#vulnerability

## 1. `devalue.parse` allows `__proto__` to be set A string passed to `devalue.parse` could represent an object with a `__proto__` property, which would assign a prototype to an object while allowing properties to be overwritten: ```js class Vector { constructor(x, y) { this.x = x; this.y = y; } get magnitude() { return (this.x ** 2 + this.y ** 2) ** 0.5; } } const payload = `[{"x":1,"y":2,"magnitude":3,"__proto__":4},3,4,"nope",["Vector",5],[6,7],8,9]`; const vector = devalue.parse(payload, { Vector: ([x, y]) => new Vector(x, y) }); console.log("Is vector", vector instanceof Vector); // true console.log(vector.x) // 3 console.log(vector.y) // 4 console.log(vector.magnitude); // "nope" instead of 5 ``` ## 2. `devalue.parse` allows array prototype methods to be assigned to object In a payload constructed with `devalue.stringify`, values are represented as array indices, where the array contains the 'hydrated' values: ```js devalue.stringify({ message: 'hel...

An arbitrary code execution vulnerability in Badaso CMS 2.9.11. The Media Manager allows authenticated users to upload files containing embedded PHP code via the file-upload endpoint, bypassing content-type validation. When such a file is accessed via its URL, the server executes the PHP payload, enabling an attacker to run arbitrary system commands and achieve full compromise of the underlying host. This has been demonstrated by embedding a backdoor within a PDF and renaming it with a .php extension.

Researchers say the huge spike of coordinated scanning for Microsoft RDP services could indicate the existence of a new, as-yet-undisclosed vulnerability.

### Impact When generating PDF files, this vulnerability allows an attacker to read arbitrary files from the filesystem by injecting malicious link element into the XML. ### Workarounds Test untrusted input with `link` elements with `rel="attachment"` before processing. ### Credits This vulnerability was reported by Mohamed Ouad from [Doyensec](https://doyensec.com/).

Citrix has released fixes to address three security flaws in NetScaler ADC and NetScaler Gateway, including one that it said has been actively exploited in the wild. The vulnerabilities in question are listed below - CVE-2025-7775 (CVSS score: 9.2) - Memory overflow vulnerability leading to Remote Code Execution and/or Denial-of-Service CVE-2025-7776 (CVSS score: 8.8) - Memory overflow

### Impact A vulnerability exists where sensitive information, such as OAuth tokens, is recorded in log files when an error occurs during the execution of an SQL query. An attacker could intentionally trigger an SQL error by methods such as placing a high load on the database. This could allow an attacker who has the authority to view the log files to illicitly acquire the recorded sensitive information. ### Patch This vulnerability has been fixed in the following pull request: https://github.com/traPtitech/traQ/pull/2787 It is possible that OAuth tokens issued before the patch was applied have already been recorded in the logs. To completely eliminate the security risk, server administrators are strongly recommended to revoke all existing OAuth tokens. ### Workaround If you cannot apply the update immediately, as a temporary workaround, please review access permissions for SQL error logs and strictly limit access to prevent unauthorized users from viewing them.

### Impact User control of the first argument of the addImage method results in CPU utilization and denial of service. If given the possibility to pass unsanitized image data or URLs to the addImage method, a user can provide a harmful PNG file that results in high CPU utilization and denial of service. Other affected methods are: `html`. Example payload: ```js import { jsPDF } from "jpsdf" const payload = new Uint8Array([117, 171, 90, 253, 166, 154, 105, 166, 154]) const doc = new jsPDF(); const startTime = performance.now(); try { doc.addImage(payload, "PNG", 10, 40, 180, 180, undefined, "SLOW"); } finally { const endTime = performance.now(); console.log(`Call to doc.addImage took ${endTime - startTime} milliseconds`); } ``` ### Patches The vulnerability was fixed in jsPDF 3.0.2. Upgrade to jspdf@>=3.0.2. In jspdf@>=3.0.2, invalid PNG files throw an Error instead of causing very long running loops. ### Workarounds Sanitize image data or URLs before passing it to the a...

## Summary A format string bug vulnerability exists in `InterpretImageFilename` function where user input is directly passed to `FormatLocaleString` without proper sanitization. An attacker can overwrite arbitrary memory regions, enabling a wide range of attacks from heap overflow to remote code execution. <br> ## Details ### root cause ``` MagickExport size_t InterpretImageFilename(const ImageInfo *image_info, Image *image,const char *format,int value,char *filename, ExceptionInfo *exception) { ... while ((cursor=strchr(cursor,'%')) != (const char *) NULL) { const char *q = cursor; ssize_t offset = (ssize_t) (cursor-format); cursor++; /* move past '%' */ if (*cursor == '%') { /* Escaped %%. */ cursor++; continue; } /* Skip padding digits like %03d. */ if (isdigit((int) ((unsigned char) *cursor)) != 0) (void) strtol(cursor,(char **) &cursor,10); switch (*cursor) ...

The application constructs a shell command using unsanitized user input passed to the system() function, calling an external binary for authentication. Due to improper input handling and reliance on the binary's return value for access control, an attacker can inject special characters, such as a double quote (") to manipulate command parsing and induce execution failure. Since the application interprets any non-zero exit code from the binary as successful authentication, this flaw allows remote users to bypass authentication entirely without providing valid credentials.

View CSAF 1. EXECUTIVE SUMMARY CVSS v4 8.7 ATTENTION: Exploitable remotely/low attack complexity Vendor: Schneider Electric Equipment: Modicon M340 and Communication Modules Vulnerability: Improper Input Validation 2. RISK EVALUATION Successful exploitation of this vulnerability could allow an attacker to cause a denial-of-service condition. 3. TECHNICAL DETAILS 3.1 AFFECTED PRODUCTS Schneider Electric reports that the following products are affected: Modicon M340: All versions BMXNOR0200H Ethernet/Serial RTU Module: All versions BMXNGD0100 M580 Global Data module: All versions BMXNOC0401 Modicon M340 X80 Ethernet Communication modules: All versions BMXNOE0100 Modbus/TCP Ethernet Modicon M340 module: Versions prior to 3.60 BMXNOE0110 Modbus/TCP Ethernet Modicon M340 FactoryCast module: Versions prior to 6.80 3.2 VULNERABILITY OVERVIEW 3.2.1 IMPROPER INPUT VALIDATION CWE-20 Improper Input Validation vulnerability exists that could cause a Denial-of-Service when specially crafted FTP com...