#git

After a sudden internet cable break between Finland and Estonia, authorities have seized the cargo ship Fitburg. With two crew members arrested and sanctioned steel found on board, investigators are now probing if this was an accident or a deliberate act of hybrid warfare.

This article has been updated with a statement from Resecurity. A separate, updated article covering the incident has…

RondoDox hackers exploit the React2Shell flaw in Next.js to target 90,000+ devices, including routers, smart cameras, and small business websites.

Being targeted by sophisticated spyware is relatively rare, but experts say that everyone needs to stay vigilant as this dangerous malware continues to proliferate worldwide.

The world of finance has undergone a remarkable transformation with the rise of digital wallets and financial technology…

## Security Advisory: Stored XSS Leading to Admin Account Takeover **Affected Versions:** ≤ 5.1.0 **Vulnerability Type:** CWE-79: Stored Cross-Site Scripting --- ## Summary A lower-privileged user with campaign management permissions can inject malicious JavaScript into campaigns or templates. When a higher-privileged user (Super Admin) views or previews this content, the XSS executes in their browser context, allowing the attacker to perform privileged actions such as creating backdoor admin accounts. The attack can be weaponized via the **public archive feature**, where victims simply need to visit a link - no preview click required. --- ## Required Attacker Permissions ``` campaigns:manage - Create/edit campaigns campaigns:get - View campaigns lists:get_all - Access lists templates:get - Access templates ``` **Note:** These are common permissions for content managers who are not full admins. --- ## Attack Vectors ### Vector 1: Raw HTML (Direct ...

### Summary SSTI is possible via first name and last name parameters provided by lowest-privileged users. ### Details 1. Go to `http://127.0.0.1:8000/` and login or signup 2. Go to `http://127.0.0.1:8000/customer/account/profile` 3. Now edit the first name and last name to {{7*7}} 4. Notice it appears as 49 ### POC - Video attached with the report: https://github.com/user-attachments/assets/f93932b5-2a57-4f34-897e-4151a5168912 ### Impact This can lead to RCE, command injection.

### Summary SSTI when normal customer orders any product in add address step can inject value run in admin view. ### Details `As normal user` 1. Go to `http://127.0.0.1:8000/` 2. Add order to cart and continue to checkout 3. In step of add address inject this value {{7*7}} in any input `As admin` 1. Go to `http://127.0.0.1:8000/admin/sales/orders` 2. And notice the vlaue appear in admin view 49 `As normal user` 3. Go to add address normally `http://127.0.0.1:8000/customer/account/addresses/create` and inject {{7*7}} on it and will notice it appear 49 <img width="1868" height="868" alt="image" src="https://github.com/user-attachments/assets/279627e9-6361-4d39-a500-0fc20e163d25" /> ### PoC - Video attached with the report: https://github.com/user-attachments/assets/a814b30c-a3e2-4a40-8644-336e21e60d0d ### Impact - Can lead to RCE

### Summary SSTI is possible in Bagisto via type parameter can lead to RCE and other exploitations. ### Details 1. Go to `http://127.0.0.1:8000/admin/reporting/products/view?type={{7*7}}` <img width="1251" height="282" alt="image" src="https://github.com/user-attachments/assets/652e96f4-631e-4322-8561-63f4d897a480" /> ### Impact Can lead to RCE, command injection.

### Summary A stored Cross-Site Scripting (XSS) vulnerability exists in Bagisto 2.3.8 within the CMS page editor. Although the platform normally attempts to sanitize `<script>` tags, the filtering can be bypassed by manipulating the raw HTTP POST request before submission. As a result, arbitrary JavaScript can be stored in the CMS content and executed whenever the page is viewed or edited. This exposes administrators to a high-severity risk, including complete account takeover, backend hijacking, and malicious script execution. ### Details Bagisto’s CMS editor includes an HTML sanitation mechanism intended to protect against script injection by wrapping raw script content in `<div>` elements. However, this mechanism is applied only to requests submitted through the UI. When the CMS update request is intercepted and modified at the HTTP level, the sanitation layer fails to strip or encode embedded `<script>` tags. Because the back-end trusts the manipulated request, the malicious scri...