Security Headlines

Tag: #auth
GHSA-ff77-26x5-69cr: Apache Tomcat Rewrite rule bypass

Improper Neutralization of Escape, Meta, or Control Sequences vulnerability in Apache Tomcat. For a subset of unlikely rewrite rule configurations, it was possible for a specially crafted request to bypass some rewrite rules. If those rewrite rules effectively enforced security constraints, those constraints could be bypassed. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.5, from 10.1.0-M1 through 10.1.39, from 9.0.0.M1 through 9.0.102. Users are recommended to upgrade to version 9.0.104, 10.1.40 or 11.0.6, which fix the issue.

Tags: ghsa, vulnerability, web, apache, auth
GHSA-c8hm-hr8h-5xjw: n8n Vulnerable to Stored XSS through Attachments View Endpoint

### Impact

n8n workflows can store and serve binary files, which are accessible to authenticated users. However, there was no restriction on the MIME type of uploaded files, and the MIME type could be controlled via a GET parameter. This allowed the server to respond with any MIME type, potentially enabling malicious content to be interpreted and executed by the browser. An authenticated attacker with member-level permissions could exploit this by uploading a crafted HTML file containing malicious JavaScript. When another user visits the binary data endpoint with the MIME type set to text/html, the script executes in the context of the user’s session. This script could, for example, send a request to change the user’s email address in their account settings, effectively enabling account takeover.

### Patches

- [n8n@1.90.0](https://github.com/n8n-io/n8n/releases/tag/n8n%401.90.0)

### Credit

We would like to thank @Mahmoud0x00 for reporting this issue.

BreachForums Displays Message About Shutdown, Cites MyBB 0day Flaw

BreachForums posts a PGP-signed message explaining the sudden April 2025 shutdown. Admins cite MyBB 0day vulnerability impacting the…

Employee monitoring app exposes users, leaks 21+ million screenshots

WorkComposer, an employee monitoring app, has leaked millions of screenshots through an unprotected AWS S3 bucket.

JokerOTP Dismantled After 28,000 Phishing Attacks, 2 Arrested

JokerOTP dismantled after 28,000 phishing attacks across 13 countries; UK and Dutch police arrest two suspects linked to £7.5M cyber fraud.

Car Subscription Features Raise Your Risk of Government Surveillance, Police Records Show

Records reviewed by WIRED show law enforcement agencies are eager to take advantage of the data trails generated by a flood of new internet-connected vehicle features.

IR Trends Q1 2025: Phishing soars as identity-based attacks persist

This quarter, phishing attacks surged as the primary method for initial access. Learn how you can detect and prevent pre-ransomware attacks.

Hackers Exploit Critical Craft CMS Flaws; Hundreds of Servers Likely Compromised

Threat actors have been observed exploiting two newly disclosed critical security flaws in Craft CMS in zero-day attacks to breach servers and gain unauthorized access. The attacks, first observed by Orange Cyberdefense SensePost on February 14, 2025, involve chaining the below vulnerabilities - CVE-2024-58136 (CVSS score: 9.0) - An improper protection of alternate path flaw in the Yii PHP