#auth

### Impact Users with an enabled repository with access to repo level CI secrets in Vela are vulnerable to the exploit. Any user with access to the CI instance and the linked source control manager can perform the exploit. ### Method By spoofing a webhook payload with a specific set of headers and body data, an attacker could transfer ownership of a repository and its repo level secrets to a separate repository. These secrets could be exfiltrated by follow up builds to the repository. ### Patches `v0.26.3` — Image: `target/vela-server:v0.26.3` `v0.25.3` — Image: `target/vela-server:v0.25.3` ### Workarounds _Is there a way for users to fix or remediate the vulnerability without upgrading?_ There are no workarounds to the issue. ### References _Are there any links users can visit to find out more?_ Please see linked CWEs (common weakness enumerators) for more information.

The telecom industry is at a major turning point. With 5G, IoT, and AI reshaping global connectivity, the…

Concrete CMS versions 9.0.0 through 9.3.9 are affected by a stored XSS in Folder Function.The "Add Folder" functionality lacks input sanitization, allowing a rogue admin to inject XSS payloads as folder names.  The Concrete CMS security team gave this vulnerability a CVSS 4.0 Score of 4.8 with vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:L/VI:N/VA:N/SC:L/SI:N/SA:N. Versions below 9 are not affected. Thanks, Alfin Joseph for reporting.

This vulnerability is caused by the improper mapping of users to organizations based solely on email/username patterns. The issue is limited to the token claim level, meaning the user is not truly added to the organization but may appear as such in applications relying on these claims. The risk increases in scenarios where self-registration is enabled and unrestricted, allowing an attacker to exploit the naming pattern. The issue is mitigated if admins restrict registration or use strict validation mechanisms.

The issue arises because Keycloak does not perform an LDAP bind after a password reset, leading to potential authentication bypass for expired or disabled AD accounts. A fix should enforce LDAP validation after password updates to ensure consistency with AD authentication policies.

### Summary Stored Cross-Site Scripting (XSS) vulnerability allows attackers to inject malicious scripts into web applications, which can then be executed in the context of other users' browsers. This can lead to unauthorized access to sensitive information, session hijacking, and spreading of malware, impacting user data privacy and application integrity. ### Details A user with rights to modificate the service (e.g. kuiperUser role) can inject XSS Payload into Rule `id` parameter. Then, after any user with access to this service (e.g. admin) will try make any modifications with the rule (update, run, stop, delete), a payload will act in victim's browser. The issue appears as the notification to user is made in an insafe way: https://github.com/lf-edge/ekuiper/blob/dbce32d5a195cf1de949b3a6a4e29f0df0f3330d/internal/server/rest.go#L681 https://github.com/lf-edge/ekuiper/blob/dbce32d5a195cf1de949b3a6a4e29f0df0f3330d/internal/server/rest.go#L716 https://github.com/lf-edge/ekuiper/bl...

Nomad Community and Nomad Enterprise (“Nomad”) are vulnerable to unintentional exposure of the workload identity token and client secret token in audit logs. This vulnerability, identified as CVE-2025-1296, is fixed in Nomad Community Edition 1.9.7 and Nomad Enterprise 1.9.7, 1.8.11, and 1.7.19.

An issue in canvg v.4.0.2 can lead to prototype pollution via the Constructor of the class StyleElement.

## Description The LocalS3 project, which implements an S3-compatible storage interface, contains a critical XML External Entity (XXE) Injection vulnerability in its XML parsing functionality. When processing XML requests for multipart upload operations, the application accepts and processes XML external entities, allowing an attacker to read local system files and potentially make outbound network connections. The vulnerability exists because the XML parser is configured to process external entities and DTD (Document Type Definition) declarations without proper restrictions. This allows an attacker to define external entities that can read local files and exfiltrate their contents through outbound HTTP requests. The vulnerability is particularly severe as it allows direct access to sensitive files on the filesystem, bypassing any directory traversal protections that might be in place for normal S3 operations. ## Steps to Reproduce 1. Create a malicious DTD file containing the fol...

## Description The LocalS3 project, an S3-compatible storage service, is vulnerable to XML External Entity (XXE) injection through its bucket tagging API. The vulnerability exists because the application processes XML input without properly disabling external entity resolution. When processing XML data for bucket tagging operations, the application allows the definition and resolution of external entities. This vulnerability allows an attacker to read arbitrary files from the server's filesystem by defining an external entity that references local files. The vulnerability is particularly severe because it allows direct access to sensitive files on the server's filesystem, bypassing any intended access controls. The XXE vulnerability can be exploited to read any file that the application process has access to, potentially exposing sensitive configuration files, credentials, or other confidential information. ## Steps to Reproduce 1. Create a bucket in the LocalS3 service using any S3...