Tag
#vulnerability
### Summary A denial-of-service (DoS) vulnerability in OpenDJ has been discovered that causes the server to become unresponsive to all LDAP requests without crashing or restarting. This issue occurs when an alias loop exists in the LDAP database. If an `ldapsearch` request is executed with alias dereferencing set to "always" on this alias entry, the server stops responding to all future requests. I have confirmed this issue using the latest OpenDJ version (9.2), both with the official OpenDJ Docker image and a local OpenDJ server running on my Windows 10 machine. ### Details An unauthenticated attacker can exploit this vulnerability using a single crafted `ldapsearch` request. Fortunately, the server can be restarted without data corruption. While this attack requires the existence of an alias loop, I am uncertain whether such loops can be easily created in specific environments or if the method can be adapted to execute other DoS attacks more easily. ### PoC (Steps to Reproduce) 1. ...
### Summary An arbitrary file upload vulnerability was identified in the redaxo. This flaw permits users to upload malicious files, which can lead to JavaScript code execution and distribute malware. ### Details On the latest version of Redaxo, v5.18.2, the mediapool/media page is vulnerable to arbitrary file upload. ### PoC 1. Log in to the portal then navigate to `Mediapool`. 2. Upload a png file (ex: poc.png)  3. Intercept the upload HTTP request on burp suite and change `filename: poc.1html`, `Content-Type:image/html` and insert the malicious html code. (ex: `<IFRAME SRC="javascript:alert(1);"></IFRAME>`)  4. Forward the request. 5. Navigate to the file.   when a `tracestate` and `traceparent` header is received. * Even if an application does not explicitly use trace context propagation, receiving these headers can still trigger high CPU usage. * This issue impacts any application accessible over the web or backend services that process HTTP requests containing a `tracestate` header. * Application may experience excessive resource consumption, leading to increased latency, degraded performance, or downtime. ### Patches _Has the problem been patched? What versions should users upgrade to?_ This issue has been <strong data-start="1143" data-end="1184">resolved in OpenTelemetry.Api 1.11.2</strong> by <strong data-start="1188" data-end="1212">reverting the change</strong> that introduced the problematic behavior in versions <strong data-start="1266" data-end="1286">1.10....
Microsoft warns that Chinese espionage group Silk Typhoon now exploits IT tools like remote management apps and cloud services to breach networks.
The Justice Department claims 10 alleged hackers and two Chinese government officials took part in a wave of cyberattacks around the globe that included breaching the US Treasury Department and more.
Android's March 2025 security update includes two zero-days which are under active exploitation in targeted attacks.
The rapid adoption of cloud services, SaaS applications, and the shift to remote work have fundamentally reshaped how enterprises operate. These technological advances have created a world of opportunity but also brought about complexities that pose significant security threats. At the core of these vulnerabilities lies Identity—the gateway to enterprise security and the number one attack vector
Veriti Research reveals 40% of networks allow ‘any/any’ cloud access, exposing critical vulnerabilities. Learn how malware like XWorm…
FlowiseAI Flowise v2.2.6 was discovered to contain an arbitrary file upload vulnerability in /api/v1/attachments.