#vulnerability

The Microsoft Researcher Recognition Program offers public thanks and recognition to security researchers who help protect our customers through discovering and sharing security vulnerabilities under Coordinated Vulnerability Disclosure. Today, we are excited to recognize this year’s Most Valuable Researchers (MVRs), based on the total number of points earned for each valid report.

### Impact The default macro content parser didn't preserve the restricted attribute of the transformation context when executing nested macros. This allows executing macros that are normally forbidden in restricted mode, in particular script macros. The [cache](https://extensions.xwiki.org/xwiki/bin/view/Extension/Cache%20Macro) and [chart](https://extensions.xwiki.org/xwiki/bin/view/Extension/Chart%20Macro) macros that are bundled in XWiki use the vulnerable feature. The following XWiki syntax, when used inside a comment in XWiki, demonstrates the privilege escalation from comment right to programming right and thus remote code execution (RCE) that is possible due to this: ``` {{cache}}{{groovy}}println("Hello from Groovy!"){{/groovy}}{{/cache}} ``` This vulnerability exists since the restricted attribute has been added to the transformation context in version 4.2. ### Patches This has been patched in XWiki 13.10.11, 14.4.7 and 14.10. ### Workarounds To avoid the exploitation of...

### Impact Attackers could: 1. Execute arbitrary commands on the server 2. Access sensitive environment variables 3. Escalate access depending on server configuration A critical vulnerability was discovered in LaRecipe that allows an attacker to perform Server-Side Template Injection (SSTI), potentially leading to Remote Code Execution (RCE) in vulnerable configurations. ### Patches Users are strongly advised to upgrade to version v2.8.1 or later.

### Summary The Python parser is vulnerable to a request smuggling vulnerability due to not parsing trailer sections of an HTTP request. ### Impact If a pure Python version of aiohttp is installed (i.e. without the usual C extensions) or AIOHTTP_NO_EXTENSIONS is enabled, then an attacker may be able to execute a request smuggling attack to bypass certain firewalls or proxy protections. ---- Patch: https://github.com/aio-libs/aiohttp/commit/e8d774f635dc6d1cd3174d0e38891da5de0e2b6a

### Impact An endpoint used to display details of users listed in certain fields (such as ACLs) could be misused to dump basic user details (such as name, affiliation and email) in bulk. > [!TIP] > If your instance allows everyone to create a user account, and you wish to truly restrict access to these user details, consider restricting user search to managers. You can find details on the newly introduced indico.conf setting [`ALLOW_PUBLIC_USER_SEARCH`](https://docs.getindico.io/en/stable/config/settings/#ALLOW_PUBLIC_USER_SEARCH) in our documentation. ### Patches You should to update to [Indico 3.3.7](https://github.com/indico/indico/releases/tag/v3.3.7) as soon as possible. See [the docs](https://docs.getindico.io/en/stable/installation/upgrade/) for instructions on how to update. ### Workarounds It is possible to restrict access to the affected endpoints (e.g. in the webserver config), but doing so would break certain form fields which could no longer show the details of the user...

A prompt-injection vulnerability in the AI assistant allows attackers to create messages that appear to be legitimate Google Security alerts but instead can be used to target users across various Google products with vishing and phishing.

Elon Musk’s Grok-4 AI was compromised within 48 hours. Discover how NeuralTrust researchers combined “Echo Chamber” and “Crescendo”…

### Impact There is an arbitrary code execution vulnerability in the `CsvEnumerator` class of the `job-iteration` repository. This vulnerability can be exploited by an attacker to execute arbitrary commands on the system where the application is running, potentially leading to unauthorized access, data leakage, or complete system compromise. ### Patches Issue is fixed in versions `1.11.0` and above. ### Workarounds Users can mitigate the risk by avoiding the use of untrusted input in the `CsvEnumerator` class and ensuring that any file paths are properly sanitized and validated before being passed to the class methods. Users should avoid calling `size` on enumerators constructed with untrusted CSV filenames.

Blind XXE vulnerabilities in jackrabbit-spi-commons and jackrabbit-core in Apache Jackrabbit < 2.23.2 due to usage of an unsecured document build to load privileges. Users are recommended to upgrade to versions 2.20.17 (Java 8), 2.22.1 (Java 11) or 2.23.2 (Java 11, beta versions), which fix this issue. Earlier versions (up to 2.20.16) are not supported anymore, thus users should update to the respective supported version.

py-libp2p before 0.2.3 allows a peer to cause a denial of service (resource consumption) via a large RSA key.