#auth

### Summary A stored cross-site scripting (XSS) vulnerability exists that allows users with `upload files` and `edit item` permissions to inject malicious JavaScript through the Block Editor interface. Attackers can bypass Content Security Policy (CSP) restrictions by combining file uploads with iframe srcdoc attributes, resulting in persistent XSS execution. ### Details The vulnerability arises from insufficient sanitization in the Block Editor interface when processing JSON content containing HTML elements. The attack requires two permissions: - `upload files` - To upload malicious JavaScript files - `edit item` - To create or modify content with the Block Editor **Attack Vector:** 1. **JavaScript File Upload**: Attackers upload a malicious JavaScript file via the files endpoint, obtaining a file ID accessible through the assets directory 2. **Block Editor Exploitation**: Using a JSON field with Block Editor interface, attackers inject raw HTML containing an iframe with srcdoc ...

### Summary Directus does not properly clean up field-level permissions when a field is deleted. If a new field with the same name is created later, the system automatically re-applies the old permissions, which can lead to unauthorized access. ### Details When a field is removed from a collection, its reference in the permissions table remains intact. This stale reference creates a security gap: if another field is later created using the same name, it inherits the outdated permission entry. This behavior can unintentionally grant roles access to data they should not be able to read or modify. The issue is particularly risky in multi-tenant or production environments, where administrators may reuse field names, assuming old permissions have been fully cleared. 1. Create a collection named test_collection. 2. Add a field called secret_field. 3. Assign a role with read permissions specifically tied to secret_field. 4. Remove the secret_field from the collection. 5. Create a ne...

### Summary A vulnerability in ZITADEL's federation process allowed auto-linking users from external identity providers to existing users in ZITADEL even if the corresponding IdP was not active or if the organization did not allow federated authentication. ### Impact This vulnerability stems from the platform's failure to correctly check or enforce an organization's specific security settings during the authentication flow. An Organization Administrator can explicitly disable an IdP or disallow federation, but this setting was not being honored during the auto-linking process. This allowed an unauthenticated attacker to initiate a login using an IdP that should have been disabled for that organization. The platform would incorrectly validate the login and, based on a matching criteria, link the attacker's external identity to an existing internal user account. This may result in a full Account Takeover, bypassing the organization's mandated security controls. Note that accounts wi...

### Summary Bypass of Password Confirmation - Unverified Password Change (authenticated change without current password) An authenticated user is allowed to change their account password without supplying the current password or any additional verification. The application does not verify the actor’s authority to perform that credential change (no current-password check, no authorization enforcement). An attacker who is merely authenticated (or who can trick or coerce an authenticated session) can set a new password and gain control of the account. (ATO - Account Takeover) ### Details Occurence - code: https://github.com/FlowiseAI/Flowise/blob/main/packages/ui/src/views/account/index.jsx#L278 Remote and physical scenarios can be considered. ### PoC **Repro steps:** 1. As logged in user https://cloud.flowiseai.com/account scroll down to 'Security' section 2. Change password to the new password 3. Notice Unverified Password Change (authenticated change without current password) **P...

### Summary Unverified Email Change - Email as part of Credential / Unverified Account Recovery Channel Change The application allows changing the account email address (used as a login identifier and/or password recovery address) without verifying the requester’s authority to make that change (no confirmation to the old email, no authentication step). Because email often functions as a credential or recovery channel, unverified email changes enable attackers to take over accounts by switching the account’s recovery/login address. ### Details Occurence - code: https://github.com/FlowiseAI/Flowise/blob/main/packages/ui/src/views/account/index.jsx#L211 Remote and physical scenarios can be considered. ### PoC **Repro steps:** 1. As logged in user https://cloud.flowiseai.com/account scroll down to 'Profile' section 2. Change email to the new email 3. Notice Unverified Password Change (authenticated change without current password) Later this email is needed as credentials to log in or...

### Summary Failure to Invalidate Existing Sessions After Password Change (Persistent Session / Session Invalidity Failure). ### Details After a user changes their password, the application does not invalidate other active sessions or session tokens that were established before the change. An attacker who already has an active session (e.g., via a stolen session token, device left logged in, or other access) continues to be authenticated even after the legitimate user rotates credentials, allowing the attacker to retain access despite the user’s password change. ### PoC **Repro steps:** 1. As logged in user on two browsers (ie. Chrome and Firefox, with incognito/private mode) https://cloud.flowiseai.com/account change password, on the Chrome for example 2. Refresh the site on Firefox (second browser) - notice that still logged in (despite credentials were changed) **POC:** Steps described above (in Repro steps) completed successfully. ### Impact Persistent unauthorized access despi...

### Summary When a customer changes their email address after requesting a password reset, the old password reset link (tied to the previous email) remains valid. An attacker with access to the old email inbox is potentially able to reset the customer’s password even after the user changes their email address. ### PoC 1. Log in to a Shopware account. 2. Request a password reset for your current email address. 3. Copy the password reset link but do not open it. 4. Log back into your account.n 5. Navigate to Account Settings → Email and change your email address. 6. Use the previously copied reset link (from before the email change). 7. The system allows password change using the old link. ### Impact Reproduced on Stable 6.6.10.7 and trunk.

## Summary An unauthenticated Local File Inclusion exists in the template-switching feature: if `templateselection` is enabled in the configuration, the server trusts the `template` cookie and includes the referenced PHP file. An attacker can read sensitive data or, if they manage to drop a PHP file elsewhere, gain RCE. ## Affected versions PrivateBin versions since 1.7.7. ## Conditions - `templateselection` got enabled in `cfg/conf.php` - Visitor sets a cookie `template` pointing to an existing PHP file without it's suffix, using a path relative to the `tpl` folder. Absolute paths do not work. ## Impact The constructed path of the template file is checked for existence, then included. For PrivateBin project files this does not leak any secrets due to data files being created with PHP code that prevents execution, but if a configuration file without that line got created or the visitor figures out the relative path to a PHP script that directly performs an action without appropr...

A new US law enforcement initiative is aimed at crypto fraudsters targeting Americans—and now seeks to seize infrastructure it claims is crucial to notorious scam compounds.

npm package `expr-eval` is vulnerable to Prototype Pollution. An attacker with access to express eval interface can use JavaScript prototype-based inheritance model to achieve arbitrary code execution. The npm expr-eval-fork package resolves this issue.