Tag

#web

GHSA-47qw-ccjm-9c2c: LocalS3 XML Parser Vulnerable to XML External Entity (XXE) Injection

## Description

The LocalS3 project, which implements an S3-compatible storage interface, contains a critical XML External Entity (XXE) Injection vulnerability in its XML parsing functionality. When processing XML requests for multipart upload operations, the application accepts and processes XML external entities, allowing an attacker to read local system files and potentially make outbound network connections. The vulnerability exists because the XML parser is configured to process external entities and DTD (Document Type Definition) declarations without proper restrictions. This allows an attacker to define external entities that can read local files and exfiltrate their contents through outbound HTTP requests. The vulnerability is particularly severe as it allows direct access to sensitive files on the filesystem, bypassing any directory traversal protections that might be in place for normal S3 operations.

## Steps to Reproduce

1. Create a malicious DTD file containing the fol...

GHSA-g6wm-2v64-wq36: LocalS3 CreateBucketConfiguration Endpoint XML External Entity (XXE) Injection

## Description

The LocalS3 service's bucket creation endpoint is vulnerable to XML External Entity (XXE) injection. When processing the CreateBucketConfiguration XML document during bucket creation, the service's XML parser is configured to resolve external entities. This allows an attacker to declare an external entity that references an internal URL, which the server will then attempt to fetch when parsing the XML. The vulnerability specifically occurs in the location constraint processing, where the XML parser resolves external entities without proper validation or restrictions. When the external entity is resolved, the server makes an HTTP request to the specified URL and includes the response content in the parsed XML document. This vulnerability can be exploited to perform server-side request forgery (SSRF) attacks, allowing an attacker to make requests to internal services or resources that should not be accessible from external networks. The server will include the responses...

Over 1000 Malicious Packages Found Exploiting Open-Source Platforms

Over 1,000 malicious packages found using low file counts, suspicious installs, and hidden APIs. Learn key detection methods…

How ads weirdly know your screen brightness, headphone jack use, and location, with Tim Shott (Lock and Code S06E05)

This week on the Lock and Code podcast, we speak with Tim Shott about his attempt to find his location data following a major data breach.

GHSA-2hmp-5wqg-f24h: PlotAI eval vulnerability

A vulnerability that could result in Remote Code Execution (RCE) has been found in PlotAI. Lack of validation of LLM-generated output allows an attacker to execute arbitrary Python code. PlotAI has commented out the vulnerable line; further use of the software requires uncommenting it and thus accepting the risk.

Researchers Expose New Polymorphic Attack That Clones Browser Extensions to Steal Credentials

Cybersecurity researchers have demonstrated a novel technique that allows a malicious web browser extension to impersonate any installed add-on. "The polymorphic extensions create a pixel perfect replica of the target's icon, HTML popup, workflows and even temporarily disables the legitimate extension, making it extremely convincing for victims to believe that they are providing credentials to

Fake CAPTCHA websites hijack your clipboard to install information stealers

An increasing number of websites use a clipboard hijacker and instruct victims on how to infect their own machine.

GHSA-w6mr-mj53-x258: Duplicate Advisory: Zip Exploit Crashes Picklescan But Not PyTorch

## Duplicate Advisory

This advisory has been withdrawn because it is a duplicate of GHSA-7q5r-7gvp-wc82. This link is maintained to preserve external references.

## Original Description

picklescan before 0.0.23 is vulnerable to a ZIP archive manipulation attack that causes it to crash when attempting to extract and scan PyTorch model archives. By modifying the filename in the ZIP header while keeping the original filename in the directory listing, an attacker can make PickleScan raise a BadZipFile error. However, PyTorch's more forgiving ZIP implementation still allows the model to be loaded, enabling malicious payloads to bypass detection.

Malwarebytes Premium Security awarded “Product of the Year” from AVLab

Malwarebytes Premium Security has once again been awarded “Product of the Year” after successfully blocking 100% of “in-the-wild” malware samples.