MacMusic  |  PcMusic  |  440 Software  |  440 Forums  |  440TV  |  Zicos
catanzaro
Recherche

Catanzaro: Dangerous arbitrary file read vulnerability in Yelp

mercredi 16 avril 2025, 19:54 , par LWN.net
GNOME contributor Michael Catanzaro has written a blog
post about a noteworthy vulnerability in GNOME's help browser, Yelp.

I don't normally blog about particular CVEs, but Yelp CVE-2025-3155 is
noteworthy because it is quite severe, public for several weeks now,
and not yet fixed upstream. In short, help files can read your
filesystem and execute arbitrary JavaScript code, allowing an attacker
to exfiltrate any files your Unix user has access to.

The vulnerability was first reported on December 25, and it
was made public on March 26 after the 90-day-disclosure deadline
was reached. Patches
have been proposed to fix the issue. The bug reporter has published a writeup
demonstrating the attack. Catanzaro asks that Linux vendors
'please consider applying the provided patches even though they
have not yet been accepted upstream'.
Lire la suite sur LWN.net
https://lwn.net/Articles/1017727/

Voir aussi

catanzaro CVE fallout: The splintering of the standard vulnerability tracking system has begun TheRegister18 Apr
yelp ‘Stupid and Dangerous’: CISA Funding Chaos Threatens Essential Cybersecurity Program Wired: Tech.16 Apr
vulnerability Kermit is a typeface to help kids read BoingBoing16 Apr
arbitrary Microsoft hits Ctrl-Z after Teams trips over file sharing TheRegister16 Apr
read Canadians decline Gavin Newsom's dangerous invitation to visit California BoingBoing15 Apr
public Microsoft OneDrive file sync apps for Windows, Mac broken for 10 months TheRegister15 Apr
help The Most Dangerous Hackers You’ve Never Heard Of Wired: Tech.14 Apr
files 3 days left! Snag this $33 H&R Block deal and file your federal and state taxes in time BoingBoing12 Apr
yet Ex-OpenAI Staffers File Amicus Brief Opposing the Company's For-Profit Transition Slashdot12 Apr
about Traditional vulnerability assessment falls short on third-party risks BetaNews 8 Apr
not Beware the beautiful yet dangerous Caravela Portuguesa BoingBoing 4 Apr
patches Understand Python’s new lock file format InfoWorld 1 Apr
noteworthy New Python lock file format will specify dependencies InfoWorld 1 Apr
file A New Image File Format Efficiently Stores Invisible Light Data Slashdot29 Mar
dangerous 0patch releases yet another free fix for yet another 0day vulnerability in Windows that Microsoft has not addressed BetaNews26 Mar
catanzaro Disney+ facilite le ménage dans les programmes de la file d’attente 01net25 Mar
yelp How AI Coding Assistants Could Be Compromised Via Rules File Slashdot23 Mar
vulnerability Infoseccers criticize Veeam over critical RCE vulnerability and a failing blacklist TheRegister20 Mar
arbitrary Who is Funnier, Humans or AI? Read the Results of the Researcher Meme Challenge eWeek20 Mar
read IBM scores perfect 10 ... vulnerability in mission-critical OS AIX TheRegister19 Mar
News copyright owned by their original publishers | Copyright © 2004 - 2025 Zicos / 440Network
Date Actuelle
sam. 19 avril - 15:49 CEST