Side-channel information leakage in Paint in Google Chrome prior to 149.0.7827.53 allowed a remote attacker to leak cross-origin data via a crafted HTML page. (Chromium security severity: Low)

Side-channel information leakage in PerformanceAPIs in Google Chrome prior to 149.0.7827.53 allowed a remote attacker to leak cross-origin data via a crafted HTML page. (Chromium security severity: Low)

FreeScout 是一个基于 PHP 的 Laravel 框架构建的免费帮助台和共享收件箱系统。在版本 1.8.219 之前，其密码重置端点会针对提交的邮箱地址是否属于有效用户账户返回视觉上不同的响应（例如，存在账户时返回“重置链接已发送”，不存在时返回“邮箱未注册”等不同提示），从而允许未经身份验证的攻击者枚举有效的帮助台代理邮箱地址。此漏洞属于敏感信息泄露，攻击者可以利用枚举到的邮箱发起定向钓鱼攻击或进一步暴力破解。该漏洞影响所有低于 1.8.219 的版本。厂商已在 1.8.219 版本中修复此问题，修复方式为统一响应内容，不再区分账户是否存在。建议所有用户立即升级至最新版本。此外，可考虑在网络层面限制对密码重置端点的外部访问，或添加验证码等防护机制以减缓枚举攻击。

TREK is a collaborative travel planner. Prior to 3.0.18, early return on missing user during login flow allowed an attacker to enumerate valid user accounts via response timing discrepancy. When an email address existed in the database, the backend performed a bcrypt password comparison before returning a 401 Unauthorized, adding ~370 ms of latency. When the email did not exist, the backend return

A vulnerability was found in Industrial Application Software IAS Canias ERP 8.03. The impacted element is the function doAction of the component Login RMI Interface. Performing a manipulation results in observable response discrepancy. The attack is possible to be carried out remotely. A high degree of complexity is needed for the attack. The exploitability is regarded as difficult. The exploit ha

A vulnerability was found in Industrial Application Software IAS Canias ERP 8.03. The impacted element is the function doAction of the component Login RMI Interface. Performing a manipulation results in observable response discrepancy. The attack is possible to be carried out remotely. A high degree of complexity is needed for the attack. The exploitability is regarded as difficult. The exploit ha

Weblate is a web based localization tool. Prior to version 5.17.1, the screenshots, tasks, and component link API allowed for the enumeration of translations in a project inaccessible to the user. This issue has been patched in version 5.17.1.

### Impact The screenshots, tasks, and component link API allowed for the enumeration of translations in a project inaccessible to the user. ### Patches * https://github.com/WeblateOrg/weblate/pull/19258 ### Acknowledgement Weblate thanks Luay for reporting this vulnerability according to the organization's [security issues guideline](https://docs.weblate.org/en/latest/security/issues.html).