#web

Apple Security Advisory 05-08-2024-1 - iTunes 12.13.2 for Windows addresses a code execution vulnerability.

Apple Security Advisory 05-13-2024-4 - macOS Sonoma 14.5 addresses bypass and code execution vulnerabilities.

Apple Security Advisory 05-13-2024-3 - iOS 16.7.8 and iPadOS 16.7.8 addresses bypass vulnerabilities.

Apple Security Advisory 05-13-2024-2 - iOS 17.5 and iPadOS 17.5 addresses bypass and code execution vulnerabilities.

Apple Security Advisory 05-13-2024-1 - Safari 17.5 addresses a bypass vulnerability.

An unnamed European Ministry of Foreign Affairs (MFA) and its three diplomatic missions in the Middle East were targeted by two previously undocumented backdoors tracked as LunarWeb and LunarMail. ESET, which identified the activity, attributed it with medium confidence to the Russia-aligned cyberespionage group Turla (aka Iron Hunter, Pensive Ursa, Secret Blizzard, Snake, Uroburos, and Venomous

By Deeba Ahmed Is FIDO2 truly unbreachable?  Recent research exposes a potential vulnerability where attackers could use MITM techniques to bypass FIDO2 security keys. This is a post from HackRead.com Read the original post: MITM Attacks Can Still Bypass FIDO2 Security, Researchers Warn

To create a snapshot (and insert an arbitrary URL) the built-in role Viewer is sufficient. When a dashboard is shared as a local snapshot, the following three fields are offered in the web UI for a user to fill out: • Snapshotname • Expire • Timeout(seconds) After the user confirms creation of the snapshot (i.e. clicks the ”Local Snapshot” button) an HTTP POST request is sent to the Grafana server. The HTTP request contains additional parameters that are not visible in the web UI. The parameter originalUrl is not visible in the web UI, but sent in the HTTP POST request. The value of the originalUrl parameter is automatically generated. The purpose of the presented originalUrl parameter is to provide a user that views the snapshot the possibility to click on the button in the Grafana web UI and be presented with the dashboard that the snapshot was made out of. The value of the originalUrl parameter can be arbitrarily chosen by a malicious user that creates the snapshot (Note: by editi...

Today we are releasing Grafana 9.2.4. Alongside other bug fixes, this patch release includes critical security fixes for CVE-2022-39328. Release 9.2.4, latest patch, also containing security fix: - [Download Grafana 9.2.4](https://grafana.com/grafana/download/9.2.4) Appropriate patches have been applied to [Grafana Cloud](https://grafana.com/cloud) and as always, we closely coordinated with all cloud providers licensed to offer Grafana Pro. They have received early notification under embargo and confirmed that their offerings are secure at the time of this announcement. This is applicable to Amazon Managed Grafana and Azure Managed Grafana as a service offering. ## Privilege escalation ### Summary Internal security audit identified a race condition in the Grafana codebase, which allowed an unauthenticated user to query an arbitrary endpoint in Grafana. A race condition in the [HTTP context creation](https://github.com/grafana/grafana/blob/main/pkg/web/router.go#L153) could make a...

Today we are releasing Grafana 9.1.6, 9.0.9, 8.5.13. This patch release includes a Moderate severity security fix for CVE-2022-35957 that affects Grafana instances which are using Grafana [Auth Proxy](https://grafana.com/docs/grafana/latest/setup-grafana/configure-security/configure-authentication/auth-proxy/#configure-auth-proxy-authentication). Release 9.1.6, latest patch, also containing security fix: - [Download Grafana 9.1.6](https://grafana.com/grafana/download/9.1.6) - [Release notes](https://grafana.com/docs/grafana/latest/release-notes/release-notes-9-1-6/) Release 9.0.9, only containing security fix: - [Download Grafana 9.0.9](https://grafana.com/grafana/download/9.0.9) - [Release notes](https://grafana.com/docs/grafana/latest/release-notes/release-notes-9-0-9/) Release 8.5.13, only containing security fix: - [Download Grafana 8.5.13](https://grafana.com/grafana/download/8.5.13) - [Release notes](https://grafana.com/docs/grafana/latest/release-notes/release-notes-8-5-13...