GHSA-qww7-89xh-x7m7: XWiki configuration files can be accessed through the webjars API

### Impact

Configuration files can be read by requesting URLs such as `http://localhost:8080/xwiki/webjars/wiki%3Axwiki/..%2F..%2F..%2F..%2F..%2FWEB-INF%2Fxwiki.cfg`. The trick is to percent-encode the `/` as `%2F`: the encoded slash keeps the whole traversal sequence inside a single URL path segment, that segment is percent-decoded when the URL is parsed, and the decoded value is then used to assemble the file path without being re-encoded or validated, so the `..` components escape the webjar directory.

### Patches

This has been patched in 17.4.0-rc-1 and 16.10.7.

### Workarounds

There is no known workaround other than upgrading XWiki.

### For more information

If you have any questions or comments about this advisory:

* Open an issue in [Jira XWiki.org](https://jira.xwiki.org/)
* Email us at [Security Mailing List](mailto:security@xwiki.org)
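The decode-then-join mistake the advisory describes, reproduced as an added example in Python (XWiki itself is Java; this is not XWiki's code). The webapp layout is an assumption: webjar content is placed five directory levels below the webapp root so that the five `..%2F` steps in the advisory URL land on `WEB-INF/xwiki.cfg`. Paths are virtual strings, nothing is read from disk, and `BENIGN_URL` is constructed. `vulnerable_resolve` joins the decoded segment straight into a path; `hardened_resolve` rejects any decoded segment that is no longer a single path element and then re-checks containment:

```python
import posixpath
from urllib.parse import unquote, urlsplit

# Assumed layout (not XWiki's real one): webjar content is served from a
# directory five levels below the webapp root, so five "../" reach the
# webapp root where WEB-INF lives. Paths are virtual; nothing touches disk.
WEBAPP_ROOT = "/srv/xwiki"
WEBJAR_ROOT = WEBAPP_ROOT + "/resources/webjars/app/lib/1.0"
WEBJAR_PREFIX = "/xwiki/webjars/"

# The URL quoted in the advisory, and a constructed benign request.
ADVISORY_URL = ("http://localhost:8080/xwiki/webjars/wiki%3Axwiki/"
                "..%2F..%2F..%2F..%2F..%2FWEB-INF%2Fxwiki.cfg")
BENIGN_URL = "http://localhost:8080/xwiki/webjars/wiki%3Axwiki/jquery.min.js"


class PathTraversalError(ValueError):
    pass


def decoded_segments(url):
    """Split the raw path on literal '/' first, then percent-decode each
    segment on its own. An encoded %2F survives the split and reappears
    as a '/' inside one decoded segment, which is the behaviour the
    advisory describes."""
    path = urlsplit(url).path
    if not path.startswith(WEBJAR_PREFIX):
        raise ValueError("not a webjars URL: " + path)
    return [unquote(seg) for seg in path[len(WEBJAR_PREFIX):].split("/")]


def vulnerable_resolve(url):
    """Joins the decoded segments straight into a file path. The decoded
    traversal segment is treated as a relative path, so normalisation
    walks out of WEBJAR_ROOT."""
    _wiki, *resource = decoded_segments(url)
    return posixpath.normpath(posixpath.join(WEBJAR_ROOT, *resource))


def hardened_resolve(url):
    """Validates each decoded segment before it is used as a path element,
    then re-checks that the resolved path is still under WEBJAR_ROOT."""
    _wiki, *resource = decoded_segments(url)
    if not resource:
        raise PathTraversalError("no resource requested")
    for seg in resource:
        # After decoding, a segment must still be exactly one path element:
        # no separators (covers %2F and %5C) and no '.'/'..' (covers %2E%2E).
        if "/" in seg or "\\" in seg or seg in ("", ".", ".."):
            raise PathTraversalError("rejected segment %r" % seg)
    resolved = posixpath.normpath(posixpath.join(WEBJAR_ROOT, *resource))
    # Defence in depth: containment holds even if a later decoding step
    # reintroduces separators.
    if resolved != WEBJAR_ROOT and not resolved.startswith(WEBJAR_ROOT + "/"):
        raise PathTraversalError("resolved outside webjar root: " + resolved)
    return resolved


def is_rejected(url):
    """True when the hardened resolver refuses the request."""
    try:
        hardened_resolve(url)
    except PathTraversalError:
        return True
    return False


if __name__ == "__main__":
    print("vulnerable:", vulnerable_resolve(ADVISORY_URL))
    print("hardened rejects advisory URL:", is_rejected(ADVISORY_URL))
    print("hardened benign:", hardened_resolve(BENIGN_URL))
```

The per-segment check is what actually closes the hole: once a segment has been decoded it must not contain a separator or be `.`/`..`, because anything else means the decoder has changed the number of path elements the router saw. The containment check after `normpath` is a second line that does not depend on knowing every encoding the front end may apply.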

Cloudflare Mitigates Largest Ever Recorded DDoS Attack at 11.5 Tbps

Cloudflare mitigated the largest DDoS attack ever recorded, an 11.5 Tbps flood that lasted 35 seconds without disrupting…

Governance-Driven Automation: How Flowable Is Redefining Digital Process Management

A newly published independent research report highlights Flowable’s rise in the digital process automation market. Built on open-source…

Threat Actors Weaponize HexStrike AI to Exploit Citrix Flaws Within a Week of Disclosure

Threat actors are attempting to leverage a newly released artificial intelligence (AI) offensive security tool called HexStrike AI to exploit recently disclosed security flaws. HexStrike AI, according to its website, is pitched as an AI‑driven security platform to automate reconnaissance and vulnerability discovery with an aim to accelerate authorized red teaming operations, bug bounty hunting,

What Is a Passkey? Here’s How to Set Up and Use Them (2025)

Passkeys were built to enable a password-free future. Here's what they are and how you can start using them.

Misconfigured Server Leaks 378GB of Navy Federal Credit Union Files

Cybersecurity researcher Jeremiah Fowler discovered an unsecured and misconfigured server exposing 378 GB of internal Navy Federal Credit…

Fake AnyDesk Installer Spreads MetaStealer Through ClickFix Scam

A new and clever ClickFix scam is using a fake AnyDesk installer and Windows search to bypass security,…

Cloudflare Blocks Record-Breaking 11.5 Tbps DDoS Attack

Cloudflare on Tuesday said it automatically mitigated a record-setting volumetric distributed denial-of-service (DDoS) attack that peaked at 11.5 terabits per second (Tbps). "Over the past few weeks, we've autonomously blocked hundreds of hyper-volumetric DDoS attacks, with the largest reaching peaks of 5.1 Bpps and 11.5 Tbps," the web infrastructure and security company said in a post on X. "

Salesloft Takes Drift Offline After OAuth Token Theft Hits Hundreds of Organizations

Salesloft on Tuesday announced that it's taking Drift temporarily offline "in the very near future," as multiple companies have been ensnared in a far-reaching supply chain attack spree targeting the marketing software-as-a-service product, resulting in the mass theft of authentication tokens. "This will provide the fastest path forward to comprehensively review the application and build

Cloudflare Confirms Data Breach Linked to Salesforce and Salesloft Drift

Cloudflare confirms a Salesforce-linked data breach via Salesloft Drift, exposing customer support case data but leaving core systems…