#auth

INTERPOL disrupts 20,000 infostealer domains in major cybercrime crackdown across Asia-Pacific, 32 arrested, 216K victims notified in Operation Secure.

Mattermost versions 10.7.x <= 10.7.1, 10.6.x <= 10.6.3, 10.5.x <= 10.5.4, 9.11.x <= 9.11.13 fail to properly validate LDAP group ID attributes, allowing an authenticated administrator with PermissionSysconsoleWriteUserManagementGroups permission to execute LDAP search filter injection via the PUT /api/v4/ldap/groups/{remote_id}/link API when objectGUID is configured as the Group ID Attribute.

AppOmni research reveals over 20 security vulnerabilities, including zero-days, in the Salesforce Industry Cloud. Learn about critical risks, customer responsibilities, and how to protect sensitive data.

Two security vulnerabilities have been disclosed in SinoTrack GPS devices that could be exploited to control certain remote functions on connected vehicles and even track their locations. "Successful exploitation of these vulnerabilities could allow an attacker to access device profiles without authorization through the common web management interface," the U.S. Cybersecurity and Infrastructure

Microsoft has released patches to fix 67 security flaws, including one zero-day bug in Web Distributed Authoring and Versioning (WEBDAV) that it said has come under active exploitation in the wild. Of the 67 vulnerabilities, 11 are rated Critical and 56 are rated Important in severity. This includes 26 remote code execution flaws, 17 information disclosure flaws, and 14 privilege escalation

Microsoft has released its monthly security update for June 2025, which includes 66 vulnerabilities affecting a range of products, including 10 that Microsoft marked as “critical.”

The flaw allows an authenticated attacker to gain complete control over a Roundcube webmail server.

Akamai's latest report reveals two Mirai botnets exploiting the critical CVE-2025-24016 flaw in Wazuh. Learn about these fast-spreading IoT threats and urgent patching advice.

### Impact Files uploaded by users to Nautobot's `MEDIA_ROOT` directory, including DeviceType image attachments as well as images attached to a Location, Device, or Rack, are served to users via a URL endpoint that was not enforcing user authentication. As a consequence, such files can be retrieved by anonymous users who know or can guess the correct URL for a given file. For DeviceType image attachments, a mitigating factor is that no URL endpoint exists for listing the contents of the `devicetype-images/` subdirectory, and the file names are as specified by the uploading user, so any given DeviceType image attachment can only be retrieved by correctly guessing its file name. Similarly, for all other image attachments, while the images *can* be listed by accessing the `/api/extras/image-attachments/` endpoint *as an authenticated user only*, absent that authenticated access, accessing the files would again require guessing file names correctly. ### Patches Nautobot v2.4.10 and v1...

### Summary Missing checks allow for SSRF to specific targets using the TestWfsPost enpoint. ### Mitigation To manage the proxy base value as a system administrator, use the parameter ``PROXY_BASE_URL`` to provide a non-empty value that cannot be overridden by the user interface or incoming request.[thomsmith](https://github.com/thomsmith). ### Resolution The TestWfsPost has been replaced in GeoServer 2.25.2 and GeoServer 2.24.4 with a JavaScript [Demo Requests](https://docs.geoserver.org/latest/en/user/configuration/demos/index.html#demo-requests) page to test OGC Web Services. ### References * [CVE-2024-29198](https://github.com/geoserver/geoserver/security/advisories/GHSA-5gw5-jccf-6hxw) Unauthenticated SSRF via TestWfsPost