#auth

### Impact OctoPrint versions up until and including 1.11.1 contain a vulnerability that allows any unauthenticated attacker to send a manipulated broken `multipart/form-data` request to OctoPrint and through that make the web server component become unresponsive. This could be used to effectively run a denial of service attack on the OctoPrint server. ### Patches The vulnerability has been patched in version 1.11.2. ### Workaround OctoPrint administrators are once more reminded to not make OctoPrint available on hostile networks (e.g. the internet), regardless of whether this vulnerability is patched or not. ### Details The issue can be triggered by a broken `multipart/form-data` request lacking an end boundary to any of OctoPrint's endpoints implemented through the `octoprint.server.util.tornado.UploadStorageFallbackHandler` request handler. The request handler will get stuck in an endless busy loop, looking for a part of the request that will never come. As Tornado is single-...

### Impact GeoNetwork WFS Index functionality is affected by GeoTools XML External Entity (XXE) vulnerability during schema validation. This vulnerability is particularly severe as the REST API endpoint was not secured, potentially allowing unauthenticated attackers to read sensitive files ### Patches GeoNetwork 4.4.8 / 4.2.13. ### Workarounds Remove the ``gn-wfsfeature-harvester`` and ``gn-camelPeriodicProducer`` jars, disabling the WFS Index functionality. ### References - [GHSA-826p-4gcg-35vw](https://github.com/geotools/geotools/security/advisories/GHSA-826p-4gcg-35vw) - https://github.com/geonetwork/core-geonetwork/pull/8757 - https://github.com/geonetwork/core-geonetwork/pull/8803 - https://github.com/geonetwork/core-geonetwork/pull/8812

## Summary GeoServer Web Feature Service (WFS) web service was found to be vulnerable to GeoTools CVE-2025-30220 XML External Entity (XXE) processing attack. It is possible to trigger the parsing of external DTDs and entities, bypassing standard entity resolvers. This allows for Out-of-Band (OOB) data exfiltration of local files accessible by the GeoServer process, and Service Side Request Forgery (SSRF). ## Details While direct entity resolution is managed by application property ENTITY_RESOLUTION_ALLOWLIST for XML Parsing, this restriction was not being used by the GeoTools library when building an in-memory XSD Library Schema representation. This bypasses GeoServer's AllowListEntityResolver enabling XXE attacks. ## PoC No public PoC is provided but this vulnerability has been confirmed to be exploitable through WFS service. ## Impact * Information Disclosure: This vulnerability allows unauthenticated attackers to read arbitrary files from the server's filesystem that a...

### Summary Malicious Jiffle scripts can be executed by GeoServer, either as a rendering transformation in WMS dynamic styles or as a WPS process, that can enter an infinite loop to trigger denial of service. ### Details The Jiffle language supports multiple loop constructs that will cause its code block to be continuously executed until a certain condition is met. The Jiffle runtime should be updated to throw an exception if the script exceeds a certain number of loop iterations. ### Impact This vulnerability allows attackers to conduct denial-of-service attacks. ### Mitigation This vulnerability can be mitigated by disabling WMS dynamic styling (see [WMS Settings](https://docs.geoserver.org/latest/en/user/services/wms/webadmin.html#disabling-usage-of-dynamic-styling-in-getmap-getfeatureinfo-and-getlegendgraphic-requests)). If the WPS extension is installed, the Jiffle process must also be disabled to mitigate this vulnerability (see [WPS Settings](https://docs.geoserver.org/latest...

### Summary It is possible to bypass the default REST API security and access the index page. ### Details The REST API security handles `rest` and its subpaths but not `rest` with an extension (e.g., `rest.html`). ### Impact The REST API index can disclose whether certain extensions are installed. ### Workaround In `${GEOSERVER_DATA_DIR}/security/config.xml`, change the paths for the `rest` filter to `/rest.*,/rest/**` and change the paths for the `gwc` filter to `/gwc/rest.*,/gwc/rest/**` and restart GeoServer. ### References https://osgeo-org.atlassian.net/browse/GEOS-11664 https://osgeo-org.atlassian.net/browse/GEOS-11776 https://github.com/geoserver/geoserver/pull/8170

Erxes <1.6.1 is vulnerable to Incorrect Access Control. An attacker can bypass authentication by providing a "User" HTTP header that contains any user, allowing them to talk to any GraphQL endpoint.

In Erxes <1.6.2, an authenticated attacker can write to arbitrary files on the system using a Path Traversal vulnerability in the importHistoriesCreate GraphQL mutation handler.

In Erxes <1.6.2, an unauthenticated attacker can read arbitrary files from the system using a Path Traversal vulnerability in the /read-file endpoint handler.

Cybersecurity researchers have uncovered over 20 configuration-related risks affecting Salesforce Industry Cloud (aka Salesforce Industries), exposing sensitive data to unauthorized internal and external parties. The weaknesses affect various components like FlexCards, Data Mappers, Integration Procedures (IProcs), Data Packs, OmniOut, and OmniScript Saved Sessions. "Low-code platforms such as

OpenAI, a leading artificial intelligence company, has revealed it is actively fighting widespread misuse of its AI tools…