AddToAny

Share this

 

News

11/07/2024 - 12:40

Build your slide deck in Laravel with Simple Slides

Simple Slides is a responsive and text-first presentation tool that engages your audience. It is built with Laravel, Vue, and PostgreSQL.
You'd want to use this if you are:




11/07/2024 - 12:32

Laravel Nightwatch

Laracon AU has begun and with it comes exciting news from Taylor and the rest of the Laravel team. Announcing Laravel Nightwatch! First-class monitoring designed for Laravel.




11/07/2024 - 08:30

First Public Working Draft: Audio Session

The Media Working Group has published the First Public Working Draft of Audio Session. This API defines an API surface for controlling how audio is rendered and interacts with other audio playing applications, allowing for better audio mixing or exclusive playback, depending on the context, to provide a more consistent and integrated media experience across devices.




11/06/2024 - 20:50

Twig CVE-2024-51754: Unguarded calls to __toString() in a sandbox when an object is in an array or an argument list

Affected versions

Twig versions <3.11.2; >=3.12,<3.14.1 are affected by this security issue.

The issue has been fixed in Twig 3.11.2 and 3.14.1.
Note that Twig versions 1 and 2 are not maintained anymore and are vulnerable.

Description

In a sandbox, an attacker can call __toString() on an object even if the __toString() method is not allowed by the security policy when the object is part of an array or an argument list (arguments to a function or a filter for instance).




11/06/2024 - 20:50

Twig CVE-2024-51755: Unguarded calls to __isset() and to array-accesses in a sandbox

Affected versions

Twig versions <3.11.2; >=3.12,<3.14.1 are affected by this security issue.

The issue has been fixed in Twig 3.11.2 and 3.14.1.
Note that Twig versions 1 and 2 are not maintained anymore and are vulnerable.

Description

In a sandbox, and attacker can access attributes of Array-like objects as they were not checked by the security policy.
They are now checked via the property policy and the __isset() method is now called after the security check.
This is a BC break.




11/06/2024 - 12:05

CVE-2024-50343: Incorrect response from Validator when input ends with `\n`

Affected versions

Symfony versions <5.4.43; >=6, <6.4.11; >=7, <7.1.4 of the Symfony Validator component are affected by this security issue.

The issue has been fixed in Symfony 5.4.43, 6.4.11, and 7.1.4.

Description

It is possible to trick a Validator configured with a regular expression using the $ metacharacters, with an input ending with \n.

Resolution

Symfony now uses the D regex modifier to match the entire input.




11/06/2024 - 12:05

CVE-2024-50341: Security::login does not take into account custom user_checker

Affected versions

Symfony versions >=6.2, <6.4.10; >=7.0, <7.0.10; >=7.1, <7.1.3 of the Symfony SecurityBundle component are affected by this security issue.

The issue has been fixed in Symfony 6.4.10, 7.0.10, and 7.1.3.

Description

The custom user_checker defined on a firewall is not called when Login Programmaticaly with the Security::login method, leading to unwanted login.

Resolution

The Security::login method now ensure to call the configured user_checker.




11/06/2024 - 12:05

CVE-2024-50342: Internal address and port enumeration allowed by NoPrivateNetworkHttpClient

Affected versions

Symfony versions <5.4.46; >=6, <6.4.14; >=7, <7.1.7 of the Symfony HttpClient component are affected by this security issue.

The issue has been fixed in Symfony 5.4.46, 6.4.14, and 7.1.7.

Description

When using the NoPrivateNetworkHttpClient, some internal information is still leaking during host resolution, which leads to possible IP/port enumeration.

Resolution

The NoPrivateNetworkHttpClient now filters blocked IPs earlier to prevent such leaks.