6 matches found

Github Security Blog
added 2026/03/23 8:54 p.m., 3 views

Rails Active Storage has possible content type bypass via metadata in direct uploads

Impact: Active Storage's DirectUploadsController accepts arbitrary metadata from the client and persists it on the blob. Because internal flags like identified and analyzed are stored in the same metadata hash, a malicious direct-upload client could set these flags. Releases: The fixed releases are...

CVSS 5.3, AI score 5.4, EPSS 0.00015
Exploits: 0, References: 10, Affected software: 1
OSV
added 2026/03/23 8:54 p.m., 1 view

GHSA-QCFX-2MFW-W4CG Rails Active Storage has possible content type bypass via metadata in direct uploads

Impact: Active Storage's DirectUploadsController accepts arbitrary metadata from the client and persists it on the blob. Because internal flags like identified and analyzed are stored in the same metadata hash, a malicious direct-upload client could set these flags. Releases: The fixed releases are...

CVSS 5.3, AI score 5.9, EPSS 0.00015
Exploits: 0, References: 10
RubySec
added 2026/03/23 12:00 a.m., 5 views

Rails Active Storage has possible content type bypass via metadata in direct uploads

Impact: Active Storage's DirectUploadsController accepts arbitrary metadata from the client and persists it on the blob. Because internal flags like identified and analyzed are stored in the same metadata hash, a malicious direct-upload client could set these flags. Releases: The fixed releases are...

CVSS 5.3, AI score 5.9, EPSS 0.00015
Exploits: 0, References: 1, Affected software: 1
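The three entries above describe the same flaw: direct-upload clients can write into the same metadata hash that Active Storage uses for its own `identified` and `analyzed` flags, so a client that pre-sets `identified: true` makes the server skip content-type sniffing and trust the declared type. The following is an added, simplified Ruby model of that behaviour, not Rails' or Active Storage's own code: the `Blob` class, the `create_blob_*` functions, the magic-byte sniffer and the sample request are all constructed stand-ins; only the flag names `identified` and `analyzed` come from the advisory. It contrasts the vulnerable "merge whatever the client sent" pattern with a hardened one that rejects the reserved keys.

```ruby
# Added example (not Active Storage's code): a minimal model of how client-supplied
# metadata can clobber internal blob flags in a direct upload.

# Flag names taken from the advisory; the blob stores them in the same metadata hash
# that the direct-upload client is allowed to populate.
INTERNAL_FLAGS = %w[identified analyzed].freeze

class Blob
  attr_reader :content_type, :metadata

  def initialize(content_type:, metadata:)
    @content_type = content_type
    @metadata = metadata
  end

  def identified?
    !!metadata["identified"]
  end

  def analyzed?
    !!metadata["analyzed"]
  end

  # Sniff the real type from the bytes unless the blob already claims to be identified.
  # Returns the content type the blob ends up with.
  def identify(bytes)
    return content_type if identified?   # the bypass: a client-set flag short-circuits sniffing

    @content_type = sniff(bytes)
    metadata["identified"] = true
    content_type
  end

  private

  # Constructed magic-byte check, just enough for the example.
  def sniff(bytes)
    return "image/png" if bytes.bytes[0, 4] == [0x89, 0x50, 0x4E, 0x47]
    return "text/html" if bytes.lstrip.start_with?("<")

    "application/octet-stream"
  end
end

# Vulnerable pattern: persist the client's metadata hash as-is (hypothetical helper name).
def create_blob_vulnerable(params)
  Blob.new(content_type: params["content_type"], metadata: params.fetch("metadata", {}).dup)
end

# Hardened pattern: refuse any request that tries to set a reserved key (hypothetical helper name).
def create_blob_hardened(params)
  client_meta = params.fetch("metadata", {})
  reserved = client_meta.keys & INTERNAL_FLAGS
  raise ArgumentError, "reserved metadata keys: #{reserved.join(', ')}" unless reserved.empty?

  Blob.new(content_type: params["content_type"], metadata: client_meta.dup)
end

# Constructed direct-upload request: HTML bytes declared as a PNG, with both internal
# flags pre-set so the server never looks at the bytes.
MALICIOUS_PARAMS = {
  "content_type" => "image/png",
  "metadata" => { "identified" => true, "analyzed" => true, "caption" => "cat" },
}.freeze

HTML_PAYLOAD = "<html><script>alert(1)</script></html>".b

# Runs both paths against the malicious request and reports what each does.
def demo
  vuln = create_blob_vulnerable(MALICIOUS_PARAMS)
  vuln_type = vuln.identify(HTML_PAYLOAD)   # stays "image/png": sniffing was skipped

  hardened =
    begin
      create_blob_hardened(MALICIOUS_PARAMS)
      :accepted
    rescue ArgumentError
      :rejected
    end

  { vulnerable_content_type: vuln_type, hardened: hardened }
end

puts demo.inspect if $PROGRAM_NAME == __FILE__
```

With the vulnerable path the blob is served as `image/png` even though it contains HTML; the hardened path rejects the request outright. An equivalent fix that silently strips the reserved keys instead of raising would also work, but rejecting makes tampering visible in logs.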
Hacker One
added 2023/09/07 2:33 a.m., 8 views

IBM: Jenkins server access due to weak password

Jenkins server access was gained due to a weak password. The issue was reported to IBM, analyzed, and remediated...

AI score 7
Exploits: 0
myhack58
added 2019/03/17 12:00 a.m., 398 views

WordPress 5.0.0 Remote Code Execution analysis - vulnerability warning - Heiba Security Net (myhack58)

On February 20, the RIPS team disclosed on its official website a WordPress 5.0.0 Remote Code Execution vulnerability, CVE number CVE-2019-6977. The article mainly describes how, with an author-level account, one can modify Post Meta to overwrite variables and then use a directory traversal to write a file, the...

CVSS 6.8, AI score 9.1, EPSS 0.87883
Exploits: 7
hackapp
added 2016/04/01 9:02 a.m., 13 views

Weight Tracker weight loss app - Dangerous filesystem permissions, WebView code execution vulnerabilities

HackApp vulnerability scanner discovered that application Weight Tracker weight loss app published at the 'play' market has multiple vulnerabilities...

AI score 0.5
Exploits: 0, References: 1, Affected software: 1