#vulnerability

Mattermost versions 10.1.x <= 10.1.2, 10.0.x <= 10.0.2, 9.11.x <= 9.11.4, 9.5.x <= 9.5.12 fail to properly validate the type of callProps which allows a user to cause a client side (webapp and mobile) DoS to users of particular channels, by sending a specially crafted post.

Mattermost versions 10.1.x <= 10.1.2, 10.0.x <= 10.0.2, 9.11.x <= 9.11.4, and 9.5.x <= 9.5.12 fail to prevent concurrently checking and updating the failed login attempts. which allows an attacker to bypass of "Max failed attempts" restriction and send a big number of login attempts before being blocked via simultaneously sending multiple login requests

Mattermost versions 10.1.x <= 10.1.2, 10.0.x <= 10.0.2, 9.11.x <= 9.11.4, 9.5.x <= 9.5.12 fail to limit the file size for slack import file uploads which allows a user to cause a DoS via zip bomb by importing data in a team they are a team admin.

Resecurity unveils AI-powered GSOC at NATO Edge 2024, integrating VR for advanced cybersecurity. Tailored for MSSPs, it enhances…

Plus: The US indicts North Koreans in fake IT worker scheme, file-sharing firm Cleo warns customers to patch a vulnerability amid live attacks, and more.

Defenders running the Cleo managed file transfer are urged to be on the lookout for the Cleopatra backdoor and other indicators of an ongoing ransomware campaign, as patching details remain foggy, and no CVE has been issued.

Businesses deploying large language models and other GenAI systems have a growing collection of open source tools for testing AI security.

A new side-channel attack method is a computationally practical way to infer the structure of a convolutional neural network — meaning that cyberattackers or rival companies can plagiarize AI models and take their data for themselves.

### Impact Users hosting D-Tale publicly can be vulnerable to remote code execution allowing attackers to run malicious code on the server. ### Patches Users should upgrade to version 3.16.1 where the `update-settings` endpoint blocks the ability for users to update the `enable_custom_filters` flag. You can find out more information on how to turn that flag on [here](https://github.com/man-group/dtale#custom-filter) ### Workarounds The only workaround for versions earlier than 3.16.1 is to only host D-Tale to trusted users. ### References See "Custom Filter" [documentation](https://github.com/man-group/dtale#custom-filter)

### Summary A vulnerability exists in the FAQ Record component where a privileged attacker can trigger a file download on a victim's machine upon page visit by embedding it in an <iframe> element without user interaction or explicit consent. ### Details In http://localhost/admin/index.php?action=editentry&id=20&lang=en, where a FAQ record is either created or edited, an attacker can insert an iframe, as "source code", pointing to a prior "malicious" attachment that the attacker has uploaded via FAQ "new attachment" upload, such that any page visits to this FAQ will trigger an automated download (from the edit screen, download is automated; from the faq page view as a normal user, depending on the browser, a pop up confirmation may be presented before the actual download. Firebox browser, for instance, does not require any interactions).  ### PoC 1. create a new FAQ record and upload a "maliciou...