#vulnerability

A recent case of alleged cyber-voyeurism shows how important it is to secure your computer against unwanted eavesdroppers using malware.

## Impact wallabag versions prior to 2.6.11 were discovered to contain multiple Cross-Site Request Forgery (CSRF) vulnerabilities across several endpoints. An attacker could craft a malicious link or page that, if visited by a logged-in wallabag user, could trick the user's browser into performing unintended actions within their wallabag account without their consent. Additionally, one endpoint affects the login page locale setting. The affected endpoints allow attackers to potentially perform actions such as: * **Manage API Tokens:** * `/generate-token` * `/revoke-token` * **Manage User Rules:** * `/tagging-rule/delete/{taggingRule}` * `/ignore-origin-user-rule/delete/{ignoreOriginUserRule}` * **Modify User Configuration:** * `/config/view-mode` * **Manage Individual Entries:** * `/reload/{id}` * `/archive/{id}` * `/star/{id}` * `/delete/{id}` * `/share/{id}` * `/share/delete/{id}` * **Manage Tags:** * `/remove-tag/{entry}/{tag}` ...

Name: ISA-2025-003: Malicious validator can spoof votes from other validators Component: tendermint-rs Criticality: High (Catastrophic Impact; Rare Likelihood per [ACMv1.2](https://github.com/interchainio/security/blob/main/resources/CLASSIFICATION_MATRIX.md)) Affected versions: <= v0.40.2 Affected users: Everyone ### Description tendermint-rs contains a critical vulnerability in its light client implementation due to insecure handling of corrupted validator sets. Because it doesn't check that the validator address is correctly derived from the validator's public key when counting votes, it is possible to spoof votes from other validators. The result is being able to construct the malicious block and cheat the light client. The light client will accept such a block, seemingly signed by 2/3+ majority. ### Patches The new tendermint-rs release [v0.40.3](https://github.com/informalsystems/tendermint-rs/releases/tag/v0.40.3) fixes this issue. Unreleased code in the main branch is pat...

### Summary In koa < 2.16.1 and < 3.0.0-alpha.5, passing untrusted user input to ctx.redirect() even after sanitizing it, may execute javascript code on the user who use the app. ### Patches This issue is patched in 2.16.1 and 3.0.0-alpha.5. ### PoC https://gist.github.com/linhnph05/03d677b183636af206ff781bdd19701a ### Impact 1. Redirect user to another phishing site 2. Make request to another endpoint of the application based on user's cookie 3. Steal user's cookie

### Summary There was an insecure deserialization in BentoML's runner server. By setting specific headers and parameters in the POST request, it is possible to execute any unauthorized arbitrary code on the server, which will grant the attackers to have the initial access and information disclosure on the server. ### PoC - First, create a file named **model.py** to create a simple model and save it ``` import bentoml import numpy as np class mymodel: def predict(self, info): return np.abs(info) def __call__(self, info): return self.predict(info) model = mymodel() bentoml.picklable_model.save_model("mymodel", model) ``` - Then run the following command to save this model ``` python3 model.py ``` - Next, create **bentofile.yaml** to build this model ``` service: "service.py" description: "A model serving service with BentoML" python: packages: - bentoml - numpy models: - tag: MyModel:latest include: - "*.py" ``` - Then, create **service.p...

A bypass has been identified for the previously known vulnerability CVE-2017-0929, allowing unauthenticated attackers to execute arbitrary GET requests against target systems, including internal or adjacent networks. ### Impact This vulnerability facilitates a semi-blind SSRF attack, allowing attackers to make the target server send requests to internal or external URLs without viewing the full responses. Potential impacts include internal network reconnaissance, bypassing firewalls.

### Impact The buffer created for parsing metadata for PNG and WebP images was only bounded by their input data type, which could lead to potentially large memory allocation, and unreasonably high for image metadata. Before `v0.11.0`, If you didn't trust the input images, this could be abused to construct denial-of-service attacks. ### Patches `v0.11.0` added a 10 MB upper limit.

### Impact The EXIF data format allows for defining excessively large data structures in relatively small payloads. Before `v0.10.0`, If you didn't trust the input images, this could be abused to construct denial-of-service attacks. ### Patches `v0.10.0` added LimitNumTags (default 5000) and LimitTagSize (default 10000) options.

### Impact Improper neutralization of the `order`/`sort` parameter in the TypeORM adapter, which allows SQL injection. You are impacted by this vulnerability if you are using the TypeORM adapter, ordering is enabled and you have not set-up a property filter. Versions 0.0.1, 0.0.2 and 0.0.3 are affected by this vulnerability. ### Patches This vulnerability has been fixed in version 0.1.0 and newer, which introduces TypeORM field validation (enabled by default). ### Workarounds #### Add an allowlist of fields List all valid fields and use the `filterProperties` function to filter out invalid fields before passing the crudRequest to the `TypeOrmQueryAdapter`. Here's an example: ```ts crudRequest = filterProperties(crudRequest, ['id', 'title', 'category.name']); ``` #### Disable ordering Cleanup the `order` field just before passing it to the `TypeOrmQueryAdapter`. Here's an example: ```ts crudRequest.order = []; ```

### Impact Authenticated users to the Umbraco backoffice are able to craft management API request that exploit a path traversal vulnerability to upload files into a incorrect location. ### Patches The issue affects Umbraco 14+ and is patched in 14.3.4 and 15.3.1. ### Workarounds Umbraco supports the configuration of [allowed](https://docs.umbraco.com/umbraco-cms/reference/configuration/contentsettings#allowed-upload-file-extensions) and [disallowed file extensions](https://docs.umbraco.com/umbraco-cms/reference/configuration/contentsettings#disallowed-upload-file-extensions). Using these options to allow only necessary file extensions significantly reduces the scope of the vulnerability.