#auth

A newly disclosed high-severity security flaw impacting OttoKit (formerly SureTriggers) has come under active exploitation within a few hours of public disclosure. The vulnerability, tracked as CVE-2025-3102 (CVSS score: 8.1), is an authorization bypass bug that could permit an attacker to create administrator accounts under certain conditions and take control of susceptible websites. "The

An authenticated system user at the root, namespace, or database levels can use the `DEFINE ANALYZER` statement to point to arbitrary file locations on the file system, and should the file be tab separated with two columns, the analyzer can be leveraged to exfiltrate the content. This issue was discovered and patched during an code audit and penetration test of SurrealDB by cure53, the severity defined within cure53's preliminary finding is Low, matched by our CVSS v4 assessment. ### Impact Limited to unauthorised access to 2 column TSV files on the file system ### Patches A patch has been created that introduces a new environment variable, `SURREAL_FILE_ALLOWLIST` , which contains a list of allowed file paths. When a mapping file is processed, the mapper checks if the file’s path is within one of the allowed paths. - Versions 2.1.5, 2.2.2 and later are not affected by this issue. ### Workarounds Users unable to update may want to limit those with root, namespace, or database leve...

In order to prevent DoS situations due to infinite recursions, SurrealDB implements a limit of nested calls for both native functions and embedded JavaScript functions. However, in SurrealDB instances with embedded scripting functions enabled, it was found that this limit can be circumvented by utilizing both at the same time. If a native function contains JavaScript which issues a new query that calls that function, the recursion limit is not triggered. Once executed, SurrealDB will follow the path of infinite recursions until the system runs out of memory, prior to the recursion limit being triggered. This vulnerability can only affect SurrealDB servers explicitly enabling the scripting capability with `--allow-scripting` or `--allow-all` and equivalent environment variables `SURREAL_CAPS_ALLOW_SCRIPT=true` and `SURREAL_CAPS_ALLOW_ALL=true`. This issue was discovered and patched during an code audit and penetration test of SurrealDB by cure53, the severity defined within cure53'...

A vulnerability was found where an attacker can crash the database via crafting a HTTP query that returns a null byte. The problem relies on an uncaught exception in the `net` module, where the result of the query will be converted to JSON before showing as the HTTP response to the user in the **/sql** endpoint. ### Impact This vulnerability allows any authenticated user to crash a SurrealDB instance by sending a crafted query with a null byte to the /sql endpoint. Where SurrealDB is used as an application backend, it is possible that an application user can crash the SurrealDB instance and thus the supported application through crafted inputs that exploit this attack vector. ### Patches A patch has been introduced that ensures the error is caught and converted as an error. - Versions 2.2.2, 2.1.5 and 2.0.5 and later are not affected by this isssue ### Workarounds Affected users who are unable to update may want to limit the ability of untrusted clients to run arbitrary queries ...

Managing permissions and authorizations across dozens or hundreds of cloud services and platforms poses significant headaches for companies. An open specification aims to change that.

### Impact User enumeration is possible by performing a timing attack on the login or password reset pages with user credentials. This was originally disclosed in https://www.silverstripe.org/download/security-releases/ss-2017-005/ for CMS 3 but was not patched in CMS 4+ ### References - https://www.silverstripe.org/download/security-releases/ss-2017-005 - https://www.silverstripe.org/download/security-releases/ss-2025-001

Mattermost versions 9.11.x <= 9.11.8  fail to enforce proper access controls on the /api/v4/audits endpoint, allowing users with delegated granular administration roles who lack access to Compliance Monitoring to retrieve User Activity Logs.

Authorities arrest 5 Smokeloader botnet customers after Operation Endgame; evidence from seized data links customers to malware, ransomware, and more.

China-based purveyors of SMS phishing kits are enjoying remarkable success converting phished payment card data into mobile wallets from Apple and Google. Until recently, the so-called “Smishing Triad” mainly impersonated toll road operators and shipping companies. But experts say these groups are now directly targeting customers of international financial institutions, while dramatically expanding their cybercrime infrastructure and support staff.

Cisco Talos has observed a widespread and ongoing financial theft SMS phishing (smishing) campaign since October 2024 that targets toll road users in the United States of America.