#auth

The ABB Cylon Aspect BMS/BAS controller suffers from an authenticated stored cross-site scripting (XSS) vulnerability. This can be exploited by uploading a malicious .txt file containing an XSS payload, which is stored on the server and served back to users. Although the filename is sanitized via the filename POST parameter, the file contents are not inspected or sanitized, allowing attackers to inject arbitrary client-side scripts that execute in the context of any user accessing the infected file or related web page (license.php). To bypass file upload checks, the request must include the Variant string, enabling the upload process for potential exploitation.

SUMMARY Cybersecurity researchers at Check Point detected a new version of Banshee Stealer in late September 2024, distributed…

Since 2019, MirrorFace has been stealing information from myriad Japanese organizations to gain leverage over Japan in the event of hostilities between the two countries, experts said.

The most recent iteration of the open source infostealer skates by antivirus programs on Macs, using an encryption mechanism stolen from Apple's own antivirus product.

An issue in the component src/api/identity.rs of Vaultwarden prior to v1.32.5 allows attackers to impersonate users, including Administrators, via a crafted authorization request.

Vaultwarden v1.32.5 was discovered to contain an authenticated reflected cross-site scripting (XSS) vulnerability via the component /api/core/mod.rs.

An HTML injection vulnerability in Vaultwarden prior to v1.32.5 allows attackers to execute arbitrary code via injecting a crafted payload into the username field of an e-mail message.

The attack used a stolen remote support SaaS API key to exfiltrate data from workstations in the Treasury Department's Office of Foreign Assets Control.

A hack of location data company Gravy Analytics has revealed which apps are—knowingly or not—being used to collect your information behind the scenes.

**Vulnerability Summary** A type confusion vulnerability exists in Strawberry GraphQL's relay integration that affects multiple ORM integrations (Django, SQLAlchemy, Pydantic). The vulnerability occurs when multiple GraphQL types are mapped to the same underlying model while using the relay `node` interface. **Affected Components** - Strawberry GraphQL relay integration - Specifically impacts implementations using: - Django integration - SQLAlchemy integration - Pydantic integration **Technical Details** The vulnerability manifests when: 1. Multiple GraphQL types inherit from `relay.Node` 2. These types are mapped to the same database model 3. The global `node` field is used for type resolution Example of vulnerable code: ```python from fruits.models import Fruit import strawberry_django import strawberry @strawberry_django.type(Fruit) class FruitType(relay.Node): name: strawberry.auto @strawberry_django.type(Fruit) class SpecialFruitType(relay.Node): secret_name: ...