Tag
#git
Unauthenticated users can trigger database backup operations via specific admin actions, potentially leading to resource exhaustion or information disclosure. Users should update to the patched versions (5.8.21 and 4.16.17) to mitigate the issue. Craft 3 users should update to the latest Craft 4 and 5 releases, which include the fixes. Resources: https://github.com/craftcms/cms/commit/f83d4e0c6b906743206b4747db4abf8164b8da39 https://github.com/craftcms/cms/blob/5.x/CHANGELOG.md#5821---2025-12-04 ## Affected Endpoints - `POST /admin/actions/app/migrate` (unauthenticated) - `POST /admin/actions/updater/backup` ## Vulnerability Details ### Root Cause Certain admin actions are explicitly configured with anonymous access: ```php // AppController.php protected array|bool|int $allowAnonymous = [ 'migrate' => self::ALLOW_ANONYMOUS_LIVE | self::ALLOW_ANONYMOUS_OFFLINE, // ... ]; // BaseUpdaterController.php protected array|bool|int $allowAnonymous = self::ALLOW_ANONYMOUS_L...
For this to work, users must have administrator access to the Craft Control Panel, and [allowAdminChanges](https://craftcms.com/docs/5.x/reference/config/general.html#allowadminchanges) must be enabled for this to work, which is against Craft CMS' recommendations for any non-dev environment. https://craftcms.com/knowledge-base/securing-craft#set-allowAdminChanges-to-false-in-production Alternatively, a non-administrator account with allowAdminChanges disabled can be used, provided access to the System Messages utility is available. It is possible to craft a malicious payload using the Twig `map` filter in text fields that accept Twig input under Settings in the Craft control panel or using the System Messages utility, which could lead to a RCE. Users should update to the patched versions (5.8.21 and 4.16.17) to mitigate the issue. References: https://github.com/craftcms/cms/commit/d82680f4a05f9576883bb83c3f6243d33ca73ebe https://github.com/craftcms/cms/blob/5.x/CHANGELOG.md#5821...
Security experts at Zenity Labs warn that Anthropic’s new agentic browser extension, Claude in Chrome, could bypass traditional web security, exposing private data and login tokens to potential hijackers.
The Craft CMS GraphQL `save_<VolumeName>_Asset` mutation is vulnerable to Server-Side Request Forgery (SSRF). This vulnerability arises because the `_file` input, specifically its `url` parameter, allows the server to fetch content from arbitrary remote locations without proper validation. Attackers can exploit this by providing internal IP addresses or cloud metadata endpoints as the `url`, forcing the server to make requests to these restricted services. The fetched content is then saved as an asset, which can subsequently be accessed and exfiltrated, leading to potential data exposure and infrastructure compromise. This exploitation requires specific GraphQL permissions for asset management within the targeted volume. Users should update to the patched 5.8.21 and 4.16.17 releases to mitigate the issue. References: https://github.com/craftcms/cms/commit/013db636fdb38f3ce5657fd196b6d952f98ebc52 https://github.com/craftcms/cms/blob/5.x/CHANGELOG.md#5821---2025-12-04 --- ### Requi...
The Russia-aligned threat actor known as UAC-0184 has been observed targeting Ukrainian military and government entities by leveraging the Viber messaging platform to deliver malicious ZIP archives. "This organization has continued to conduct high-intensity intelligence gathering activities against Ukrainian military and government departments in 2025," the 360 Threat Intelligence Center said in
Authenticated users on a Craft installation could potentially expose sensitive assets via their user profile photo via maliciously crafted requests. Users should update to the patched versions (5.8.21 and 4.16.17) to mitigate the issue. Resources: https://github.com/craftcms/cms/commit/4bcb0db554e273b66ce3b75263a13414c2368fc9 https://github.com/craftcms/cms/commit/4bcb0db554e273b66ce3b75263a13414c2368fc9
### Impact User control of the first argument of the loadFile method in the node.js build allows local file inclusion/path traversal. If given the possibility to pass unsanitized paths to the loadFile method, a user can retrieve file contents of arbitrary files in the local file system the node process is running in. The file contents are included verbatim in the generated PDFs. Other affected methods are: `addImage`, `html`, `addFont`. Only the node.js builds of the library are affected, namely the `dist/jspdf.node.js` and `dist/jspdf.node.min.js` files. Example attack vector: ```js import { jsPDF } from "./dist/jspdf.node.js"; const doc = new jsPDF(); doc.addImage("./secret.txt", "JPEG", 0, 0, 10, 10); doc.save("test.pdf"); // the generated PDF will contain the "secret.txt" file ``` ### Patches The vulnerability has been fixed in jsPDF@4.0.0. This version restricts file system access per default. This semver-major update does not introduce other breaking changes. ### Workaro...
Improper Restriction of XML External Entity Reference vulnerability in Apache SIS. It is possible to write XML files in such a way that, when parsed by Apache SIS, an XML file reveals to the attacker the content of a local file on the server running Apache SIS. This vulnerability impacts the following SIS services: * Reading of GeoTIFF files having the GEO_METADATA tag defined by the Defense Geospatial Information Working Group (DGIWG). * Parsing of ISO 19115 metadata in XML format. * Parsing of Coordinate Reference Systems defined in the GML format. * Parsing of files in GPS Exchange Format (GPX). This issue affects Apache SIS from versions 0.4 through 1.5 inclusive. Users are recommended to upgrade to version 1.6, which will fix the issue. In the meantime, the security vulnerability can be avoided by launching Java with the javax.xml.accessExternalDTD system property sets to a comma-separated list of authorized protocols. For example: java -Djavax.xml.ac...
### Summary In 2025, several vulnerabilities in the Go Standard Library were disclosed, impacting Go-based applications like flagd (the evaluation engine for OpenFeature). These CVEs primarily focus on Denial of Service (DoS) through resource exhaustion and Race Conditions in database handling. | CVE ID | Impacted Package | Severity | Description & Impact on flagd | | -- | -- | -- | -- | | CVE-2025-47907 | database/sql | 7.0 (High) | Race Condition: Canceling a query during a Scan call can return data from the wrong query. Critical if flagd uses SQL-based sync providers (e.g., Postgres), potentially leading to incorrect flag configurations. | | CVE-2025-61725 | net/mail | 7.5 (High) | DoS: Inefficient complexity in ParseAddress. Attackers can provide crafted email strings with large domain literals to exhaust CPU if flagd parses email-formatted metadata. | | CVE-2025-61723 | encoding/pem | 7.5 (High) | DoS: Quadratic complexity when parsing invalid PEM inputs. Relevant if flagd loa...
### Summary Affected Components: ``` org.msgpack.core.MessageUnpacker.readPayload() org.msgpack.core.MessageUnpacker.unpackValue() org.msgpack.value.ExtensionValue.getData() ``` A denial-of-service vulnerability exists in MessagePack for Java when deserializing .msgpack files containing EXT32 objects with attacker-controlled payload lengths. While MessagePack-Java parses extension headers lazily, it later trusts the declared EXT payload length when materializing the extension data. When ExtensionValue.getData() is invoked, the library attempts to allocate a byte array of the declared length without enforcing any upper bound. A malicious .msgpack file of only a few bytes can therefore trigger unbounded heap allocation, resulting in JVM heap exhaustion, process termination, or service unavailability. This vulnerability is triggered during model loading / deserialization, making it a model format vulnerability suitable for remote exploitation. ### PoC ``` import msgpack import struct imp...