#vulnerability

### Impact The vulnerability is in the password change dialog in the back office. During the transition from v4 to v5 a mistake was made in the validation code which caused the validation of the previous password to not run as expected. This made it possible for a logged in user to change password in the back office without knowing the previous password. For example if someone logs in, leaves their workstation unlocked, and another person uses the same machine. ### Credit The issue was reported to us by Code-Rhapsodie. We thank them for their responsible disclosure! https://www.code-rhapsodie.fr/ ### Patches - See "Patched versions". - https://github.com/ibexa/user/commit/9d485bf385e6401c9f7ee80287d8ccd00f73dcf4 ### Workarounds None.

### Summary Zitadel's User Service discloses the total number of instance users to unauthorized users. ### Impact The ZITADEL User Service exposes the total number of users within an instance to any authenticated user, regardless of their specific permissions. While this does not leak individual user data or PII, disclosing the total user count via the `totalResult` field constitutes an information disclosure vulnerability that may be sensitive in certain contexts. ### Affected Versions Systems running one of the following version are affected: - **4.x**: `4.0.0-rc.1` through `4.7.1` - **3.x**: `3.0.0-rc.1` through `3.4.4` - **2.x**: `2.44.0` through `2.71.19` ### Patches The vulnerability has been addressed in the latest release. The patch resolves the issue and returns the `totalResult` value corresponding to the number of instance users for whom the querying user has read permission. - 4.x: Upgrade to >=[4.7.2](https://github.com/zitadel/zitadel/releases/tag/v4.7.2) - 3.x: ...

### Summary `redirect_url` is treated as safe when `url.Parse(...).IsAbs()` is false. Protocol-relative URLs like `//ikotaslabs.com` have an empty scheme and pass that check, allowing post-login redirects to attacker-controlled sites. ### Details - `url.Parse("//ikotaslabs.com")` => empty Scheme, Host="ikotaslabs.com". - `IsAbs()` returns false for `//ikotaslabs.com`, so the code treats it as allowed. - Browser resolves `//ikotaslabs.com` to current-origin scheme (e.g. `https://ikotaslabs.com`), enabling phishing flows after login. ### PoC 1. Send or visit: `http://localhost/login?redirect_url=//ikotaslabs.com` 2. Complete normal login flow. 3. After login the app redirects to `https://ikotaslabs.com` (or `http://` depending on origin). ### Acknowledgements This vulnerability was discovered using the automated vulnerability analysis tools **VulScribe** and **PwnML**. The research and tool development were conducted with support from the **MITOU Advanced Program (未踏アドバンスト事業)*...

The names of two partial owners of firms linked to the Salt Typhoon hacker group also appeared in records for a Cisco training program—years before the group targeted Cisco’s devices in a spy campaign.

Sysdig discovered North Korea-linked EtherRAT, a stealthy new backdoor using Ethereum smart contracts for C2 after exploiting the critical React2Shell vulnerability (CVE-2025-55182).

The update patches three zero-days and introduces a new PowerShell warning meant to help you avoid accidentally running unsafe code from the web.

### Summary The TIM (PSX TIM) image parser in ImageMagick contains a critical integer overflow vulnerability in the `ReadTIMImage` function (`coders/tim.c`). The code reads `width` and `height` (16-bit values) from the file header and calculates `image_size = 2 * width * height` without checking for overflow. On 32-bit systems (or where `size_t` is 32-bit), this calculation can overflow if `width` and `height` are large (e.g., 65535), wrapping around to a small value. This results in a small heap allocation via `AcquireQuantumMemory` and later operations relying on the dimensions can trigger an out of bounds read. ### Vulnerable Code File: `coders/tim.c` ```c width=ReadBlobLSBShort(image); height=ReadBlobLSBShort(image); image_size=2*width*height; // Line 234 - NO OVERFLOW CHECK! ``` ### Impact This vulnerability can lead to Arbitrary Memory Disclosure due to an out of bounds read on 32-bit systems.

### Impact A reflected XSS vulnerability in XWiki allows an attacker to send a victim to a URL with a deletion confirmation message on which the attacker-supplied script is executed when the victim clicks the "No" button. When the victim has admin or programming right, this allows the attacker to execute basically arbitrary actions on the XWiki installation including remote code execution. ### Patches This vulnerability has been patched in XWiki 16.10.10, 17.4.2 and 17.5.0 by using the affected URL parameter only in the intended context. ### Workarounds The [patch](https://github.com/xwiki/xwiki-platform/commit/cb578b1b2910d06e9dd7581077072d1cfbd280f2) can be manually applied to the templates that are present in the WAR. A restart of XWiki is needed for the changes to be applied.

Improper Symbolic link handling in the PutContents API in Gogs allows Local Execution of Code.

Three security vulnerabilities have been disclosed in the Peripheral Component Interconnect Express (PCIe) Integrity and Data Encryption (IDE) protocol specification that could expose a local attacker to serious risks. The flaws impact PCIe Base Specification Revision 5.0 and onwards in the protocol mechanism introduced by the IDE Engineering Change Notice (ECN), according to the PCI Special