Security Headlines

Tag: #auth

GHSA-9mv7-3c64-mmqw: xml2rfc is vulnerable to arbitrary file reads through prepped files

### Impact

When generating PDF files, this vulnerability allows an attacker to read arbitrary files from the filesystem by injecting a malicious `link` element into the prepped RFCXML.

### Workarounds

Check untrusted input for `link` elements with `rel="attachment"` before processing it.

### References

This is related to [GHSA-cfmv-h8fx-85m7](https://github.com/ietf-tools/xml2rfc/security/advisories/GHSA-cfmv-h8fx-85m7).

Source: ghsa. Tags: #vulnerability #web #git #pdf #auth
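The workaround above is a pre-processing check. The script below is an added example, not xml2rfc's own code: it walks a (constructed) RFCXML document, lists every `link` element with `rel="attachment"`, and reports those whose `href` is not an `https` URL. The allow-list policy (only `https` attachments pass; `file:` URLs, absolute and relative paths are rejected) is an assumption made for the example, as is the sample document.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

# Constructed RFCXML fragment for this example (not a real draft). It carries one
# benign link, one rel="attachment" link with a file: URL and one with a relative
# path; the last two are the kind of element the advisory warns about.
SAMPLE_RFCXML = """<rfc version="3">
  <link href="https://example.org/draft-example" rel="describedBy"/>
  <link href="file:///etc/passwd" rel="attachment"/>
  <link href="../../../../etc/shadow" rel="attachment"/>
  <front><title>Example</title></front>
</rfc>
"""


def attachment_links(xml_text):
    """Return the href of every <link rel="attachment"> in document order."""
    root = ET.fromstring(xml_text)
    return [
        el.get("href", "")
        for el in root.iter("link")
        if el.get("rel", "").strip().lower() == "attachment"
    ]


def suspicious_attachment_links(xml_text, allowed_schemes=("https",)):
    """Attachment links whose href is not a URL with an allowed scheme.

    The allow-list is an assumption for this example: anything that is not an
    https URL (file: URLs, bare paths, relative paths) is reported so the caller
    can reject the document before handing it to the PDF generator.
    """
    return [
        href
        for href in attachment_links(xml_text)
        if urlparse(href).scheme.lower() not in allowed_schemes
    ]


def is_safe_to_process(xml_text):
    """True when the document carries no suspicious attachment links."""
    return not suspicious_attachment_links(xml_text)


if __name__ == "__main__":
    for href in suspicious_attachment_links(SAMPLE_RFCXML):
        print("rejecting attachment link:", href)
    print("safe to process:", is_safe_to_process(SAMPLE_RFCXML))
```

Run the check on the prepped XML before invoking the PDF step and refuse the job when it reports anything. When the XML itself comes from an untrusted party, parse it with `defusedxml` instead of the stock `xml.etree` parser so entity-expansion tricks do not turn the pre-check into another problem.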
GHSA-jxmr-2h4q-rhxp: WebSocket endpoint `/api/v2/ws/logs` reachable without authentication even when --auth is enabled

### Summary

Hoverfly's admin WebSocket endpoint `/api/v2/ws/logs` is not protected by the same authentication middleware that guards the REST admin API. Consequently, an unauthenticated remote attacker can:

- Stream real-time application logs (information disclosure).
- Gain insight into internal file paths, request/response bodies, and other potentially sensitive data emitted in logs.

### PoC

1. Start Hoverfly with authentication enabled:

   ```
   ./hoverfly -auth
   ```

2. Confirm that the REST API requires credentials:

   ```
   curl -i http://localhost:8888/api/v2/hoverfly/version
   ```

3. Connect to the WebSocket endpoint without credentials (the stream starts once any message is sent):

   ```
   wscat -c ws://localhost:8888/api/v2/ws/logs
   Connected (press CTRL+C to quit)
   > hi!
   < {"logs":[{"level":"info","msg":"Log level set to verbose","time":"2025-07-20T17:07:00+05:30"},{...
   ```
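The gap described above is a route-registration problem: the authentication check is a wrapper applied route by route, and one route was registered outside it. The sketch below is an added example, not Hoverfly's code (Hoverfly is written in Go and its real middleware and handlers differ). It shows a bearer-token wrapper, an admin route table built with and without the WebSocket route protected, and an audit helper that walks every registered admin route and reports the ones that answer a request carrying no credentials. The token value, the handler bodies and the route set are constructed for the example.

```python
# Constructed admin token for the example; a real server would validate a
# session or JWT here rather than compare against a constant.
ADMIN_TOKEN = "example-admin-token"


def require_auth(handler):
    """Wrap a handler so it answers 401 unless the request carries the admin token."""
    def wrapped(request):
        header = request.get("headers", {}).get("Authorization", "")
        if header != f"Bearer {ADMIN_TOKEN}":
            return 401, "unauthorized"
        return handler(request)
    return wrapped


def version_handler(request):
    return 200, '{"version":"example"}'


def ws_logs_handler(request):
    # Stands in for the WebSocket upgrade handler. The upgrade mechanics do not
    # matter for the bug; what matters is whether this route sits behind
    # require_auth like the REST routes do.
    return 101, "switching protocols: log stream follows"


def build_admin_routes(protect_ws):
    """Route table for the admin API.

    protect_ws=False reproduces the flaw: the REST route is wrapped, the
    WebSocket route is registered bare. protect_ws=True is the fixed layout.
    """
    routes = {"/api/v2/hoverfly/version": require_auth(version_handler)}
    if protect_ws:
        routes["/api/v2/ws/logs"] = require_auth(ws_logs_handler)
    else:
        routes["/api/v2/ws/logs"] = ws_logs_handler
    return routes


def dispatch(routes, path, headers=None):
    """Return the status code the server would answer for path with headers."""
    handler = routes.get(path)
    if handler is None:
        return 404
    status, _body = handler({"path": path, "headers": headers or {}})
    return status


def unauthenticated_routes(routes):
    """Audit: every admin route must reject a request with no credentials.

    Returns the paths that respond with anything other than 401 when called
    without an Authorization header; an empty list means full coverage.
    """
    return sorted(path for path in routes if dispatch(routes, path) != 401)


if __name__ == "__main__":
    for protect in (False, True):
        table = build_admin_routes(protect)
        print(f"protect_ws={protect}: open routes = {unauthenticated_routes(table)}")
```

The audit helper is the part worth keeping: a test that enumerates the real router's admin routes and asserts each one answers 401 without credentials catches this class of bug the moment a new endpoint is registered outside the middleware, whether it speaks HTTP or WebSocket.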

GHSA-7cf7-9wrr-vrf4: Indico vulnerable to Cross-Site Scripting via LaTeX math code

### Impact

There is a Cross-Site Scripting vulnerability when rendering LaTeX math code in contribution or abstract descriptions.

### Patches

You should update to [Indico 3.3.8](https://github.com/indico/indico/releases/tag/v3.3.8) as soon as possible. See [the docs](https://docs.getindico.io/en/stable/installation/upgrade/) for instructions on how to update.

### Workarounds

Only let trustworthy users create content on Indico. Note that a conference doing a Call for Abstracts actively invites external speakers (whom the organizers may not know and thus cannot fully trust) to submit content, hence the need to update to a fixed version as soon as possible, in particular when using such workflows.

### For more information

If you have any questions or comments about this advisory:

- Open a thread in [our forum](https://talk.getindico.io/)
- Email us privately at [indico-team@cern.ch](mailto:indico-team@cern.ch)

GHSA-4269-mcfh-cp7q: Indico may disclose user details to unauthorized users via legacy API

### Impact

A legacy API to retrieve user details could be misused to retrieve profile details of other users without having admin permissions, due to a broken access check.

### Patches

You should update to [Indico 3.3.8](https://github.com/indico/indico/releases/tag/v3.3.8) as soon as possible. See [the docs](https://docs.getindico.io/en/stable/installation/upgrade/) for instructions on how to update.

### Workarounds

It is possible to restrict access to the affected API (e.g. in the webserver config); it is most likely unused anyway, so blocking it will not break anything.

### For more information

If you have any questions or comments about this advisory:

- Open a thread in [our forum](https://talk.getindico.io/)
- Email us privately at [indico-team@cern.ch](mailto:indico-team@cern.ch)

GHSA-xp8g-32qh-mv28: Decap CMS Cross Site Scripting (XSS) vulnerability

A Cross Site Scripting (XSS) vulnerability exists in Decap CMS through 3.8.3. Input fields such as body, tags, title, and description are not properly sanitized before being rendered in the content preview pane. This enables an attacker to inject arbitrary JavaScript which executes whenever a user views the preview panel. The vulnerability affects multiple input vectors and requires no user interaction beyond viewing the affected content.

GHSA-66x6-8jgv-qpfh: Liferay Portal and Liferay DXP vulnerable to Stored Cross-site Scripting

Stored cross-site scripting (XSS) vulnerability in Liferay Portal 7.4.3.45 through 7.4.3.128, and Liferay DXP 2024 Q2.0 through 2024.Q2.9, 2024.Q1.1 through 2024.Q1.12, and 7.4 update 45 through update 92 allows remote attackers to execute an arbitrary web script or HTML in the My Workflow Tasks page.

GHSA-w765-jm6w-4hhj: Webrecorder packages are vulnerable to XSS through 404 error handling logic

A Reflected Cross-Site Scripting (XSS) vulnerability exists in the 404 error handling logic of wabac.js v2.23.10 and below. The parameter `requestURL` (derived from the original request target) is directly embedded into an inline `<script>` block without sanitization or escaping. This allows an attacker to craft a malicious URL that executes arbitrary JavaScript in the victim's browser. The scope may be limited by CORS policies, depending on the situation in which wabac.js is used.

### Patches

The vulnerability is fixed in wabac.js v2.23.11.
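The mechanism above (a request-derived string dropped into an inline `<script>` block) is worth seeing next to its fix. The code below is an added example and is not wabac.js's own code or its actual patch; the 404 page markup, the `show()` call and the payload are constructed for the illustration. It renders the same page twice, once by raw interpolation and once with the value serialised as a JavaScript string literal in which `<`, `>` and `&` are written as `\uXXXX` escapes, so the literal can never close the script element early or open an HTML comment.

```python
import json

# Constructed request target for the example: it tries to close the inline
# script block early and inject markup that would run as script.
PAYLOAD = '</script><img src=x onerror=alert(1)>'


def render_404_unsafe(request_url):
    """The vulnerable pattern: the request target goes straight into an inline
    <script> block, so a crafted URL breaks out of the string literal or out of
    the script element altogether."""
    return (
        "<!doctype html><h1>Not found</h1>"
        f'<script>var requestURL = "{request_url}"; show(requestURL);</script>'
    )


def js_string_literal(value):
    """Serialise value as a JavaScript string literal that is safe inside an
    inline <script> block.

    json.dumps already yields a valid literal: quotes and backslashes are
    escaped and, with the default ensure_ascii=True, every non-ASCII character
    (including the line terminators U+2028/U+2029) becomes \\uXXXX. The extra
    replacements keep '<', '>' and '&' out of the output so the literal can
    never contain '</script>', '<!--' or '-->'.
    """
    literal = json.dumps(value)
    return (
        literal.replace("<", "\\u003c")
        .replace(">", "\\u003e")
        .replace("&", "\\u0026")
    )


def render_404_safe(request_url):
    """Same page, with the value embedded as an escaped JS literal."""
    return (
        "<!doctype html><h1>Not found</h1>"
        f"<script>var requestURL = {js_string_literal(request_url)}; show(requestURL);</script>"
    )


def literal_round_trips(value):
    """The escaping must not alter the value the page's script receives."""
    return json.loads(js_string_literal(value)) == value


if __name__ == "__main__":
    print(render_404_unsafe(PAYLOAD))
    print(render_404_safe(PAYLOAD))
```

The same rule applies in JavaScript itself (`JSON.stringify` followed by the three replacements) and is what template engines with a script context do for you; HTML-escaping the value with `&lt;` is the wrong tool here, because inside a `<script>` block the browser does not decode entities.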

New Fileless Malware Attack Uses AsyncRAT for Credential Theft

LevelBlue Labs reports AsyncRAT delivered through a fileless attack chain using ScreenConnect, enabling credential theft and persistence.

Ransomware attack at blood center: Org tells users their data's been stolen

The New York Blood Center has started sending out data breach notifications to those affected by a recent ransomware attack.

CHILLYHELL macOS Backdoor and ZynorRAT RAT Threaten macOS, Windows, and Linux Systems

Cybersecurity researchers have discovered two new malware families, including a modular Apple macOS backdoor called CHILLYHELL and a Go-based remote access trojan (RAT) named ZynorRAT that can target both Windows and Linux systems. According to an analysis from Jamf Threat Labs, ChillyHell is written in C++ and is developed for Intel architectures. CHILLYHELL is the name assigned to a malware