Latest News

An attempt to drop two RATs on a system used an uncanny assortment of legitimate Windows tools.

Overriding RegExp serialization with extremely large patterns can **exhaust JavaScript runtime memory** during deserialization. Additionally, overriding RegExp serialization with patterns that trigger **catastrophic backtracking** can lead to ReDoS (Regular Expression Denial of Service). **Mitigation**: `Seroval` introduces `disabledFeatures` (a bitmask) in serialization/deserialization methods, with `Feature.RegExp` as a dedicated flag. **Users are recommended to configure `disabledFeatures` to disable RegExp serialization entirely.**

A critical deserialization vulnerability exists in Tendenci Helpdesk module (NOTE, by default, Helpdesk is NOT enabled), affecting the version 15.3.11 and earlier. This vulnerability allows remote code execution (RCE) by an authenticated user with staff security level due to using Python's pickle module on the helpdesk /reports/. The damage is contained to the user that your Tendenci application runs. **Key Finding:** The original CVE-2020-14942 was incompletely patched. While `ticket_list()` was fixed to use safe JSON deserialization, the `run_report()` function still uses unsafe `pickle.loads()`. **Permission Scoping:** The impact is limited to the permissions of the user running the application, typically www-data, which generally lacks write (except for upload directories) and execute permissions. ## Vulnerability Details ### Affected Version - **Version:** Tendenci 15.3.11 and earlier (all versions since incomplete CVE-2020-14942 patch) - **Component:** `tendenci/apps/helpdesk...

### Summary Context race condition when using `useGraphQLModules` plugin ### Details Related to: https://github.com/graphql-hive/graphql-modules/security/advisories/GHSA-53wg-r69p-v3r7 When 2 or more parallel requests are made which trigger the same service, the context of the requests is mixed up in the service when the context is injected via @ExecutionContext() and graphql-modules are used in Yoga with `useGraphQLModules(application)`. This issue was fixed in `graphql-modules` in `2.4.1` and `3.1.1` but using `useGraphQLModules` will bypass the `async_hooks` fix that was implemented. ### PoC Create the following `package.json` and run `npm i` ```json { "name": "poc", "scripts": { "compile": "tsc", "start": "npm run compile && node ./dist/src/index.js", "test": "npm run compile && node ./dist/test/bleedtest.js" }, "dependencies": { "@envelop/graphql-modules": "^9.0.0", "graphql-yoga": "^5.0.0", "graphql": "^16.10.0", "graphql-modules": "3.1.1...

# Security Disclosure: Improper validation of configured threshold for delegations ## Summary A compromised or misconfigured TUF repository can have the configured value of signature thresholds set to 0, which effectively disables signature verification. ## Impact Unathorized modification to TUF metadata files is possible at rest, or during transit as no integrity checks are made. ## Patches Upgrade to v2.3.1 ## Workarounds Always make sure that the TUF metadata roles are configured with a threshold of at least 1. ## Affected code: The `metadata.VerifyDelegate` did not verify the configured threshold prior to comparison. This means that a misconfigured TUF repository could disable the signature verification by setting the threshold to 0, or a negative value (and so always make the signature threshold computation to pass).

# Security Disclosure: Client DoS via malformed server response ## Summary If the TUF repository (or any of its mirrors) returns invalid TUF metadata JSON (valid JSON but not well formed TUF metadata), the client will panic _during parsing_, causing a DoS. The panic happens before any signature is validated. This means that a compromised repository/mirror/cache can DoS clients without having access to any signing key. ## Impact Client crashes upon receiving and parsing malformed TUF metadata. This can cause long running services to enter an restart/crash loop. ## Workarounds None currently. ## Affected code The `metadata.checkType` function did not properly type assert the (untrusted) input causing it to panic on malformed data.

### Summary A signature forgery vulnerability exists in the SM2 signature verification logic of sm-crypto. Under default configurations, an attacker can forge valid signatures for arbitrary public keys. If the message space contains sufficient redundancy, the attacker can fix the prefix of the message associated with the forged signature to satisfy specific formatting requirements. ### Credit This vulnerability was discovered by: - XlabAI Team of Tencent Xuanwu Lab - Atuin Automated Vulnerability Discovery Engine

### Summary A signature malleability vulnerability exists in the SM2 signature verification logic of the sm-crypto library. An attacker can derive a new valid signature for a previously signed message from an existing signature. ### Credit This vulnerability was discovered by: - XlabAI Team of Tencent Xuanwu Lab - Atuin Automated Vulnerability Discovery Engine

### Summary A private key recovery vulnerability exists in the SM2 decryption logic of sm-crypto. By interacting with the SM2 decryption interface multiple times, an attacker can fully recover the private key within approximately several hundred interactions. ### Credit This vulnerability was discovered by: - XlabAI Team of Tencent Xuanwu Lab - Atuin Automated Vulnerability Discovery Engine

# SQL Injection in CustomerTransformerController ## Summary An **error-based SQL Injection vulnerability** was identified in the `CustomerTransformerController` within the CoreShop admin panel. The affected endpoint improperly interpolates user-supplied input into a SQL query, leading to database error disclosure and potential data extraction. This issue is classified as **MEDIUM severity**, as it allows SQL execution in an authenticated admin context. --- ## Details The vulnerability exists in the company name duplication check endpoint: ``` /admin/coreshop/customer-company-modifier/duplication-name-check?value= ``` Source code analysis indicates that user input is directly embedded into a SQL condition without parameterization. **Vulnerable file:** ``` /app/repos/coreshop/src/CoreShop/Bundle/CustomerBundle/Controller/CustomerTransformerController.php ``` **Vulnerable code pattern:** ```php sprintf('name LIKE "%%%s%%"', (string) $value) ``` The `$value` parameter is fully u...