Sherlock
Monthly
Command injection in the Sherlock username-hunting tool's CI/CD pipeline (versions prior to 0.16.1) allows any GitHub user to run arbitrary commands on the project's GitHub Actions runner. The flaw lives in the validate_modified_targets.yml workflow, which uses the dangerous pull_request_target trigger; simply opening a pull request executes attacker-controlled code with no approval, review, or merge required. Fixed in 0.16.1; with a CVSS of 9.3 it is a high-severity supply-chain issue, though no public exploit was identified at time of analysis and the technique class is well documented.
A stack-based buffer overflow vulnerability has been identified in Teledyne DALSA Sherlock Version 7.2.7.4 and prior, which may allow remote code execution. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
Command injection in the Sherlock username-hunting tool's CI/CD pipeline (versions prior to 0.16.1) allows any GitHub user to run arbitrary commands on the project's GitHub Actions runner. The flaw lives in the validate_modified_targets.yml workflow, which uses the dangerous pull_request_target trigger; simply opening a pull request executes attacker-controlled code with no approval, review, or merge required. Fixed in 0.16.1; with a CVSS of 9.3 it is a high-severity supply-chain issue, though no public exploit was identified at time of analysis and the technique class is well documented.
A stack-based buffer overflow vulnerability has been identified in Teledyne DALSA Sherlock Version 7.2.7.4 and prior, which may allow remote code execution. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.