#auth

The second zero-day vulnerability found in Windows NTLM in the past two months paves the way for relay attacks and credential theft. Microsoft has no patch, but released updated NTLM cyberattack mitigation advice.

Protect your systems with automated patching and server hardening strategies to defend against vulnerabilities like the NTLM zero-day.…

due to a weakness in the encryption method used in cookie-encrypter an attack can use the world visible IV to edit encrypted cookies without decrypting the cookie itself. This is known as an AES CBC bit flipping attack.

unstructured v.0.14.2 and before is vulnerable to XML External Entity (XXE) via the XMLParser.

A vulnerability was found in OIDC-Client. When using the RH SSO OIDC adapter with EAP 7.x or when using the elytron-oidc-client subsystem with EAP 8.x, authorization code injection attacks can occur, allowing an attacker to inject a stolen authorization code into the attacker's own session with the client with a victim's identity. This is usually done with a Man-in-the-Middle (MitM) or phishing attack.

Scammers set up call centers in luxury rentals to run bank help-desk fraud, as well as large-scale phishing campaigns, across at least 10 European countries, according to law enforcement.

## Impact Some HTML attributes in Markdown in the internal templates listed below not escaped. Impacted are Hugo users who do not trust their Markdown content files and are using one or more of these templates. * `_default/_markup/render-link.html` from `v0.123.0` * `_default/_markup/render-image.html` from `v0.123.0` * `_default/_markup/render-table.html` from `v0.134.0` * `shortcodes/youtube.html` from `v0.125.0` ## Patches Patched in v0.139.4. ## Workarounds Replace with user defined templates or disable the internal templates: https://gohugo.io/getting-started/configuration-markup/#renderhooksimageenabledefault ## References * https://github.com/gohugoio/hugo/releases/tag/v0.139.4 * https://gohugo.io/about/security/

### Impact Several polynomial time complexity issues in league/commonmark may lead to unbounded resource exhaustion and subsequent denial of service. Malicious users could trigger that inefficient code with carefully crafted Markdown inputs that are specifically designed to ensure the worst-case performance is reached. Sending multiple such requests in parallel could tie up all available CPU resources and/or PHP-FPM processes, leading to denial of service for legitimate users. ### Patches These vulnerabilities have been patched in version 2.6.0. All users on older versions are highly encouraged to upgrade as soon as possible. ### Workarounds If you cannot upgrade, you may be able to mitigate the issues by: - Setting very low `memory_limit` and `max_execution_time` PHP configurations to prevent runaway resource usage - Implementing rate-limiting, bot protection, or other approaches to reduce the risk of simultaneous bad requests hitting your site - Limiting the size of inputs f...

### Summary When setting `WEBSOCKETS_GRAPHQL_AUTH` or `WEBSOCKETS_REST_AUTH` to "public", an unauthenticated user is able to do any of the supported operations (CRUD, subscriptions) with full admin privileges. ### Details Accountability for unauthenticated WebSocket requests is set to null, which used to be "public permissions" until the Permissions Policy update which now defaults that to system/admin level access. So instead of null we need to make use of `createDefaultAccountability()` to ensure public permissions are used for unauthenticated users. ### PoC 1. Start directus with ```bash WEBSOCKETS_ENABLED=true WEBSOCKETS_GRAPHQL_AUTH=public WEBSOCKETS_REST_AUTH=public ``` 2. Subscribe using GQL or REST or do any CRUD operation on a user created collection (system tables are not reachable with crud) ```gql subscription { directus_users_mutated { key event data { id email first_name last_name p...

The Trix editor, in versions prior to 2.1.9 and 1.3.3, is vulnerable to XSS + mutation XSS attacks when pasting malicious code. ### Impact An attacker could trick a user to copy and paste malicious code that would execute arbitrary JavaScript code within the context of the user's session, potentially leading to unauthorized actions being performed or sensitive information being disclosed. ### Patches Update Recommendation: Users should upgrade to Trix editor version 2.1.9 or later, which uses [DOMPurify](https://github.com/cure53/DOMPurify) to sanitize the pasted content. If using Trix 1.x, upgrade to version 1.3.3 or later. ### Mitigations This is not really a workaround but something that should be considered in addition to upgrading to the patched version. If affected users can disallow browsers that don't support a Content Security Policy, then this would be an effective workaround for this and all XSS vulnerabilities. Set CSP policies such as script-src 'self' to ensure th...