#web

### Summary CVEs on latest 3.1.1 ### Details ## SECURITY ISSUES ### CVE-2024-1681: flask-core <4.0.1 latest version of taipi 3.1.1 needs <=4.0.0 ### CVE-2024-5629: pymongo <4.6.3 #latest version of taipi 3.1.1 needs <=4.6.1 ### PoC please upgrade to these versions ### Impact pre-commit breaks

Hi, Webpack developer team! ### Summary We discovered a DOM Clobbering vulnerability in Webpack’s `AutoPublicPathRuntimeModule`. The DOM Clobbering gadget in the module can lead to cross-site scripting (XSS) in web pages where scriptless attacker-controlled HTML elements (e.g., an `img` tag with an unsanitized `name` attribute) are present. We found the real-world exploitation of this gadget in the Canvas LMS which allows XSS attack happens through an javascript code compiled by Webpack (the vulnerable part is from Webpack). We believe this is a severe issue. If Webpack’s code is not resilient to DOM Clobbering attacks, it could lead to significant security vulnerabilities in any web application using Webpack-compiled code. ### Details #### Backgrounds DOM Clobbering is a type of code-reuse attack where the attacker first embeds a piece of non-script, seemingly benign HTML markups in the webpage (e.g. through a post or comment) and leverages the gadgets (pieces of js code) livin...

## Impact Instances of the Apollo Router using either of the following may be impacted by a denial-of-service vulnerability. 1. External Coprocessing with specific configurations; or 2. Native Rust Plugins accessing the Router request body in the RouterService layer Router customizations using Rhai scripts are **not** impacted. ### When using External Coprocessing: Instances of the Apollo Router running versions >=1.21.0 and <1.52.1 are impacted by a denial-of-service vulnerability if **all** of the following are true: 1. Router has been configured to support External Coprocessing. 2. Router has been configured to send request bodies to coprocessors. This is a non-default configuration and must be configured intentionally by administrators. You can identify if you are impacted by reviewing your router's configuration YAML for the following config: ```yaml ... coprocessor: url: http://localhost:9000 # likely different in your environment router: request: body: tru...

Ubuntu Security Notice 6973-3 - It was discovered that a race condition existed in the Bluetooth subsystem in the Linux kernel, leading to a null pointer dereference vulnerability. A privileged local attacker could use this to possibly cause a denial of service. Several security issues were discovered in the Linux kernel. An attacker could possibly use these to compromise the system.

miniProxy version 1.0.0 suffers from a remote file inclusion vulnerability.

Medicine Tracker System version 1.0 suffers from an ignored default credential vulnerability.

Medical Hub Directory Site version 1.0 suffers from an ignored default credential vulnerability.

Red Hat Security Advisory 2024-5832-03 - An update for httpd is now available for Red Hat Enterprise Linux 9.0 Update Services for SAP Solutions.

Marc@TMS CMS version 1.0 suffers from a remote SQL injection vulnerability.

Lodging Reservation Management System version 1.0 suffers from an ignored default credential vulnerability.