Security
Headlines
HeadlinesLatestCVEs

Tag

#auth

GHSA-7f2v-3qq3-vvjf: Vega Cross-Site Scripting (XSS) via expressions abusing toString calls in environments using the VEGA_DEBUG global variable

## Impact Applications meeting 2 conditions are at risk of arbitrary JavaScript code execution, even if "safe mode" [expressionInterpreter](https://vega.github.io/vega/usage/interpreter/) is used. 1. Use `vega` in an application that attaches `vega` library and a `vega.View` instance similar to the Vega [Editor](https://github.com/vega/editor) to the global `window` 2. Allow user-defined Vega `JSON` definitions (vs JSON that was is only provided through source code) ## Patches - If using latest Vega line (6.x) - `vega` `6.2.0` / `vega-expression` `6.1.0` / `vega-interpreter` `2.2.1` (if using AST evaluator mode) - If using Vega in a non-ESM environment - ( `vega-expression` `5.2.1` / `1.2.1` (if using AST evaluator mode) ## Workarounds _Is there a way for users to fix or remediate the vulnerability without upgrading_ - Do not attach `vega` View instances to global variables, as Vega editor used to do [here](https://github.com/vega/editor/blob/e102355589d23cdd0dbfd607a2cc5...

ghsa
Open in Source
#xss#vulnerability#js#git#java#auth
GHSA-8wj8-cfxr-9374: AWS Advanced NodeJS Wrapper: Privilege Escalation in Aurora PostgreSQL instance

### Description of Vulnerability: An issue in AWS Wrappers for Amazon Aurora PostgreSQL may allow for privilege escalation to rds_superuser role. A low privilege authenticated user can create a crafted function that could be executed with permissions of other Amazon Relational Database Service (RDS) users. AWS recommends that customers upgrade to the following version: AWS NodeJS Wrapper to v2.0.1. ### Source of Vulnerability Report: Allistair Ishmael Hakim [allistair.hakim@gmail.com](mailto:allistair.hakim@gmail.com) ### Affected products & versions: AWS NodeJS Wrapper < 2.0.1. ### Platforms: MacOS/Windows/Linux

GHSA-7wq2-32h4-9hc9: AWS Advanced Go Wrapper: Privilege Escalation in Aurora PostgreSQL Instance

### Description of Vulnerability: An issue in AWS Wrappers for Amazon Aurora PostgreSQL may allow for privilege escalation to rds_superuser role. A low privilege authenticated user can create a crafted function that could be executed with permissions of other Amazon Relational Database Service (RDS) users. AWS recommends customers upgrade to the following versions: AWS Go Wrapper to 2025-10-17. ### Source of Vulnerability Report: Allistair Ishmael Hakim [allistair.hakim@gmail.com](mailto:allistair.hakim@gmail.com) ### Affected products & versions: AWS Go Wrapper < 2025-10-17. ### Platforms: MacOS/Windows/Linux

GHSA-7xw4-g7mm-r4hh: Amazon Web Services Advanced JDBC Wrapper: Privilege Escalation in Aurora PostgreSQL instance

### Description of Vulnerability: An issue in AWS Wrappers for Amazon Aurora PostgreSQL may allow for privilege escalation to rds_superuser role. A low privilege authenticated user can create a crafted function that could be executed with permissions of other Amazon Relational Database Service (RDS) users. AWS recommends for customers to upgrade to the following versions: AWS JDBC Wrapper to v2.6.5 or greater. ### Source of Vulnerability Report: Allistair Ishmael Hakim [allistair.hakim@gmail.com](mailto:allistair.hakim@gmail.com) ### Affected products & versions: AWS JDBC Wrapper < 2.6.5 ### Platforms: MacOS/Windows/Linux

GHSA-4jvf-wx3f-2x8q: AWS Advanced Python Wrapper: Privilege Escalation in Aurora PostgreSQL instance

### Description of Vulnerability: An issue in AWS Wrappers for Amazon Aurora PostgreSQL may allow for privilege escalation to rds_superuser role. A low privilege authenticated user can create a crafted function that could be executed with permissions of other Amazon Relational Database Service (RDS) users. AWS recommends customers upgrade to the following versions: AWS Python Wrapper to v1.4.0 ### Source of Vulnerability Report: Allistair Ishmael Hakim <allistair.hakim@gmail.com> ### Affected products & versions: AWS Python Wrapper < 1.4.0 ### Platforms: MacOS/Windows/Linux

How Adversaries Exploit the Blind Spots in Your EASM Strategy

Internet-facing assets like domains, servers, or networked device endpoints are where attackers look first, probing their target’s infrastructure…

GHSA-mqcj-8c2g-h97q: Mattermost Incorrect Authorization vulnerability

Mattermost versions 10.11.x <= 10.11.3, 10.5.x <= 10.5.11 fail to properly validate team membership permissions in the Add Channel Member API, which allows users from one team to access user metadata and channel membership information from other teams via the API endpoint.

GHSA-7m9g-pmxf-m9m8: Keycloak allows Binding to an Unrestricted IP Address

A vulnerability exists in Keycloak's server distribution where enabling debug mode (--debug <port>) insecurely defaults to binding the Java Debug Wire Protocol (JDWP) port to all network interfaces (0.0.0.0). This exposes the debug port to the local network, allowing an attacker on the same network segment to attach a remote debugger and achieve remote code execution within the Keycloak Java virtual machine.

Ilevia EVE X1/X5 Server 4.7.18.0.eden Authenticated Remote Command Injections

The EVE X1/X5 server suffers from multiple authenticated OS command injection vulnerabilities. This can be exploited to inject and execute arbitrary shell commands through multiple scripts affecting multiple parameters.

Operation Endgame Hits Rhadamanthys, VenomRAT, Elysium Malware, seize 1025 servers

Europol-led Operation Endgame seizes 1,025 servers and arrests a key suspect in Greece, disrupting three major global malware and hacking tools, including Rhadamanthys, VenomRAT and Elysium botnet.