#auth

Microsoft has released its monthly security update for October 2025, addressing 175 Microsoft CVEs and 21 non-Microsoft CVEs. Among these, 17 vulnerabilities are considered critical and 11 are flagged as important and considered more likely to be exploited.

# Microsoft Security Advisory CVE-2025-55315: .NET Security Feature Bypass Vulnerability ## <a name="executive-summary"></a>Executive summary Microsoft is releasing this security advisory to provide information about a vulnerability in ASP.NET Core 10.0 , ASP.NET Core 9.0 , ASP.NET Core 8.0, and ASP.NET Core 2.3. This advisory also provides guidance on what developers can do to update their applications to address this vulnerability. Inconsistent interpretation of http requests ('http request/response smuggling') in ASP.NET Core allows an authorized attacker to bypass a security feature over a network. ## Discussion Discussion for this issue can be found at https://github.com/dotnet/announcements/issues/372 ### <a name="mitigation-factors"></a>Mitigation factors Microsoft has not identified any mitigating factors for this vulnerability. ## <a name="affected-software"></a>Affected software * Any ASP.NET Core 10.0 application running on ASP.NET Core 10.0.0-rc.1.25451.107 or earl...

The proof-of-concept exploit allows an attacker to steal sensitive data from Gmail, Google Accounts, Google Authenticator, Google Maps, Signal, and Venmo.

### Summary An authenticated party can add a malicious name to the Energy entity, allowing for Cross-Site Scripting attacks against anyone who can see the Energy dashboard, when they hover over any information point (The blue bar in the picture below) <img width="955" height="568" alt="1_cens" src="https://github.com/user-attachments/assets/ed855216-c306-4b50-affc-cda100e72b74" /> An alternative, and more impactful scenario, is that the entity gets a malicious name from the provider of the Entity (in this case the energy provider: Tibber), and gets exploited that way, through the default name. ### Details The incriminating entity in my scenario is from the Tibber integration, as shown in the screenshot below: <img width="822" height="309" alt="2_cens" src="https://github.com/user-attachments/assets/d0d5a7aa-8d0c-4dcb-825b-e4cb8ea8885b" /> The exploit should be possible regardless of the Energy integration, as the user can name the entity themselves and as such pick a malicious na...

### Duplicate Advisory This advisory has been withdrawn because it is a duplicate of GHSA-w3q9-fxm7-j8fq. This link is maintained to preserve external references. ### Original Description Improper link resolution before file access ('link following') in .NET allows an authorized attacker to elevate privileges locally.

### Duplicate Advisory This advisory has been withdrawn because it is a duplicate of GHSA-gwq6-fmvp-qp68. This link is maintained to preserve external references. ### Original Description Inadequate encryption strength in .NET, .NET Framework, Visual Studio allows an authorized attacker to disclose information over a network.

Threat actors with ties to China have been attributed to a novel campaign that compromised an ArcGIS system and turned it into a backdoor for more than a year. The activity, per ReliaQuest, is the handiwork of a Chinese state-sponsored hacking group called Flax Typhoon, which is also tracked as Ethereal Panda and RedJuliett. According to the U.S. government, it's assessed to be a publicly-traded

Modern software engineering faces growing complexity across codebases, environments, and workflows. Traditional tools, although effective, rely heavily on…

Gone are the days when extortion was only the plot line of crime dramas—today, these threatening tactics target anyone with a smartphone, especially Gen Z.

Imagine if a rogue app could glimpse tiny bits of your screen—even the parts you thought were secure, like your 2FA codes.