#git

### Impact EncryptionUtilityServiceImpl initialized an AES256TextEncryptor password (serverSecretKey) using RandomStringUtils with the default java.util.Random. java.util.Random is a non‑cryptographic PRNG and can be predicted from limited state/seed information (e.g., start time window), substantially reducing the effective search space of the generated key. An attacker who can obtain ciphertexts (e.g., exported or at‑rest strings protected by this service) and approximate the PRNG seed can feasibly reconstruct the serverSecretKey and decrypt affected data. ### Patches SAK-49866 is patched in Sakai 23.5, 25.0, and trunk. ### Credits - Reported by [Suraj Gangwar](https://www.linkedin.com/in/surajgangwar?trk=contact-info). - Patched by Sam Ottenhoff (Longsight).

### Impact An attacker who uses this vulnerability can craft a PDF which leads to large memory usage. This requires parsing the content stream of a page using the LZWDecode filter. ### Patches This has been fixed in [pypdf==6.1.3](https://github.com/py-pdf/pypdf/releases/tag/6.1.3). ### Workarounds If you cannot upgrade yet, consider applying the changes from PR [#3502](https://github.com/py-pdf/pypdf/pull/3502).

### Impact An attacker who uses this vulnerability can craft a PDF which leads to an infinite loop. This requires parsing the content stream of a page which has an inline image using the DCTDecode filter. ### Patches This has been fixed in [pypdf==6.1.3](https://github.com/py-pdf/pypdf/releases/tag/6.1.3). ### Workarounds If you cannot upgrade yet, consider applying the changes from PR [#3501](https://github.com/py-pdf/pypdf/pull/3501).

# Description - In the `StaticHandlerImpl#sendDirectoryListing(...)` method under the `text/html` branch, file and directory names are directly embedded into the `href`, `title`, and link text without proper HTML escaping. - As a result, in environments where an attacker can control file names, injecting HTML/JavaScript is possible. Simply accessing the directory listing page will trigger an XSS. - Affected Code: - File: `vertx-web/src/main/java/io/vertx/ext/web/handler/impl/StaticHandlerImpl.java` - Lines: - 709–713: `normalizedDir` is constructed without escaping - 714–731: `<li><a ...>` elements insert file names directly into attributes and body without escaping - 744: parent directory name construction - 746–751: `{directory}`, `{parent}`, and `{files}` are inserted into the HTML template without escaping # Reproduction Steps 1. Prerequisites: - Directory listing is enabled using `StaticHandler` (e.g., `StaticHandler.create("p...

# Description There is a flaw in the hidden file protection feature of Vert.x Web’s `StaticHandler` when `setIncludeHidden(false)` is configured. In the current implementation, only files whose final path segment (i.e., the file name) begins with a dot (`.`) are treated as “hidden” and are blocked from being served. However, this logic fails in the following cases: - **Files under hidden directories**: For example, `/.secret/config.txt` — although `.secret` is a hidden directory, the file `config.txt` itself does not start with a dot, so it gets served. - **Real-world impact**: Sensitive files placed in hidden directories like `.git`, `.env`, `.aws` may become publicly accessible. As a result, the behavior does not meet the expectations set by the `includeHidden=false` configuration, which should ideally protect all hidden files and directories. This gap may lead to unintended exposure of sensitive information. # Steps to Reproduce ```bash 1. Prepare test environment # Create di...

### Impact OpenBao's audit log experienced a regression wherein raw HTTP bodies used by few endpoints were not correctly redacted (HMAC'd). This impacted the following subsystems: - When using the ACME functionality of PKI, this would result in short-lived ACME verification challenge codes being leaked in the audit logs. - When using the OIDC issuer functionality of the identity subsystem, auth and token response codes along with claims could be leaked in the audit logs. Third-party plugins may be affected. ### Patches OpenBao v2.4.2 will patch this issue. ### Workarounds If users do not use the above functionality, they are not impacted. ACME verification codes are not usable after verification or challenge expiry so are of limited long-term use.

Financial regulators in Canada this week levied $176 million in fines against Cryptomus, a digital payments platform that supports dozens of Russian cryptocurrency exchanges and websites hawking cybercrime services. The penalties for violating Canada's anti money-laundering laws come ten months after KrebsOnSecurity noted that Cryptomus's Vancouver street address was home to dozens of foreign currency dealers, money transfer businesses, and cryptocurrency exchanges — none of which were physically located there.

The Iranian nation-state group known as MuddyWater has been attributed to a new campaign that has leveraged a compromised email account to distribute a backdoor called Phoenix to various organizations across the Middle East and North Africa (MENA) region, including over 100 government entities. The end goal of the campaign is to infiltrate high-value targets and facilitate intelligence gathering

Cybersecurity researchers have disclosed details of a coordinated spear-phishing campaign dubbed PhantomCaptcha targeting organizations associated with Ukraine's war relief efforts to deliver a remote access trojan that uses a WebSocket for command-and-control (C2). The activity, which took place on October 8, 2025, targeted individual members of the International Red Cross, Norwegian Refugee

### Summary The client-side settings are not checked before sending local files to MySQL server, which allows obtaining arbitrary files from the client using a rogue server. ### Details It is possible to create a rogue MySQL server that emulates authorization, ignores client flags and requests arbitrary files from the client by sending a LOAD_LOCAL instruction packet. Related to CVE-2019-2503. ### PoC First, start up a rogue MySQL server that ignores client-side flags and sends LOAD_LOCAL packet to the client – tested with https://github.com/rmb122/rogue_mysql_server 1. Create a file to be stolen by the rogue server: `echo "gotcha" > /tmp/my_secret_file.txt` 2. Clone the repo: `git clone git@github.com:rmb122/rogue_mysql_server.git && cd rogue_mysql_server` 3. Build the server: `make rogue_mysql_server` 4. Generate a sample config: `rogue_mysql_server -generate` 5. In `config.yaml` change `file_list` to `["/tmp/my_secret_file.txt"]` 6. Run the server: `./rogue_mysql_server -config c...