#git

### Summary `redirect_url` is treated as safe when `url.Parse(...).IsAbs()` is false. Protocol-relative URLs like `//ikotaslabs.com` have an empty scheme and pass that check, allowing post-login redirects to attacker-controlled sites. ### Details - `url.Parse("//ikotaslabs.com")` => empty Scheme, Host="ikotaslabs.com". - `IsAbs()` returns false for `//ikotaslabs.com`, so the code treats it as allowed. - Browser resolves `//ikotaslabs.com` to current-origin scheme (e.g. `https://ikotaslabs.com`), enabling phishing flows after login. ### PoC 1. Send or visit: `http://localhost/login?redirect_url=//ikotaslabs.com` 2. Complete normal login flow. 3. After login the app redirects to `https://ikotaslabs.com` (or `http://` depending on origin). ### Acknowledgements This vulnerability was discovered using the automated vulnerability analysis tools **VulScribe** and **PwnML**. The research and tool development were conducted with support from the **MITOU Advanced Program (未踏アドバンスト事業)*...

The names of two partial owners of firms linked to the Salt Typhoon hacker group also appeared in records for a Cisco training program—years before the group targeted Cisco’s devices in a spy campaign.

The update patches three zero-days and introduces a new PowerShell warning meant to help you avoid accidentally running unsafe code from the web.

### Summary The TIM (PSX TIM) image parser in ImageMagick contains a critical integer overflow vulnerability in the `ReadTIMImage` function (`coders/tim.c`). The code reads `width` and `height` (16-bit values) from the file header and calculates `image_size = 2 * width * height` without checking for overflow. On 32-bit systems (or where `size_t` is 32-bit), this calculation can overflow if `width` and `height` are large (e.g., 65535), wrapping around to a small value. This results in a small heap allocation via `AcquireQuantumMemory` and later operations relying on the dimensions can trigger an out of bounds read. ### Vulnerable Code File: `coders/tim.c` ```c width=ReadBlobLSBShort(image); height=ReadBlobLSBShort(image); image_size=2*width*height; // Line 234 - NO OVERFLOW CHECK! ``` ### Impact This vulnerability can lead to Arbitrary Memory Disclosure due to an out of bounds read on 32-bit systems.

### Impact Any user who can edit their own user profile or any other document can execute arbitrary script macros including Groovy and Python macros that allow remote code execution including unrestricted read and write access to all wiki contents. The reason is that rendering output is included as content of HTML macros with insufficient escaping, and it is thus possible to close the HTML macro and inject script macros that are executed with programming rights. To demonstrate, the content `{{html}}{{/html {{/html}}}}` can be inserted into any field of the user profile that supports wiki syntax like the "About" field. If this leads to the display of raw HTML, the instance is vulnerable. ### Patches This problem has been patched by extending the escaping introduced by [XRENDERING-693](https://jira.xwiki.org/browse/XRENDERING-693) to also cover closing HTML macros that have spaces after the macro name in XWiki 16.10.10, 17.4.3 and 17.6.0RC1. A [similar fix](https://github.com/xwiki/xwik...

### Impact XWiki's REST API doesn't enforce any limits for the number of items that can be requested in a single request at the moment. Depending on the number of pages in the wiki and the memory configuration, this can lead to slowness and unavailability of the wiki. As an example, the `/rest/wikis/xwiki/spaces` resource returns all spaces on the wiki by default, which are basically all pages. ### Patches XWiki 17.7.0RC1, 17.4.4 and 16.10.11 introduce a configurable limit, limiting responses to 1000 items by default. Requesting larger limits leads to an error now. ### Workarounds We're not aware of any workaround, except denying access to the affected REST resources in a proxy in front of XWiki.

### Impact A reflected XSS vulnerability in XWiki allows an attacker to send a victim to a URL with a deletion confirmation message on which the attacker-supplied script is executed when the victim clicks the "No" button. When the victim has admin or programming right, this allows the attacker to execute basically arbitrary actions on the XWiki installation including remote code execution. ### Patches This vulnerability has been patched in XWiki 16.10.10, 17.4.2 and 17.5.0 by using the affected URL parameter only in the intended context. ### Workarounds The [patch](https://github.com/xwiki/xwiki-platform/commit/cb578b1b2910d06e9dd7581077072d1cfbd280f2) can be manually applied to the templates that are present in the WAR. A restart of XWiki is needed for the changes to be applied.

GhostFrame uses dynamic subdomains and hidden iframes to help attackers slip past basic security tools.

Denial of Service vulnerability in Apache Struts, file leak in multipart request processing causes disk exhaustion. This issue affects Apache Struts: from 2.0.0 through 6.7.4, from 7.0.0 through 7.0.3. Users are recommended to upgrade to version 6.8.0 or 7.1.1, which fixes the issue.

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Tuesday added a security flaw impacting the WinRAR file archiver and compression utility to its Known Exploited Vulnerabilities (KEV) catalog, citing evidence of active exploitation. The vulnerability, tracked as CVE-2025-6218 (CVSS score: 7.8), is a path traversal bug that could enable code execution. However, for exploitation