LiquidJS: ownPropertyOnly bypass via sort_natural filter — prototype property information disclosure through sorting side-channel

Summary The sortnatural filter bypasses the ownPropertyOnly security option, allowing template authors to extract values of prototype-inherited properties through a sorting side-channel attack. Applications relying on ownPropertyOnly: true as a security boundary e.g., multi-tenant template system...

CVE-2023-25575

API Platform Core is the server component of API Platform: hypermedia and GraphQL APIs. Resource properties secured with the security option of the ApiPlatform\Metadata\ApiProperty attribute can be disclosed to unauthorized users. The problem affects most serialization formats, including raw JSON...

GraphQL grant on a property might be cached with different objects

Original message: I found an issue with security grants on on properties in the GraphQL ItemNormalizer: If you use something like ApiPropertysecurity: 'isgranted"PROPERTYREAD", object, property' on a member of an entity, the grant gets cached and is only evaluated once, even if the object in...

Smart home security advice. Ring, SimpliSafe, Swann, and Yale

Introduction This guide covers the security of smart home security products from Ring, Yale, Swann, and SimpliSafe. Whether you're looking to monitor your property remotely, enhance your home's security, or see who’s at the front door, this guide will provide you with valuable insights. We have...

CVE-2024-29916

The dormakaba Saflok system before the November 2023 software update allows an attacker to unlock arbitrary doors at a property via forged keycards, if the attacker has obtained one active or expired keycard for the specific property, aka the "Unsaflok" issue. This occurs, in part, because the ke...

CVE-2024-29916

The dormakaba Saflok system before the November 2023 software update allows an attacker to unlock arbitrary doors at a property via forged keycards, if the attacker has obtained one active or expired keycard for the specific property, aka the "Unsaflok" issue. This occurs, in part, because the ke...

CVE-2022-42466 XSS vulnerability, eg for String properties.

Prior to 2.0.0-M9, it was possible for an end-user to set the value of an editable string property of a domain object to a value that would be rendered unchanged when the value was saved. In particular, the end-user could enter javascript or similar and this would be executed. As of this release,...

EAP: Vault system property security attribute value is revealed on CLI 'reload' command

A flaw was found in the JBoss EAP Vault system. Confidential information of the system property’s security attribute value is revealed in the JBoss EAP log file when executing a JBoss CLI 'reload' command. This flaw can lead to the exposure of confidential information...