#auth

### Summary In Bagisto v2.3.7, the TinyMCE image upload functionality allows an attacker with sufficient privileges (e.g. admin) to upload a crafted SVG file containing embedded JavaScript. When viewed, the malicious code executes in the context of the admin/user’s browser. ### Details The underlying problem is that SVG is XML/markup, so when it is uploaded and then directly rendered or embedded, script or event handlers within are allowed to run unless sanitized. In Bagisto, the integration of TinyMCE’s image upload (or media manager) may accept SVG files without sanitizing or rejecting unsafe content. When the SVG is later included (inline or via object/embed) in content displayed in admin or UI, the browser may execute the script portion of the SVG. The application might not validate the file content (i.e. inspect the SVG XML) or strip <script>, onload, onclick, foreignObject, xlink:href injection, objects/embed tags, etc. ### PoC Navigate to any forms with TinyMCE editor. Attempt...

## Summary Strapi's password hashing implementation using bcryptjs lacks maximum password length validation. Since bcryptjs truncates passwords exceeding 72 bytes, this creates potential vulnerabilities such as authentication bypass and performance degradation. ## POC Create an admin user with a password exceeding 72 characters like 85, Log in using only the first 72 characters of the password. Authentication is successful, confirming the issue. Proposed Solution Based on discussions: Add a maximum password length validation (72 characters) during password creation and updates for both Admin and U&P users. Truncate passwords exceeding 72 bytes on the server before passing them to bcryptjs during login. Optionally, issue a warning to users with passwords longer than 72 bytes during login, informing them of truncation. ## Impact This issue affects all Strapi installations using bcryptjs for password hashing. Until resolved, it can lead to: Authentication Bypass: Users may unknowing...

A security vulnerability has been detected in Shazwazza Smidge up to 4.5.1. The impacted element is an unknown function of the component Bundle Handler. The manipulation of the argument Version leads to path traversal. Remote exploitation of the attack is possible. Upgrading to version 4.6.0 is sufficient to resolve this issue. It is recommended to upgrade the affected component.

### Summary It's possible to access any private fields by filtering through the lookup parameters ### Details Using the new lookup operator provided by the document service in Strapi 5, it is not properly sanitizing this query operator for private fields. ### PoC 1. Create a strapi app. 2. Create a content-type 3. In the content-type you make a new entry 4. Go back to the list view 4. Add `&lookup[updatedBy][password][$startsWith]=$2` to the end of your url (All passwords start with $2) see that all entries are still there 6. Add `&lookup[updatedBy][password][$startsWith]=$3` see the entry disappear proving that the search above works ### Impact An attacker can perform filtering attacks on everything related to the object, including admin passwords and reset-tokens. This means that they can gain full access to the strapi instance.

### Summary In Bagisto v2.3.7, the TinyMCE image upload functionality allows an attacker with sufficient privileges (e.g. admin) to upload a crafted HTML file containing embedded JavaScript. When viewed, the malicious code executes in the context of the admin/user’s browser. ### Details The application blocks the uploading of HTML files; however, if the backend detected that the content of the .png file is HTML or JavaScript, the file extension will be automatically converted from .png to .html. When the HTML is viewed, it will execute the JavaScript code. ### PoC Created a html file, renamed the extension to .png, and uploaded the file. It was converted to HTML file in the backend. When opened in another tab, the JavaScript code will execute. <img width="1605" height="702" alt="image" src="https://github.com/user-attachments/assets/bd9406aa-2380-464f-ac21-32d483639969" /> <img width="1358" height="314" alt="image" src="https://github.com/user-attachments/assets/e5a64a5a-39fb-4fdb-ad...

A misconfigured server belonging to Indian company NetcoreCloud exposed 40 billion records and 13.4TB of data, revealing sensitive…

This edition highlights the detailed studies that have been recently published on how ransomware attacks affect victims, from PTSD to burnout, and discusses ways to help deal with the fallout of victimization.

An unauthenticated absolute and relative path traversal vulnerability exists in the smart home/building automation platform via the /ajax/php/get_file_content.php endpoint. By supplying a crafted 'file' POST parameter, a remote attacker can read arbitrary files from the server's file system, resulting in sensitive information disclosure.

The EVE X1 server suffers from an unauthenticated OS command injection vulnerability. This can be exploited to inject and execute arbitrary shell commands through the 'mbus_file' and 'mbus_csv' HTTP POST parameters through /ajax/php/mbus_build_from_csv.php script.

Input passed to the GET parameter 'error' is not properly sanitised before being returned to the user. This can be exploited to execute arbitrary HTML/JS code in a user's browser session in context of an affected site.