#web

### Impact _What kind of vulnerability is it? Who is impacted?_ **Description:** This vulnerability affects confidential client applications, including daemons, web apps, and web APIs. Under specific circumstances, sensitive information such as client secrets or certificate details may be exposed in the service logs of these applications. Service logs are intended to be handled securely. **Impact:** The vulnerability impacts service logs that meet the following criteria: - **Logging Level:** Logs are generated at the information level. - **Credential Descriptions:** containing: - Local file paths with passwords. - Base64 encoded values. - Client secret. Additionally, logs of services using Base64 encoded certificates or certificate paths with password credential descriptions are also affected if the certificates are invalid or expired, regardless of the log level. Note that these credentials are not usable due to their invalid or expired status. If your service log...

Stay secure on the move. Protect your devices, data, and privacy with smart habits, reliable gear, updated software…

Cybersecurity researchers have identified a new spam campaign driven by ‘AkiraBot,’ an AI-powered bot that targets small business…

Insertion of Sensitive Information into Log File vulnerability in Apache ActiveMQ Artemis. All the values of the broker properties are logged when the org.apache.activemq.artemis.core.config.impl.ConfigurationImpl logger has the debug level enabled. This issue affects Apache ActiveMQ Artemis: from 1.5.1 before 2.40.0. It can be mitigated by restricting log access to only trusted users. Users are recommended to upgrade to version 2.40.0, which fixes the issue.

Lovable, a generative artificial intelligence (AI) powered platform that allows for creating full-stack web applications using text-based prompts, has been found to be the most susceptible to jailbreak attacks, allowing novice and aspiring cybercrooks to set up lookalike credential harvesting pages. "As a purpose-built tool for creating and deploying web apps, its capabilities line up perfectly

A recent case of alleged cyber-voyeurism shows how important it is to secure your computer against unwanted eavesdroppers using malware.

### Summary There was an insecure deserialization in BentoML's runner server. By setting specific headers and parameters in the POST request, it is possible to execute any unauthorized arbitrary code on the server, which will grant the attackers to have the initial access and information disclosure on the server. ### PoC - First, create a file named **model.py** to create a simple model and save it ``` import bentoml import numpy as np class mymodel: def predict(self, info): return np.abs(info) def __call__(self, info): return self.predict(info) model = mymodel() bentoml.picklable_model.save_model("mymodel", model) ``` - Then run the following command to save this model ``` python3 model.py ``` - Next, create **bentofile.yaml** to build this model ``` service: "service.py" description: "A model serving service with BentoML" python: packages: - bentoml - numpy models: - tag: MyModel:latest include: - "*.py" ``` - Then, create **service.p...

### Impact The buffer created for parsing metadata for PNG and WebP images was only bounded by their input data type, which could lead to potentially large memory allocation, and unreasonably high for image metadata. Before `v0.11.0`, If you didn't trust the input images, this could be abused to construct denial-of-service attacks. ### Patches `v0.11.0` added a 10 MB upper limit.

### Impact The EXIF data format allows for defining excessively large data structures in relatively small payloads. Before `v0.10.0`, If you didn't trust the input images, this could be abused to construct denial-of-service attacks. ### Patches `v0.10.0` added LimitNumTags (default 5000) and LimitTagSize (default 10000) options.

Improper Input Validation vulnerability in Apache POI. The issue affects the parsing of OOXML format files like xlsx, docx and pptx. These file formats are basically zip files and it is possible for malicious users to add zip entries with duplicate names (including the path) in the zip. In this case, products reading the affected file could read different data because 1 of the zip entries with the duplicate name is selected over another but different products may choose a different zip entry. This issue affects Apache POI poi-ooxml before 5.4.0. poi-ooxml 5.4.0 has a check that throws an exception if zip entries with duplicate file names are found in the input file. Users are recommended to upgrade to version poi-ooxml 5.4.0, which fixes the issue. Please read https://poi.apache.org/security.html for recommendations about how to use the POI libraries securely.