#perl

Organisational culture, as we know it, isn’t built overnight. It takes shape over time through decisions, habits and…

Security researchers at Bitdefender have found two critical vulnerabilities (CVE-2025-31700, CVE-2025-31701) in popular Dahua security cameras, including the Hero C1 model.

### Impact OpenSearch versions 2.19.2 and earlier improperly apply Field Level Security (FLS) rules on fields which are not at the top level of the source document tree (i.e., which are members of a JSON object). If an FLS exclusion rule (like `~object`) is applied to an object valued attribute in a source document, the object is properly removed from the `_source` document in search and get results. However, any member attribute of that object remains available to search queries. This allows to reconstruct the original field contents using range queries. ### Patches The issue has been resolved in OpenSearch 3.0.0 and OpenSearch 2.19.3. ### Workarounds If FLS exclusion rules are used for object valued attributes (like `~object`), add an additional exclusion rule for the members of the object (like `~object.*`).

### Impact OpenSearch versions 2.19.2 and earlier improperly apply field masking rules on fields of the types `ip`, `geo_point`, `geo_shape`, `xy_point`, `xy_shape`. While the content of these fields is properly redacted in the `_source` document returned by search operations, the original unredacted values remain available to search queries. This allows to reconstruct the original field contents using range queries. Additionally, the content of fields of type `geo_point`, `geo_shape`, `xy_point`, `xy_shape` is returned in an unredacted form if requested via the `fields` option of the search API. ### Patches The issue has been resolved in OpenSearch 3.0.0 and OpenSearch 2.19.3. ### Workarounds If you cannot upgrade immediately, you can avoid the problem by using field level security (FLS) protection on fields of the affected types instead of field masking.

Phishing remained the top initial access method in Q2 2025, while ransomware incidents see the emergence of new Qilin tactics.

### Impact This vulnerability affects oauth2-proxy deployments using the `skip_auth_routes` configuration option with regex patterns. The vulnerability allows attackers to bypass authentication by crafting URLs with query parameters that satisfy the configured regex patterns, potentially gaining unauthorized access to protected resources. The issue stems from `skip_auth_routes` matching against the full request URI (path + query parameters) instead of just the path as documented. This discrepancy enables authentication bypass attacks where attackers append malicious query parameters to access protected endpoints. Example Attack: * Configuration: `skip_auth_routes = [ "^/foo/.*/bar$" ]` * Intended behavior: Allow `/foo/something/bar` * Actual vulnerability: Also allows `/foo/critical_endpoint?param=/bar` Deployments using `skip_auth_routes` with regex patterns containing wildcards or broad matching patterns are most at risk, especially when backend services ignore unknown query para...

The `--gitlab-group` flag for group-based authorization in the GitLab provider stopped working in the v7.0.0 release. Regardless of the flag settings, authorization wasn't restricted. Additionally, any authenticated users had whichever groups were set in `--gitlab-group` added to the new `X-Forwarded-Groups` header to the upstream application. While adding GitLab project based authorization support in #630, a bug was introduced where the user session's groups field was populated with the `--gitlab-group` config entries instead of pulling the individual user's group membership from the GitLab Userinfo endpoint. When the session groups where compared against the allowed groups for authorization, they matched improperly (since both lists were populated with the same data) so authorization was allowed. ### Impact This impacts GitLab Provider users who relies on group membership for authorization restrictions. Any authenticated users in your GitLab environment can access your application...

### Summary A log injection vulnerability was identified in `pyload` in API `/json/add_package`. This vulnerability allows user with add packages permission to inject arbitrary messages into the logs gathered by `pyload`. ### Details `pyload` will generate a log entry when creating new package using API `/json/add_package`. This entry will be in the form of `Added package 'NAME_OF_PACKAGE' containing 'NUMBER_OF_LINKS' links`. However, when supplied with the name of new package containing a newline, this newline is not properly escaped. Newlines are also the delimiter between log entries. This allows the attacker to inject new log entries into the log file. ### PoC Run `pyload` in the default configuration by running the following command ``` pyload ``` We can now sign in as the pyload user who at least have add packages permissions. In my example, I will use the admin account to demonstrate this vulnerability. Now as an admin user, view the logs at `http://localhost:8000/logs` <img wi...

Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution') vulnerability in Linkify (linkifyjs) allows XSS Targeting HTML Attributes and Manipulating User-Controlled Variables.This issue affects Linkify: from 4.3.1 before 4.3.2.

#### **Overview** A critical vulnerability has been identified in the `tj-actions/branch-names` GitHub Action workflow which allows arbitrary command execution in downstream workflows. This issue arises due to inconsistent input sanitization and unescaped output, enabling malicious actors to exploit specially crafted branch names or tags. While internal sanitization mechanisms have been implemented, the action outputs remain vulnerable, exposing consuming workflows to significant security risks. #### **Technical Details** The vulnerability stems from the unsafe use of the `eval printf "%s"` pattern within the action's codebase. Although initial sanitization using `printf "%q"` properly escapes untrusted input, subsequent unescaping via `eval printf "%s"` reintroduces command injection risks. This unsafe pattern is demonstrated in the following code snippet: ```bash echo "base_ref_branch=$(eval printf "%s" "$BASE_REF")" >> "$GITHUB_OUTPUT" echo "head_ref_branch=$(eval printf "%s" "$...