#perl

The standard library `net/http` package dependency used by File Browser improperly accepts a bare LF as a line terminator in chunked data chunk-size lines. I can permit request smuggling if a net/http server is used in conjunction with a server that incorrectly accepts a bare LF as part of a chunk-ext. See https://nvd.nist.gov/vuln/detail/CVE-2025-22871 for more details.

Mattermost versions 10.11.x <= 10.11.3, 10.5.x <= 10.5.11 fail to properly validate team membership permissions in the Add Channel Member API, which allows users from one team to access user metadata and channel membership information from other teams via the API endpoint.

### Summary When `Defaults targetpw` (or `Defaults rootpw`) is enabled, the password of the target account (or root account) instead of the invoking user is used for authentication. `sudo-rs` prior to 0.2.10 incorrectly recorded the invoking user’s UID instead of the authenticated-as user's UID in the authentication timestamp. Any later `sudo` invocation on the same terminal while the timestamp was still valid would use that timestamp, potentially bypassing new authentication even if the policy would have required it. ### Impact A highly-privileged user (able to run commands as other users, or as root, through sudo) who knows one password of an account they are allowed to run commands as, would be able to run commands as any other account the policy permits them to run commands for, even if they don't know the password for those accounts. A common instance of this would be that a user can still use their own password to run commands as root (the default behaviour of `sudo`), effectiv...

As of January 10, 2023, CISA will no longer be updating ICS security advisories for Siemens product vulnerabilities beyond the initial advisory. For the most up-to-date information on vulnerabilities in this advisory, please see Siemens' ProductCERT Security Advisories (CERT Services | Services | Siemens Global). View CSAF 1. EXECUTIVE SUMMARY CVSS v4 8.6 ATTENTION: Exploitable remotely/low attack complexity Vendor: Siemens Equipment: LOGO! 8 BM Devices Vulnerabilities: Buffer Copy without Checking Size of Input ('Classic Buffer Overflow'), Missing Authentication for Critical Function 2. RISK EVALUATION Successful exploitation of these vulnerabilities could allow an attacker to execute code remotely, put the device into a denial-of-service state, or change the behavior of the device. 3. TECHNICAL DETAILS 3.1 AFFECTED PRODUCTS Siemens reports that the following products are affected: LOGO! 12/24RCE (6ED1052-1MD08-0BA2): All versions SIPLUS LOGO! 12/24RCEo (6AG1052-2MD08-7BA2): All versi...

As of January 10, 2023, CISA will no longer be updating ICS security advisories for Siemens product vulnerabilities beyond the initial advisory. For the most up-to-date information on vulnerabilities in this advisory, please see Siemens' ProductCERT Security Advisories (CERT Services | Services | Siemens Global). View CSAF 1. EXECUTIVE SUMMARY CVSS v3 7.8 ATTENTION: Low attack complexity Vendor: Siemens Equipment: Altair Grid Engine Vulnerabilities: Generation of Error Message Containing Sensitive Information, Uncontrolled Search Path Element 2. RISK EVALUATION Successful exploitation of these vulnerabilities could allow an attacker to escalate privileges and execute arbitrary code with superuser permissions. 3. TECHNICAL DETAILS 3.1 AFFECTED PRODUCTS The following versions of Altair Grid Engine are affected: Altair Grid Engine: All versions prior to V2026.0.0 3.2 VULNERABILITY OVERVIEW 3.2.1 GENERATION OF ERROR MESSAGE CONTAINING SENSITIVE INFORMATION CWE-209 Affected products do not ...

As of January 10, 2023, CISA will no longer be updating ICS security advisories for Siemens product vulnerabilities beyond the initial advisory. For the most up-to-date information on vulnerabilities in this advisory, please see Siemens' ProductCERT Security Advisories (CERT Services | Services | Siemens Global). View CSAF 1. EXECUTIVE SUMMARY CVSS v4 8.7 ATTENTION: Exploitable remotely/low attack complexity Vendor: Siemens Equipment: Solid Edge Vulnerability: Improper Certificate Validation 2. RISK EVALUATION Successful exploitation of this vulnerability could allow an unauthenticated remote attacker to perform man in the middle attacks. 3. TECHNICAL DETAILS 3.1 AFFECTED PRODUCTS Siemens reports that the following products are affected: Siemens Solid Edge SE2025: All versions prior to V225.0 Update 11 3.2 VULNERABILITY OVERVIEW 3.2.1 IMPROPER CERTIFICATE VALIDATION CWE-295 Affected applications do not properly validate client certificates to connect to License Service endpoint. This c...

### Description The `Request` class improperly interprets some `PATH_INFO` in a way that leads to representing some URLs with a path that doesn't start with a `/`. This can allow bypassing some access control rules that are built with this `/`-prefix assumption. ### Resolution The `Request` class now ensures that URL paths always start with a `/`. The patch for this issue is available [here](https://github.com/symfony/symfony/commit/9962b91b12bb791322fa73836b350836b6db7cac) for branch 5.4. ### Credits We would like to thank Andrew Atkinson for discovering the issue, Chris Smith for reporting it and Nicolas Grekas for providing the fix.

### Impact Wasmtime's Rust embedder API contains an unsound interaction where a WebAssembly shared linear memory could be viewed as a type which provides safe access to the host (Rust) to the contents of the linear memory. This is not sound for shared linear memories, which could be modified in parallel, and this could lead to a data race in the host. Wasmtime has a `wasmtime::Memory` type which represents linear memories in a WebAssembly module. Wasmtime also has `wasmtime::SharedMemory`, however, which represents shared linear memories introduced in the WebAssembly `threads` proposal. The API of `SharedMemory` does not provide accessors which return `&[u8]` in Rust, for example, as that's not a sound type signature when other threads could be modifying memory. The `wasmtime::Memory` type, however, does provide this API as it's intended to be used with non-shared memories where static knowledge is available that no concurrent or parallel reads or writes are happening. This means tha...

The malware known as GootLoader has resurfaced yet again after a brief spike in activity earlier this March, according to new findings from Huntress. The cybersecurity company said it observed three GootLoader infections since October 27, 2025, out of which two resulted in hands-on keyboard intrusions with domain controller compromise taking place within 17 hours of initial infection. "

### Impact The prosemirror_to_html gem is vulnerable to Cross-Site Scripting (XSS) attacks through malicious HTML attribute values. While tag content is properly escaped, attribute values are not, allowing attackers to inject arbitrary JavaScript code. **Who is impacted:** - Any application using prosemirror_to_html to convert ProseMirror documents to HTML - Applications that process user-generated ProseMirror content are at highest risk - End users viewing the rendered HTML output could have malicious JavaScript executed in their browsers **Attack vectors include:** - `href` attributes with `javascript:` protocol: `<a href="javascript:alert(document.cookie)">` - Event handlers: `<div onclick="maliciousCode()">` - `onerror` attributes on images: `<img src=x onerror="alert('XSS')">` - Other HTML attributes that can execute JavaScript ### Patches A fix is currently in development. Users should upgrade to version **0.2.1** or later once released. The patch escapes all HTML ...