Security
Headlines
HeadlinesLatestCVEs

Tag

#auth

GHSA-wvv5-5g6x-hp7j: MCMS reflected cross-site scripting (XSS) vulnerability

A reflected cross-site scripting (XSS) vulnerability in MCMS v6.0.1 allows attackers to execute arbitrary Javascript in the context of a user's browser via a crafted payload.

ghsa
Open in Source
#xss#vulnerability#java#auth
GHSA-xcg2-9pp4-j82x: rollbar vulnerable to Prototype Pollution in merge()

### Impact Prototype pollution vulnerability in merge(). If application code calls `rollbar.configure()` with untrusted input, prototype pollution is possible. ### Patches Fixed in 2.26.5 and 3.0.0-beta5. ### Workarounds Ensure that values passed to `rollbar.configure()` do not contain untrusted input. ### References Fixed in https://github.com/rollbar/rollbar.js/pull/1394 (2.26.x) and https://github.com/rollbar/rollbar.js/pull/1390 (3.x)

Medusa Ransomware Leaks 834 GB of Comcast Data After $1.2M Demand

Medusa ransomware leaks 186 GB of Comcast data, claiming 834 GB stolen after a $1.2M ransom demand apparently went unpaid.

GHSA-3qcp-9v8c-6jp7: Piranha CMS vulnerable to stored cross-site scripting (XSS)

A stored cross-site scripting (XSS) vulnerability in the /manager/pages component of Piranha CMS v12.1 allows attackers to execute arbitrary web scripts or HTML via creating a page and injecting a crafted payload into the Markdown blocks.

Strings in the maze: Finding hidden strengths and gaps in your team

In this week’s newsletter, Bill explores how open communication about your skills and experience can help your security team uncover hidden gaps, strengthen your defenses, and better prepare for ever-present threats.

Thousands of online stores at risk as SessionReaper attacks spread

A Magento bug called SessionReaper is doing the rounds, and researchers warn it’s letting attackers hijack real shopping sessions.

GHSA-j3w7-9qc3-g96p: Kottster app reinitialization can be re-triggered allowing command injection in development mode

### Impact **Development mode only**. Kottster contains a pre-authentication remote code execution (RCE) vulnerability when running in development mode. The vulnerability combines two issues: 1. The `initApp` action can be called repeatedly without checking if the app is already initialized, allowing attackers to create a new root admin account and obtain a JWT token 2. The `installPackagesForDataSource` action uses unescaped command arguments, enabling command injection An attacker with access to a locally running development instance can chain these vulnerabilities to: - Reinitialize the application and receive a JWT token for a new root account - Use this token to authenticate - Execute arbitrary system commands through `installPackagesForDataSource` **Production deployments were never affected.** ### Patches Fixed in [v3.3.2](https://github.com/kottster/kottster/releases/tag/v3.3.2). Specifically, `@kottster/server` [v3.3.2](https://www.npmjs.com/package/@kottster/server/v/3...

GHSA-jp7h-4f3c-9rc7: OpenBao AWS Plugin Vulnerable to Cross-Account IAM Role Impersonation in AWS Auth Method

### Impact This is a cross-account impersonation vulnerability in the `auth-aws` plugin. The vulnerability allows an IAM role from an untrusted AWS account to authenticate by impersonating a role with the **same name** in a trusted account, leading to unauthorized access. This impacts all users of the `auth-aws` plugin who operate in a multi-account AWS environment where IAM role names may not be unique across accounts. The core of the vulnerability is a flawed caching mechanism that fails to validate the AWS Account ID during authentication. While the use of wildcards in a `bound_iam_principal_arn configuration` significantly increases the attack surface, **wildcards are not a prerequisite for exploitation**. The vulnerability can be exploited with specific ARN bindings if a role name collision occurs. Successful exploitation can lead to unauthorized access to secrets, data exfiltration, and privilege escalation. Given that the only prerequisite is a duplicate role name, the severi...

GHSA-j82q-c85j-xw4w: Liferay Portal and DXP do not properly restrict access to OpenAPI

Liferay Portal 7.4.0 through 7.4.3.109, and Liferay DXP 2023.Q4.0 through 2023.Q4.5, 2023.Q3.1 through 2023.Q3.7, 7.4 GA through update 92, and older unsupported versions does not properly restrict access to OpenAPI in certain circumstances, which allows remote attackers to access the OpenAPI YAML file via a crafted URL.

GHSA-64w3-5q9m-68xf: Keycloak does not invalidate sessions when "Remember Me" is disabled

A flaw was found in Keycloak. Keycloak does not immediately enforce the disabling of the "Remember Me" realm setting on existing user sessions. Sessions created while "Remember Me" was active retain their extended session lifetime until they expire, overriding the administrator's recent security configuration change. This is a logic flaw in session management increases the potential window for successful session hijacking or unauthorized long-term access persistence. The flaw lies in the session expiration logic relying on the session-local "remember-me" flag without validating the current realm-level configuration.