#web

Newark, United States, 4th August 2025, CyberNewsWire

A list of topics we covered in the week of July 28 to August 3 of 2025

Improper Input Validation vulnerability in Apache Zeppelin. The fix for JDBC URL validation in CVE-2024-31864 did not account for URL encoded input. This issue affects Apache Zeppelin: from 0.11.1 before 0.12.0. Users are recommended to upgrade to version 0.12.0, which fixes the issue.

Missing Origin Validation in WebSockets vulnerability in Apache Zeppelin. The attacker could access the Zeppelin server from another origin without any restriction, and get internal information about paragraphs.  This issue affects Apache Zeppelin: from 0.11.1 before 0.12.0. Users are recommended to upgrade to version 0.12.0, which fixes the issue.

Security firm Point Wild has exposed a new malware campaign using malicious LNK files to install the REMCOS backdoor. This report details how attackers disguise files to gain full system control.

The US DOJ has announced the largest-ever compensation process for human trafficking victims of Backpage. Learn about the $200M fund, who is eligible, and the steps to file a petition before the February 2, 2026, deadline. This comes years after the site's seizure, as previously reported by Hackread.com.

Plus: A former top US cyber official loses her new job due to political backlash, Congress is rushing through a bill to censor lawmakers’ personal information online, and more.

## Summary A critical Remote Code Execution (RCE) vulnerability was discovered in the `@nestjs/devtools-integration` package. When enabled, the package exposes a local development HTTP server with an API endpoint that uses an unsafe JavaScript sandbox (`safe-eval`-like implementation). Due to improper sandboxing and missing cross-origin protections, any malicious website visited by a developer can execute arbitrary code on their local machine. A full blog post about how this vulnerability was uncovered can be found on [Socket's blog](https://socket.dev/blog/nestjs-rce-vuln). ## Details The `@nestjs/devtools-integration` package adds HTTP endpoints to a locally running NestJS development server. One of these endpoints, `/inspector/graph/interact`, accepts JSON input containing a `code` field and executes the provided code in a Node.js `vm.runInNewContext` sandbox. Key issues: 1. **Unsafe Sandbox:** The sandbox implementation closely resembles the abandoned `safe-eval` library. The No...

Microweber CMS 2.0 is vulnerable to Cross Site Scripting (XSS) in the /projects/profile, homepage endpoint via the last name field.

Reflected Cross-Site Scripting (XSS) in Microweber CMS 2.0 via the layout parameter on the /admin/page/create page allows arbitrary JavaScript execution in the context of authenticated admin users.