Cross Site Scripting (XSS)

home-assistant/core and home-assistant-js-websocket are vulnerable to XSS attack.The vulnerability occurs due to a loophole in Websocket authentication logic. The logic utilises a `state` parameter wh ...

Continue Reading
Directus crashes on invalid WebSocket message

### Summary It seems that any Directus installation that has websockets enabled can be crashed if the websocket server receives an invalid frame. This could probably be posted as an issue and I might ...

Continue Reading
Uptime Kuma Authenticated remote code execution via TailscalePing

Summary The runTailscalePing method of the TailscalePing class injects the hostname parameter inside a shell command, leading to a command injection and the possibility to run arbitrary commands on th ...

Continue Reading
Rocky Linux 8 : qt5-qtbase and qt5-qtwebsockets (RLSA-2020:4690)

The remote Rocky Linux 8 host has packages installed that are affected by multiple vulnerabilities as referenced in the RLSA-2020:4690 advisory. Qt through 5.14 allows an exponential XML entity expa ...

Continue Reading
CVE-2023-6394

A flaw was found in Quarkus. This issue occurs when receiving a request over websocket with no role-based permission specified on the GraphQL operation, Quarkus processes the request without authentic ...

Continue Reading
Denial Of Service (DoS)

directus is vulnerable to Denial Of Service (DoS). The vulnerability exists because invalid websocket frames are not properly handled which allows an attacker to crash the application .Read More ...

Continue Reading
Cross site scripting

Home assistant is an open source home automation. Whilst auditing the frontend code to identify hidden parameters, Cure53 detected `auth_callback=1`, which is leveraged by the WebSocket authentication ...

Continue Reading
Securing our home labs: Home Assistant code review

Introduction In July, the GitHub Security Lab team conducted a collaborative review of one of our favorite software pieces. While it's not uncommon for our Security Lab researchers to work togeth ...

Continue Reading

Back to Main

Subscribe for the latest news: