#web

Gentoo Linux Security Advisory 202401-27 - Multiple vulnerabilities have been discovered in Ruby, the worst of which could lead to execution of arbitrary code. Multiple versions are affected.

Employee Management System version 1.0 suffers from a remote SQL injection vulnerability.

# Introduction This write-up describes a vulnerability found in [Label Studio](https://github.com/HumanSignal/label-studio), a popular open source data labeling tool. The vulnerability affects all versions of Label Studio prior to `1.10.1` and was tested on version `1.9.2.post0`. # Overview [Label Studio](https://github.com/HumanSignal/label-studio) had a remote import feature allowed users to import data from a remote web source, that was downloaded and could be viewed on the website. This feature could had been abused to download a HTML file that executed malicious JavaScript code in the context of the Label Studio website. # Description The following [code snippet in Label Studio](https://github.com/HumanSignal/label-studio/blob/1.9.2.post0/label_studio/data_import/uploader.py#L125C5-L146) showed that is a URL passed the SSRF verification checks, the contents of the file would be downloaded using the filename in the URL. ```python def tasks_from_url(file_upload_ids, project, u...

# Introduction This write-up describes a vulnerability found in [Label Studio](https://github.com/HumanSignal/label-studio), a popular open source data labeling tool. The vulnerability affects all versions of Label Studio prior to `1.9.2` and was tested on version `1.8.2`. # Overview [Label Studio](https://github.com/HumanSignal/label-studio) has a cross-site scripting (XSS) vulnerability that could be exploited when an authenticated user uploads a crafted image file for their avatar that gets rendered as a HTML file on the website. # Description The following [code snippet in Label Studio](https://github.com/HumanSignal/label-studio/blob/1.8.2/label_studio/users/functions.py#L18-L49) shows that the only verification check is that the file is an image by extracting the dimensions from the file. ```python def hash_upload(instance, filename): filename = str(uuid.uuid4())[0:8] + '-' + filename return settings.AVATAR_PATH + '/' + filename <3> def check_avatar(files): i...

By Waqas The dark side of the Artificial Intelligence (AI) - UK's NCSC Cyber Threat Assessment warns surge in AI-driven ransomware Surge. This is a post from HackRead.com Read the original post: Artificial Intelligence Heightens Ransomware Threat, UK Cyber Security Center Warns

Talos IR observed operations involving Play, Cactus, BlackSuit and NoEscape ransomware for the first time this quarter.

By Waqas Hailing from Wilmington, Delaware BuyGoods.com boasts a user base of 3 million consumers spanning across 17 countries. This is a post from HackRead.com Read the original post: Global Retailer BuyGoods.com Leaks 198GB of Internal and User PII, KYC data

The ransomware group known as Kasseika has become the latest to leverage the Bring Your Own Vulnerable Driver (BYOVD) attack to disarm security-related processes on compromised Windows hosts, joining the likes of other groups like Akira, AvosLocker, BlackByte, and RobbinHood. The tactic allows "threat actors to terminate antivirus processes and services for the deployment of ransomware," Trend

Apple has released new security updates for several products including a patch for a zero-day vulnerability which may have been exploited.

Governments from Australia, the U.K., and the U.S. have imposed financial sanctions on a Russian national for his alleged role in the 2022 ransomware attack against health insurance provider Medibank. Alexander Ermakov (aka blade_runner, GistaveDore, GustaveDore, or JimJones), 33, has been tied to the breach of the Medibank network as well as the theft and release of Personally Identifiable