#web

A Server-Side Template Injection (SSTI) vulnerability in Spacy-LLM v0.7.2 allows attackers to execute arbitrary code via injecting a crafted payload into the template field.

### Impact Dgl implements rpc server (start_server() in rpc_server.py) for supporting the RPC communications among different remote users over networks. It relies on pickle serialize and deserialize to pack and unpack network messages. The is a known risk in pickle deserialization functionality that can be used for remote code execution. ### Patches TBD. ### Workarounds When running DGL distributed training and inference (DistDGL) make sure you do not assign public IPs to any instance in the cluster. ### References Issue #7874 ### Reported by Pinji Chen ([cpj24@mails.tsinghua.edu.cn](mailto:cpj24@mails.tsinghua.edu.cn)) from NISL lab (https://netsec.ccert.edu.cn/about) at Tsinghua University

Malicious, user-crafted request payloads could potentially lead to remote code execution within Volt components.

When using wildcard validation to validate a given file or image field array (`files.*`), a user-crafted malicious request could potentially bypass the validation rules.

### Summary Reflected cross-site scripting (XSS) is a type of web vulnerability that occurs when a web application fails to properly sanitize user input, allowing an attacker to inject malicious code into the application's response to a user's request. When the user's browser receives the response, the malicious code is executed, potentially allowing the attacker to steal sensitive information or take control of the user's account. ### Details On the latest version of Redaxo, v5.18.2, the rex-api-result parameter is vulnerable to Reflected cross-site scripting (XSS) on the page of AddOns. ### PoC 1. Login Redaxo as administrative user. 2. Navigate to the URL: [http://localhost/redaxo/index.php?page=packages&rex-api-call=package&&rex-api-result={%22succeeded%22%3Atrue%2C%22message%22%3A%22%3Cimg%20src=x%20onerror=alert(document.domain);%3E%22}](http://localhost/redaxo/index.php?page=packages&rex-api-call=package&&rex-api-result=%7B%22succeeded%22%3Atrue%2C%22message%22%3A%22%3Cimg%20s...

### Impact _What kind of vulnerability is it? Who is impacted?_ A vulnerability in `OpenTelemetry.Api` package `1.10.0` to `1.11.1` could cause a Denial of Service (DoS) when a `tracestate` and `traceparent` header is received. * Even if an application does not explicitly use trace context propagation, receiving these headers can still trigger high CPU usage. * This issue impacts any application accessible over the web or backend services that process HTTP requests containing a `tracestate` header. * Application may experience excessive resource consumption, leading to increased latency, degraded performance, or downtime. ### Patches _Has the problem been patched? What versions should users upgrade to?_ This issue has been <strong data-start="1143" data-end="1184">resolved in OpenTelemetry.Api 1.11.2</strong> by <strong data-start="1188" data-end="1212">reverting the change</strong> that introduced the problematic behavior in versions <strong data-start="1266" data-end="1286">1.10....

London, United Kingdom, 5th March 2025, CyberNewsWire

Task scams are increasing in volume. We followed up on an invitation by a task scammer to get a first hand look on how they work.

New research shows at least a million inexpensive Android devices—from TV streaming boxes to car infotainment systems—are compromised to allow bad actors to commit ad fraud and other cybercrime.

Veriti Research reveals 40% of networks allow ‘any/any’ cloud access, exposing critical vulnerabilities. Learn how malware like XWorm…