Latest News

### Summary Failure to Invalidate Existing Sessions After Password Change (Persistent Session / Session Invalidity Failure). ### Details After a user changes their password, the application does not invalidate other active sessions or session tokens that were established before the change. An attacker who already has an active session (e.g., via a stolen session token, device left logged in, or other access) continues to be authenticated even after the legitimate user rotates credentials, allowing the attacker to retain access despite the user’s password change. ### PoC **Repro steps:** 1. As logged in user on two browsers (ie. Chrome and Firefox, with incognito/private mode) https://cloud.flowiseai.com/account change password, on the Chrome for example 2. Refresh the site on Firefox (second browser) - notice that still logged in (despite credentials were changed) **POC:** Steps described above (in Repro steps) completed successfully. ### Impact Persistent unauthorized access despi...

November “In the Trend of VM” (#21): vulnerabilities in Windows, SharePoint, Redis, XWiki, Zimbra Collaboration, and Linux. The usual monthly roundup. After several months, here’s a big one. 🔥 🗞 Post on Habr (rus)🗞 Post on SecurityLab (rus)🗒 Digest on the PT website (rus) A total of nine vulnerabilities: 🔻 RCE – Windows Server Update […]

### Summary When a customer changes their email address after requesting a password reset, the old password reset link (tied to the previous email) remains valid. An attacker with access to the old email inbox is potentially able to reset the customer’s password even after the user changes their email address. ### PoC 1. Log in to a Shopware account. 2. Request a password reset for your current email address. 3. Copy the password reset link but do not open it. 4. Log back into your account.n 5. Navigate to Account Settings → Email and change your email address. 6. Use the previously copied reset link (from before the email change). 7. The system allows password change using the old link. ### Impact Reproduced on Stable 6.6.10.7 and trunk.

## Summary Dragging a file whose filename contains HTML is reflected verbatim into the page via the drag-and-drop helper, so any user who drops a crafted file on PrivateBin will execute arbitrary JavaScript within their own session (self-XSS). This allows an attacker who can entice a victim to drag or otherwise attach such a file to exfiltrate plaintext, encryption keys, or stored pastes before they are encrypted or sent. **Note 1:** as the malicious filename must contain the `>` character, the victim must not be using Windows for this to work, since this OS simply forbids this character in filenames. **Note 2:** most PrivateBin instances use the Content-Security-Policy header to prevent most use-cases of this vulnerability. This report will describe the impact as if this header had been disabled by the PrivateBin instance owner. ## Affected versions PrivateBin versions since 1.7.7. ## Conditions * Only macIOS or Linux users are affected, due to the way the `>` character is trea...

## Summary An unauthenticated Local File Inclusion exists in the template-switching feature: if `templateselection` is enabled in the configuration, the server trusts the `template` cookie and includes the referenced PHP file. An attacker can read sensitive data or, if they manage to drop a PHP file elsewhere, gain RCE. ## Affected versions PrivateBin versions since 1.7.7. ## Conditions - `templateselection` got enabled in `cfg/conf.php` - Visitor sets a cookie `template` pointing to an existing PHP file without it's suffix, using a path relative to the `tpl` folder. Absolute paths do not work. ## Impact The constructed path of the template file is checked for existence, then included. For PrivateBin project files this does not leak any secrets due to data files being created with PHP code that prevents execution, but if a configuration file without that line got created or the visitor figures out the relative path to a PHP script that directly performs an action without appropr...

A new US law enforcement initiative is aimed at crypto fraudsters targeting Americans—and now seeks to seize infrastructure it claims is crucial to notorious scam compounds.

A kitchen-sink approach to building containers has loaded many with vulnerabilities. A handful of companies are trying to slim them down.

A self-replicating attack led to a tidal wave of malicious packages in the NPM registry, targeting tokens for the tea.xyz protocol.

November Microsoft Patch Tuesday. A total of 65 vulnerabilities. I’m not comparing this with the October report because I’ve decided to cover only MSPT-day vulnerabilities. The thing is, Microsoft has started massively adding Linux-product vulnerabilities to their official website, and these clutter the “extended” MSPT reports. 🤷‍♂️ There is one vulnerability with evidence of in-the-wild […]

npm package `expr-eval` is vulnerable to Prototype Pollution. An attacker with access to express eval interface can use JavaScript prototype-based inheritance model to achieve arbitrary code execution. The npm expr-eval-fork package resolves this issue.