engineering (such as sending a link via email or chat), an attacker may trick the users of a web application into executing actions of the attacker’s choosing. If the victim is a normal user, a successful CSRF attack can force the user to perform state changing requests like transferring funds, changing their email address, and so forth. If the victim is an administrative account, CSRF can compromise the entire web application. ### Details During a security evaluation of the webapp, every http request in addition to the session cookie `session` there included `nonce`. The value is not checked and validated by the backend, removing `nonce` allows the requests to be processed correctly. This may seem harmless, but if chained to other vulnerabilities it can become a critical vulnerabi...

The DuckDB distribution for [Node.js](http://node.js/) on [npm](https://www.npmjs.com/) was compromised with malware (along with [several other packages](https://www.aikido.dev/blog/npm-debug-and-chalk-packages-compromised)). An attacker published new versions of four of duckdb’s packages that included **malicious code to interfere with cryptocoin transactions**. The following packages and versions are affected: - `@duckdb/node-api@1.3.3` - `@duckdb/node-bindings@1.3.3` - `duckdb@1.3.3` - `@duckdb/duckdb-wasm@1.29.2` > Note: The current release version of DuckDB is 1.3.2, with 1.4.0 expected to be released on Sept 10th, 2025 (tomorrow as of this writing). We do not plan to ever release a “legit” DuckDB 1.3.3. Users should double-check that they are not accidentally updating to those affected versions. We have ourselves noticed this *within four hours* of it happening. Here’s our response: - As an immediate response, we have **deprecated** the specific versions. - We have reached...

**I am running SQL Server on my system. What action do I need to take?** Update your relevant version of SQL Server. Any applicable driver fixes are included in those updates. **There are GDR and/or CU (Cumulative Update) updates offered for my version of SQL Server. How do I know which update to use?** * First, determine your SQL Server version number. For more information on determining your SQL Server version number, see Microsoft Knowledge Base Article 321185 - How to determine the version, edition, and update level of SQL Server and its components. * Second, in the following table, locate your version number or the version range that your version number falls within. The corresponding update is the one you need to install. **Note** If your SQL Server version number is not represented in the table below, your SQL Server version is no longer supported. Please upgrade to the latest Service Pack or SQL Server product to apply this and future security updates. Update Number T...