Security
Headlines
HeadlinesLatestCVEs

Tag

#auth

GHSA-49v8-p6mm-3pfj: Vipshop Saturn Console Vulnerable to SQL Injection via ClusterKey Component

SQL injection vulnerability in vipshop Saturn v.3.5.1 and before allows a remote attacker to execute arbitrary code via /console/dashboard/executorCount?zkClusterKey component.

ghsa
Open in Source
#sql#vulnerability#web#auth
79 Arrested as Dark Web’s Largest Child Abuse Network ‘Kidflix’ Busted

Dark web child abuse hub ‘Kidflix’ dismantled in global operation. 1.8M users, 91,000+ CSAM videos exposed. 79 arrests, 39 children rescued.

Cybersecurity Professor Faced China-Funding Inquiry Before Disappearing, Sources Say

A lawyer for Xiaofeng Wang and his wife says they are “safe” after FBI searches of their homes and Wang’s sudden dismissal from Indiana University, where he taught for over 20 years.

GHSA-mqqg-xjhj-wfgw: Stored XSS in Miniflux when opening a broken image due to unescaped ServerError in proxy handler

### Impact Since [v2.0.25](https://github.com/miniflux/v2/releases/tag/2.0.25), Miniflux will automatically [proxy](https://miniflux.app/docs/configuration.html#proxy-images) images served over HTTP to prevent mixed content errors. When an outbound request made by the Go HTTP client fails, the `html.ServerError` is [returned](https://github.com/miniflux/v2/blob/b2fd84e0d376a3af6329b9bb2e772ce38a25c31c/ui/proxy.go#L76) unescaped without the expected Content Security Policy [header](https://github.com/miniflux/v2/blob/b2fd84e0d376a3af6329b9bb2e772ce38a25c31c/ui/proxy.go#L90) added to valid responses. By creating an RSS feed item with the inline description containing an `<img>` tag with a `srcset` attribute pointing to an invalid URL like `http:a<script>alert(1)</script>`, we can coerce the proxy handler into an error condition where the invalid URL is returned unescaped and in full. This results in JavaScript execution on the Miniflux instance as soon as the user is convinced (e.g. ...

GHSA-3qjf-qh38-x73v: Unauthenticated Miniflux user can bypass allowed networks check to obtain Prometheus metrics

### Impact An unauthenticated user can retrieve Prometheus metrics from a publicly reachable Miniflux instance where the `METRICS_COLLECTOR` [configuration option](https://miniflux.app/docs/configuration.html#metrics-collector) is enabled and `METRICS_ALLOWED_NETWORKS` is set to `127.0.0.1/8` (the default). ### Patches PR #1745 fixes the problem. Available in Miniflux >= 2.0.43. ### Workarounds Set `METRICS_COLLECTOR` to `false` (default) or run Miniflux behind a trusted reverse-proxy. ### References - https://miniflux.app/docs/configuration.html#metrics-collector - https://miniflux.app/docs/configuration.html#metrics-allowed-networks

GHSA-x9hj-q7xv-fv4v: Jenkins Cadence vManager Plugin Stores Verisium Manager vAPI keys Unencrypted

Jenkins Cadence vManager Plugin 4.0.0-282.v5096a_c2db_275 and earlier stores Verisium Manager vAPI keys unencrypted in job `config.xml` files on the Jenkins controller as part of its configuration. These API keys can be viewed by users with Item/Extended Read permission or access to the Jenkins controller file system. Cadence vManager Plugin 4.0.1-286.v9e25a_740b_a_48 stores Verisium Manager vAPI keys encrypted once affected job configurations are saved again.

GHSA-wr6w-jxg7-qpfh: Jenkins Missing Permission Check

Jenkins 2.503 and earlier, LTS 2.492.2 and earlier does not perform a permission check in an HTTP endpoint. This allows attackers with Computer/Create permission but without Computer/Configure permission to copy an agent, gaining access to encrypted secrets in its configuration. This is due to an incomplete fix of [SECURITY-3495](https://www.jenkins.io/security/advisory/2025-03-05/#SECURITY-3495)/CVE-2025-27622. Jenkins 2.504, LTS 2.492.3 requires Computer/Configure permission to copy an agent containing secrets.

GHSA-hcfh-qjcp-34q9: Jenkins Simple Queue Plugin Cross-Site Request Forgery (CSRF)

Jenkins Simple Queue Plugin 1.4.6 and earlier does not require POST requests for multiple HTTP endpoints, resulting in cross-site request forgery (CSRF) vulnerabilities. These vulnerabilities allow attackers to change and reset the build queue order. Simple Queue Plugin 1.4.7 requires POST requests for the affected HTTP endpoints. Administrators can enable equivalent HTTP endpoints without CSRF protection via the global configuration.

GHSA-2wxq-944j-5g2v: Jenkins Stack Hammer Plugin Stores API Keys Unencrypted in Job `config.xml` Files

Jenkins Stack Hammer Plugin 1.0.6 and earlier stores Stack Hammer API keys unencrypted in job `config.xml` files on the Jenkins controller as part of its configuration. These API keys can be viewed by users with Item/Extended Read permission or access to the Jenkins controller file system. As of publication of this advisory, there is no fix.

GHSA-g65g-fmcp-4w68: Jenkins monitor-remote-job Plugin Stores Passwords Unencrypted

Jenkins monitor-remote-job Plugin 1.0 stores passwords unencrypted in job `config.xml` files on the Jenkins controller as part of its configuration. These passwords can be viewed by users with Item/Extended Read permission or access to the Jenkins controller file system. As of publication of this advisory, there is no fix.