Tag
#ssh
Business Logic Errors in GitHub repository ikus060/rdiffweb prior to 2.5.5.
Improper Access Control in GitHub repository ikus060/rdiffweb prior to 2.5.5.
Failure to Sanitize Special Elements into a Different Plane (Special Element Injection) in GitHub repository ikus060/rdiffweb prior to 2.5.5.
Securing videoconferencing solutions is just one of many IT security challenges small businesses are facing, often with limited financial and human resources.
What is the worst that can happen when a developer's machine is compromised? Depending on the developer's position, attackers gain access to nearly everything: SSH keys, credentials, access to CI/CD pipelines and production infrastructure, the works.
"Largest attack of its kind": A potent Southeast Asian e-commerce fraud ring has declared war on US retailers, targeting billions in goods in just the past month and forcing mules into its scheme.
An iframe that was not permitted to run scripts could do so if the user clicked on a `javascript:` link. This vulnerability affects Firefox < 102, Firefox ESR < 91.11, Thunderbird < 102, and Thunderbird < 91.11.
Mozilla developers and community members Gabriele Svelto, Sebastian Hengst, Randell Jesup, Luan Herrera, Lars T Hansen, and the Mozilla Fuzzing Team reported memory safety bugs present in Firefox 96. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability affects Firefox < 97.
### Impact

The filesystem glob pattern wildcards `*`, `?`, and `[...]` match file path literals and leading dots by default, which unintentionally exposes sub folder content of allowed paths. Example: The `fs` scope `$HOME/*.key` would also allow `$HOME/.ssh/secret.key` to be read even though it is in a sub directory of `$HOME` and is inside a hidden folder. Scopes without the wildcards are not affected. As `**` allows for sub directories the behavior there is also as expected.

### Patches

The issue has been patched in the latest release and was backported into the currently supported 1.x branches.

### Workarounds

No workaround is known at the time of publication.

### References

The original report contained information that the `dialog.open` component automatically allows one sub directory to be read, regardless of the `recursive` option. Imagine a file system looking like

```
o ../
o documents/
  - file.txt
  - deeper/
    o deep_file.txt
```

Reproduction steps: ...
Threat actors continue to evolve the malicious botnet, which has also added a list of new vulnerabilities it can use to target devices.