Tag
#vulnerability
CISA has added three actively exploited vulnerabilities in Citrix and Git to its KEV Catalogue. Federal agencies must…
This week, Joe encourages you to find your community in cybersecurity and make the effort to grow, network and hack stuff together.
This is the same vulnerability as https://github.com/edgelesssys/contrast/security/advisories/GHSA-h5f8-crrq-4pw8. The original vulnerability had been fixed for release `v1.8.1`, but the fix was not ported to the main branch and thus not present in releases `v1.9.0` ff. Below is a brief repetition of the relevant sections from the first GHSA, where you can find the full details. ### Impact * [Workload secrets](https://docs.edgeless.systems/contrast/1.11/architecture/secrets#workload-secrets) are visible to Kubernetes users with `get` or `list` permission on `pods/logs`, and thus need to be considered compromised. * Since workload secrets are used for [encrypted storage](https://docs.edgeless.systems/contrast/1.11/howto/encrypted-storage) and [Vault integration](https://docs.edgeless.systems/contrast/1.11/howto/vault), those need to be considered compromised, too. ### Patches Patches: * https://github.com/edgelesssys/contrast/commit/5a5512c4af63c17bb66331e7bd2768a863b2f225 * https...
Miami, United States, 28th August 2025, CyberNewsWire
### Impact When visiting a specific URL, an anonymous user could cause the NodeJS server part of Volto to quit with an error. ### Patches The problem has been patched and the patch has been backported to Volto major versions down until 16. It is advised to upgrade to the latest patch release of your respective current major version: - Volto 16: [16.34.0](https://github.com/plone/volto/releases/tag/16.34.0) - Volto 17: [17.22.1](https://github.com/plone/volto/releases/tag/17.22.1) - Volto 18: [18.24.0](https://github.com/plone/volto/releases/tag/18.24.0) - Volto 19: [19.0.0-alpha4](https://github.com/plone/volto/releases/tag/19.0.0-alpha.4) ### Workarounds Make sure your setup automatically restarts processes that quit with an error. This won't prevent a crash, but it minimises downtime. ### Report The problem was discovered by FHNW, a client of Plone provider kitconcept, who shared it with the Plone Zope Security Team (security@plone.org).
FormCms v0.5.5 contains a stored cross-site scripting (XSS) vulnerability in the avatar upload feature. Authenticated users can upload .html files containing malicious JavaScript, which are accessible via a public URL. When a privileged user accesses the file, the script executes in their browser context.
### Impact The PDF export uses a background job that runs on the server-side. Jobs like this have a status that is serialized in the permanent directory when the job is finished. The job status includes the job request. The PDF export job request is initialized, before the job starts, with some context information that is needed to replicate the HTTP request (used to trigger the export) in the background thread used to run the export job. This context information includes the cookies from the HTTP request that triggered the export. As a result, the user cookies (including the encrypted username and password) are stored in the permanent directory after the PDF export is finished. As the encryption key is stored in the same data directory (by default it is generated in ``data/configuration.properties``), this means that this job status contains the equivalent of the plain text password of the user who requested the PDF export. XWiki shouldn't store passwords in plain text, and it shoul...
### Impact Under certain conditions, back end users may be able to edit fields of pages and articles without having the necessary permissions. ### Patches Update to Contao 5.3.38 or 5.6.1. ### Workarounds None. ### For more information If you have any questions or comments about this advisory, open an issue in [contao/contao](https://github.com/contao/contao/issues/new/choose).
### Impact If a news feed contains protected news archives, their news items are not filtered and become publicly available in the RSS feed. ### Patches Update to Contao 5.3.38 or 5.6.1. ### Workarounds Do not add protected news archives to the news feed page. ### For more information If you have any questions or comments about this advisory, open an issue in [contao/contao](https://github.com/contao/contao/issues/new/choose).
### Impact Protected content elements that are rendered as fragments are indexed and become publicly available in the front end search. ### Patches Update to Contao 4.13.56, 5.3.38 or 5.6.1. ### Workarounds Disable the front end search. ### For more information If you have any questions or comments about this advisory, open an issue in [contao/contao](https://github.com/contao/contao/issues/new/choose).