Cross Site Scripting (XSS)

home-assistant/core and home-assistant-js-websocket are vulnerable to an XSS attack. The vulnerability occurs due to a loophole in the WebSocket authentication logic. The logic utilises a `state` parameter wh ...

Uptime Kuma Authenticated remote code execution via TailscalePing

Summary: The `runTailscalePing` method of the `TailscalePing` class injects the `hostname` parameter inside a shell command, leading to a command injection and the possibility to run arbitrary commands on th ...

Amazon Linux 2 : tomcat (ALASTOMCAT9-2023-006)

The version of tomcat installed on the remote host is prior to 9.0.54-1. It is, therefore, affected by a vulnerability as referenced in the ALAS2TOMCAT9-2023-006 advisory. - The fix for bug 63362 pr ...

Researchers Link DragonEgg Android Spyware to LightSpy iOS Surveillanceware

New findings have identified connect ...

Exploit for Exposure of Sensitive Information to an Unauthorized Actor in Eclipse Jetty

Eclipse Jetty Canonical Repository ...

Denial Of Service (DoS)

directus is vulnerable to Denial of Service (DoS). The vulnerability exists because invalid WebSocket frames are not properly handled, which allows an attacker to crash the application.

Securing our home labs: Home Assistant code review

Introduction: In July, the GitHub Security Lab team conducted a collaborative review of one of our favorite software pieces. While it's not uncommon for our Security Lab researchers to work togeth ...

Exploit for Insufficient Session Expiration in Eclipse Jetty

Eclipse Jetty Canonical Repository ...
