#vulnerability

ESET reports on RoundPress, a cyber espionage campaign by Russia’s Fancy Bear (Sednit) targeting Ukraine-related organizations via webmail…

The company behind the Signal clone used by at least one Trump administration official was breached earlier this month. The hacker says they got in thanks to a basic misconfiguration.

**Overview** Session cookies of applications using the laravel-auth0 SDK configured with CookieStore have authentication tags that can be brute forced, which may result in unauthorized access. **Am I Affected?** You are affected by this vulnerability if you meet the following pre-conditions: 1. Applications using laravel-auth0 SDK with version <=7.16.0 2. laravel-auth0 SDK uses the Auth0-PHP SDK with version 8.0.0-BETA1 or higher and below 8.14.0. 3. Session storage configured with CookieStore. **Fix** Upgrade Auth0/laravel-auth0 to v7.17.0. As an additional precautionary measure, we recommend rotating your cookie encryption keys. Note that once updated, any previous session cookies will be rejected. **Acknowledgement** Okta would like to thank Félix Charette for discovering this vulnerability.

**Overview** Session cookies of applications using the Auth0 Wordpress plugin configured with CookieStore have authentication tags that can be brute forced, which may result in unauthorized access. **Am I Affected?** You are affected by this vulnerability if you meet the following pre-conditions: 1. Applications using the Auth0 WordPress Plugin with version <=5.2.1 2. Auth0 WordPress Plugin uses the Auth0-PHP SDK with version 8.0.0-BETA1 or higher and below 8.14.0. 3. Session storage configured with CookieStore. **Fix** Upgrade Auth0/wordpress plugin to v5.3.0. As an additional precautionary measure, we recommend rotating your cookie encryption keys. Note that once updated, any previous session cookies will be rejected. **Acknowledgement** Okta would like to thank Félix Charette for discovering this vulnerability.

**Overview** Session cookies of applications using the Auth0 symfony SDK configured with CookieStore have authentication tags that can be brute forced, which may result in unauthorized access. **Am I Affected?** You are affected by this vulnerability if you meet the following pre-conditions: 1. Applications using the Auth0 symfony SDK with version <=5.3.1 2. Auth0/Symfony SDK uses the Auth0-PHP SDK with version 8.0.0-BETA1 or higher and below 8.14.0. 3. Session storage configured with CookieStore. **Fix** Upgrade Auth0/symfony to v5.4.0. As an additional precautionary measure, we recommend rotating your cookie encryption keys. Note that once updated, any previous session cookies will be rejected. **Acknowledgement** Okta would like to thank Félix Charette for discovering this vulnerability.

The beginning of Pwn2Own Berlin 2025, hosted at the OffensiveCon conference, has concluded its first two days with…

**Overview** Session cookies of applications using the Auth0-PHP SDK configured with CookieStore have authentication tags that can be brute forced, which may result in unauthorized access. **Am I Affected?** You are affected by this vulnerability if you meet the following pre-conditions: 1. Applications using the Auth0-PHP SDK, or the following SDKs that rely on the Auth0-PHP SDK: a. Auth0/symfony, b. Auth0/laravel-auth0, c. Auth0/wordpress, 2. Session storage configured with CookieStore. **Fix** Upgrade Auth0/Auth0-PHP to v8.14.0. As an additional precautionary measure, we recommend rotating your cookie encryption keys. Note that once updated, any previous session cookies will be rejected. **Acknowledgement** Okta would like to thank Félix Charette for discovering this vulnerability.

### Impact Flask-AppBuilder prior to 4.6.2 would allow for a malicious unauthenticated actor to perform an open redirect by manipulating the Host header in HTTP requests. ### Patches Flask-AppBuilder 4.6.2 introduced the `FAB_SAFE_REDIRECT_HOSTS` configuration variable, which allows administrators to explicitly define which domains are considered safe for redirection. Examples: ``` FAB_SAFE_REDIRECT_HOSTS = ["yourdomain.com", "sub.yourdomain.com", "*.yourcompany.com"] ``` ### Workarounds Use a Reverse Proxy to Enforce Trusted Host Headers ### References _Are there any links users can visit to find out more?_

Ivanti EPMM users urgently need to patch against actively exploited 0day vulnerabilities (CVE-2025-4427, CVE-2025-4428) that enable pre-authenticated remote…

seaweedfs v3.68 was discovered to contain a SQL injection vulnerability via the component /abstract_sql/abstract_sql_store.go.