#auth

## Summary ## The *Command Execution* feature of Filebrowser only allows the execution of shell command which have been predefined on a user-specific allowlist. The implementation of this allowlist is erroneous, allowing a user to execute additional commands not permitted. ## Impact ## A user can execute more shell commands than they are authorized for. The concrete impact of this vulnerability depends on the commands configured, and the binaries installed on the server or in the container image. Due to the missing separation of *scopes* on the OS-level, this could give an attacker access to all files managed the application, including the File Browser database. ## Vulnerability Description ## For a user to make use of the command execution feature, two things need to happen in advance: 1. An administrator needs to grant that account the `Execute commands` permission 2. The command to be executed needs to be listed in the `Commands` input field (also done by an administrator) If...

## Summary URLs that are accessed by a user are commonly logged in many locations, both server- and client-side. It is thus good practice to never transmit any secret information as part of a URL. The *Filebrowser* violates this practice, since access tokens are used as GET parameters. ## Impact The *JSON Web Token (JWT)* which is used as a session identifier will get leaked to anyone having access to the URLs accessed by the user. This will give the attacker full access to the user's account and, in consequence, to all sensitive files the user has access to. ## Description Sensitive information in URLs is logged by several components (see the following examples), even if access is protected by TLS. * The browser history * The access logs on the affected web server * Proxy servers or reverse proxy servers * Third-party servers via the HTTP referrer header In case attackers can access certain logs, they could read the included sensitive data. ## Proof of Concept ## When a file ...

Agents with the Federal Bureau of Investigation (FBI) briefed Capitol Hill staff recently on hardening the security of their mobile devices, after a contacts list stolen from the personal phone of the White House Chief of Staff Susie Wiles was reportedly used to fuel a series of text messages and phone calls impersonating her to U.S. lawmakers. But in a letter this week to the FBI, one of the Senate's most tech-savvy lawmakers says the feds aren't doing enough to recommend more appropriate security protections that are already built into most consumer mobile devices.

This week on the Lock and Code podcast, we speak with Becky Holmes about how she tricks, angers, and jabs at romance scammers online.

Europol on Monday announced the takedown of a cryptocurrency investment fraud ring that laundered €460 million ($540 million) from more than 5,000 victims across the world. The operation, the agency said, was carried out by the Spanish Guardia Civil, along with support from law enforcement authorities from Estonia, France, and the United States. Europol said the investigation into the syndicate

Palo Alto, California, 30th June 2025, CyberNewsWire

We've seen several spikes in Android threats since the start of 2025. Here's how to protect yourself.

Unidentified hackers breached a Norwegian dam's control system in April, opening its valve for hours due to a weak password. Learn how simple vulnerabilities threaten critical infrastructure.

Grocery giant Ahold Delhaize USA faced a major data breach affecting over 2.2 million employees. Learn what sensitive info was stolen and the ransomware group behind the Nov 2024 attack.

In Akka through 2.10.6, akka-cluster-metrics uses Java serialization for cluster metrics.