GitHub has fixed the critical vulnerability CVE-2024-9487 in GitHub Enterprise Server

15 October 2024 | 2 min read | Author: Newsman

GitHub has released a security update for GitHub Enterprise Server that addresses two vulnerabilities, one of which is critical. CVE-2024-9487 has a CVSS score of 9.5 and allows SAML SSO authentication to be bypassed. The flaw stems from improper verification of cryptographic signatures, which lets an attacker provision unauthorized users and grant them access to the server.

Successful exploitation requires that the “encrypted assertions” feature be enabled on the server, that the attacker hold a signed SAML document, and that the attacker have network access to the server. While these conditions limit the attack surface, organizations using SAML SSO should update their GitHub Enterprise Server installations immediately.

The second vulnerability concerns malicious URLs embedded in SVG files. An attacker uploads crafted SVG files to the server and tricks users into following the URLs they contain; in this way the attacker can obtain the user’s metadata and build a convincing phishing page.

Both vulnerabilities affect all versions of GitHub Enterprise Server prior to 3.15 and are fixed in updates to versions 3.11.16, 3.12.10, 3.13.5, and 3.14.2.
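As an added example (not code from the article or from GitHub), the following Python helper applies the affected and fixed version ranges above to an inventory of installed GitHub Enterprise Server versions, so an administrator can see at a glance which instances still need the update. Hostnames and version strings in it are constructed samples.

```python
from typing import Dict, Optional, Tuple

# Fixed releases named in the advisory, keyed by release branch (major, minor).
FIXED_PATCH = {(3, 11): 16, (3, 12): 10, (3, 13): 5, (3, 14): 2}
# 3.15 and later were never affected.
FIRST_UNAFFECTED_BRANCH = (3, 15)


def parse_version(text: str) -> Tuple[int, int, int]:
    """Parse a GHES version such as '3.13.4' into (major, minor, patch).

    Assumed input format: three dot-separated integers; a pre-release suffix
    after a hyphen (e.g. '3.14.0-rc1') is ignored for the comparison.
    """
    core = text.strip().split("-", 1)[0]
    parts = core.split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised GHES version: {text!r}")
    major, minor, patch = (int(p) for p in parts)
    return major, minor, patch


def triage(version: str) -> Tuple[bool, Optional[str]]:
    """Return (vulnerable, recommended_target) for one installed version.

    Branches 3.11 to 3.14 are vulnerable below the listed patch level; 3.15 and
    later are unaffected. Branches older than 3.11 get no fix in this advisory
    ("all versions prior to 3.15" are affected), so they are flagged with an
    assumed recommendation to move to a fixed branch.
    """
    major, minor, patch = parse_version(version)
    branch = (major, minor)
    if branch >= FIRST_UNAFFECTED_BRANCH:
        return False, None
    if branch in FIXED_PATCH:
        fixed = FIXED_PATCH[branch]
        if patch >= fixed:
            return False, None
        return True, f"{major}.{minor}.{fixed}"
    return True, "upgrade to a fixed branch (3.11.16 or later)"


def triage_fleet(inventory: Dict[str, str]) -> Dict[str, Tuple[bool, Optional[str]]]:
    """Map hostname -> triage result for a dict of hostname -> version."""
    return {host: triage(ver) for host, ver in inventory.items()}


if __name__ == "__main__":
    # Constructed sample inventory, not real hosts.
    sample = {"ghes-prod": "3.13.4", "ghes-staging": "3.14.2",
              "ghes-legacy": "3.10.9", "ghes-new": "3.15.0"}
    for host, (vuln, target) in triage_fleet(sample).items():
        status = f"VULNERABLE -> {target}" if vuln else "patched / unaffected"
        print(f"{host:13} {sample[host]:8} {status}")
```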

Organizations using GitHub Enterprise Server should immediately update the server to the latest version to avoid possible attacks. Ignoring these updates can lead to serious security issues, including data loss and unauthorized access to corporate resources.
