#auth

A vulnerability was found in Apereo CAS 5.2.6. It has been declared as problematic. This vulnerability affects unknown code of the file cas-5.2.6\core\cas-server-core-configuration-metadata-repository\src\main\java\org\apereo\cas\metadata\rest\CasConfigurationMetadataServerController.java. The manipulation of the argument Name leads to inefficient regular expression complexity. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.

A vulnerability was found in Apereo CAS 5.2.6 and classified as critical. Affected by this issue is the function saveService of the file cas-5.2.6\webapp-mgmt\cas-management-webapp-support\src\main\java\org\apereo\cas\mgmt\services\web\RegisteredServiceSimpleFormController.java of the component Groovy Code Handler. The manipulation leads to code injection. The attack may be launched remotely. The complexity of an attack is rather high. The exploitation is known to be difficult. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.

python-markdownify (aka markdownify) before 0.14.1 allows large headline prefixes such as <h9999999> in addition to <h1> through <h6>. This causes memory consumption.

Formidable (aka node-formidable) 2.1.0 through 3.x before 3.5.3 relies on hexoid to prevent guessing of filenames for untrusted executable content; however, hexoid is documented as not "cryptographically secure." (Also, there is a scenario in which only the last two characters of a hexoid string need to be guessed, but this is not often relevant.) NOTE: this does not imply that, in a typical use case, attackers will be able to exploit any hexoid behavior to upload and execute their own content.

Immersive security researchers discovered critical vulnerabilities in Planet Technology network management and switch products, allowing full device control.…

A critical vulnerability (CVE-2025-31324) in SAP NetWeaver Visual Composer puts systems at risk of full compromise. Learn how…

Plus: Cybercriminals stole a record-breaking fortune from US residents and businesses in 2024, and Google performs its final flip-flop in its yearslong quest to kill tracking cookies.

Enterprises using Commvault Innovation Release are urged to patch immediately against CVE-2025-34028. This critical flaw allows attackers to…

A flaw was discovered in Moodle. Additional checks were required to ensure that users can only access cohort data they are authorized to retrieve.

A flaw was found in Moodle. The analysis request action in the Brickfield tool did not include the necessary token to prevent a Cross-site request forgery (CSRF) risk.