#auth

A credential disclosure vulnerability was found in Grype, affecting versions `v0.68.0` through `v0.104.0`. If registry credentials are defined and the output of grype is written using the `--file` or `--output json=<file>` option, the registry credentials will be included unsanitized in the output file. ## Impact In Grype versions `v0.68.0` through `v0.104.0`, when registry authentication is configured, those credentials can be incorrectly included in the output of a Grype scan (regardless of whether those credentials are actively being used for the current scan). Users that do not have registry authentication configured are not affected by this issue. Registry credentials can be set via the Grype configuration file (e.g. `registry.auth[].username`, `registry.auth[].password`, `registry.auth[].token`) or environment variables (e.g., `GRYPE_REGISTRY_AUTH_USERNAME`, `GRYPE_REGISTRY_AUTH_PASSWORD`, `GRYPE_REGISTRY_AUTH_TOKEN`). In order for the authentication details to be improperly ...

View CSAF 1. EXECUTIVE SUMMARY CVSS v4 10.0 ATTENTION: Exploitable remotely/low attack complexity Vendor: Zenitel Equipment: TCIV-3+ Vulnerabilities: OS Command Injection, Out-of-bounds Write, Cross-site Scripting 2. RISK EVALUATION Successful exploitation of these vulnerabilities could result in arbitrary code execution or cause a denial-of-service condition. 3. TECHNICAL DETAILS 3.1 AFFECTED PRODUCTS The following versions of TCIV-3+ are affected: TCIV-3+: All versions prior to 9.3.3.0 3.2 VULNERABILITY OVERVIEW 3.2.1 IMPROPER NEUTRALIZATION OF SPECIAL ELEMENTS USED IN AN OS COMMAND ('OS COMMAND INJECTION') CWE-78 An OS command injection vulnerability exists due to improper input validation. The application accepts a parameter directly from user input without verifying it is a valid IP address or filtering potentially malicious characters. This could allow an unauthenticated attacker to inject arbitrary commands. CVE-2025-64126 has been assigned to this vulnerability. A CVSS v3 base ...

View CSAF 1. EXECUTIVE SUMMARY CVSS v3 9.8 ATTENTION: Exploitable remotely/Low attack complexity Vendor: Festo Equipment: Compact Vision System, Control Block, Controller, and Operator Unit products Vulnerabilities: Exposure of Resource to Wrong Sphere, Initialization of a Resource with an Insecure Default 2. RISK EVALUATION Successful exploitation of these vulnerabilities could result in an attacker accessing devices without authentication or modifying configuration files. 3. TECHNICAL DETAILS 3.1 AFFECTED PRODUCTS Festo reports that the following products are affected: Festo Software Compact Vision System SBO-Q-: All Versions Festo Software Control block CPX-CEC-C1 Codesys V2: All Versions Festo Software Control block CPX-CEC-C1-V3 Codesys V3: All Versions Festo Software Control block CPX-CEC Codesys V2: All Versions Festo Software Control block CPX-CEC-M1 Codesys V2: All Versions Festo Software Control block CPX-CEC-M1-V3 Codesys V3: All Versions Festo Software Control block CPX-CEC...

View CSAF 1. EXECUTIVE SUMMARY CVSS v4 8.8 ATTENTION: Exploitable remotely/low attack complexity Vendor: SiRcom Equipment: SMART Alert (SiSA) Vulnerability: Missing Authentication for Critical Function 2. RISK EVALUATION Successful exploitation of this vulnerability could enable an attacker to remotely activate or manipulate emergency sirens. 3. TECHNICAL DETAILS 3.1 AFFECTED PRODUCTS The following versions of SiRcom SMART Alert (SiSA), a central control system, are affected: SMART Alert (SiSA): Version 3.0.48 3.2 VULNERABILITY OVERVIEW 3.2.1 Missing Authentication for Critical Function CWE-306 SiRcom SMART Alert (SiSA) allows unauthorized access to backend APIs. This allows an unauthenticated attacker to bypass the login screen using browser developer tools, gaining access to restricted parts of the application. CVE-2025-13483 has been assigned to this vulnerability. A CVSS v3.1 base score of 9.1 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H). A C...

The threat actor known as ToddyCat has been observed adopting new methods to obtain access to corporate email data belonging to target companies, including using a custom tool dubbed TCSectorCopy. "This attack allows them to obtain tokens for the OAuth 2.0 authorization protocol using the user's browser, which can be used outside the perimeter of the compromised infrastructure to access

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Monday issued an alert warning of bad actors actively leveraging commercial spyware and remote access trojans (RATs) to target users of mobile messaging applications. "These cyber actors use sophisticated targeting and social engineering techniques to deliver spyware and gain unauthorized access to a victim's messaging app,

In this October roundup, we cut through the noise to focus on the essential technical blueprints and policy foundations required to succeed. These articles, from key platform updates and critical security integrations to the future of open source legality, represent the core strategic reading for Q4. We highlight how Red Hat Ansible Automation Platform 2.6 streamlines operations, how Red Hat AI 3 and its intelligent control plane transform GPU infrastructure, and how our strategic partnership with NVIDIA simplifies the AI software stack. This is the quarter for planning that prepares your orga

### Impact OMERO.web uses the jquery-form library throughout to handle form submission and response processing. Due to some unpatched potential vulnerabilities in jquery-form, OMERO.web 5.29.2 and earlier may be susceptible to XSS attacks. ### Patches User should upgrade OMERO.web to 5.29.3 or higher. ### Workarounds None. ### Resources https://github.com/jquery-form/form/issues/604

### Summary The BIP-322 signature verification does not enforce the SIGHASH value to be SIGHASH_ALL, and therefore is not strictly following the [spec](https://bips.dev/322/). ### Impact Non-compliant BIP-322 signatures in proof of possessions can be accepted by the chain.

### Summary Adversarial validators can send large vote extensions by using non-existing protobuf tags. This will result in the rejection of the subsequent block proposal. Eventually, all block proposals will be rejected by all validators. ### Impact A small group of adversarial validators can cause a chain halt.