Latest News

### Summary It's possible to access any private fields by filtering through the lookup parameters ### Details Using the new lookup operator provided by the document service in Strapi 5, it is not properly sanitizing this query operator for private fields. ### PoC 1. Create a strapi app. 2. Create a content-type 3. In the content-type you make a new entry 4. Go back to the list view 4. Add `&lookup[updatedBy][password][$startsWith]=$2` to the end of your url (All passwords start with $2) see that all entries are still there 6. Add `&lookup[updatedBy][password][$startsWith]=$3` see the entry disappear proving that the search above works ### Impact An attacker can perform filtering attacks on everything related to the object, including admin passwords and reset-tokens. This means that they can gain full access to the strapi instance.

### Summary In Bagisto v2.3.7, the TinyMCE image upload functionality allows an attacker with sufficient privileges (e.g. admin) to upload a crafted HTML file containing embedded JavaScript. When viewed, the malicious code executes in the context of the admin/user’s browser. ### Details The application blocks the uploading of HTML files; however, if the backend detected that the content of the .png file is HTML or JavaScript, the file extension will be automatically converted from .png to .html. When the HTML is viewed, it will execute the JavaScript code. ### PoC Created a html file, renamed the extension to .png, and uploaded the file. It was converted to HTML file in the backend. When opened in another tab, the JavaScript code will execute. <img width="1605" height="702" alt="image" src="https://github.com/user-attachments/assets/bd9406aa-2380-464f-ac21-32d483639969" /> <img width="1358" height="314" alt="image" src="https://github.com/user-attachments/assets/e5a64a5a-39fb-4fdb-ad...

A misconfigured server belonging to Indian company NetcoreCloud exposed 40 billion records and 13.4TB of data, revealing sensitive…

This edition highlights the detailed studies that have been recently published on how ransomware attacks affect victims, from PTSD to burnout, and discusses ways to help deal with the fallout of victimization.

AI might help some threat actors in certain respects, but one group is proving that its use for cyberattacks has its limits.

### Summary LibreNMS <= 25.8.0 contains a **Stored Cross-Site Scripting (XSS)** vulnerability in the Alert Transports management functionality. When an administrator creates a new Alert Transport, the value of the `Transport name` field is stored and later rendered in the **Transports** column of the **Alert Rules** page without proper input validation or output encoding. This leads to arbitrary JavaScript execution in the admin’s browser. ### Details * **Injection point:** `Transport name` field in `/alert-transports`. * **Execution point:** **Transports** column in `/alert-rules`. * **Scope:** Only administrators can create Alert Transports, and only administrators can view the affected Alert Rules page. Therefore, both exploitation and impact are limited to admin users. ### Steps to reproduce 1. Log in with an administrator account. 2. Navigate to: ``` http://localhost:8000/alert-transports ``` 3. Click **Create alert transport** and provide the following values: ...

North Korea's Famous Chollima is back, merging BeaverTail and OtterCookie malware to target job seekers. Cisco Talos details the new threat. Keylogging, screen recording, and cryptocurrency wallet theft detected in an attack.

Input passed to the GET parameter 'error' is not properly sanitised before being returned to the user. This can be exploited to execute arbitrary HTML/JS code in a user's browser session in context of an affected site.

An unauthenticated absolute and relative path traversal vulnerability exists in the smart home/building automation platform via the /ajax/php/get_file_content.php endpoint. By supplying a crafted 'file' POST parameter, a remote attacker can read arbitrary files from the server's file system, resulting in sensitive information disclosure.

The EVE X1 server suffers from an unauthenticated OS command injection vulnerability. This can be exploited to inject and execute arbitrary shell commands through the 'mbus_file' and 'mbus_csv' HTTP POST parameters through /ajax/php/mbus_build_from_csv.php script.