#auth

### Impact Protected pages are listed when requesting the REST endpoints `/rest/wikis/[wikiName]/pages` even if the user doesn't have view rights on them. It's particularly true if the entire wiki is protected with "Prevent unregistered user to view pages": the endpoint would still list the pages of the wiki (actually it only impacts the main wiki due to XWIKI-22639). ### Patches The problem has been patched in XWiki 15.10.14, 16.4.6, 16.10.0RC1. In those versions the endpoint can still be requested but the result is filtered out based on pages rights. ### Workarounds There's no workaround except upgrading or applying manually the changes of the commits (see references) in `xwiki-platform-rest-server` and recompiling / rebuilding it. ### References * Original JIRA ticket: https://jira.xwiki.org/browse/XWIKI-22630 * Related JIRA ticket: https://jira.xwiki.org/browse/XWIKI-22639 * Commits of the patch: https://github.com/xwiki/xwiki-platform/commit/bca72f5ce971a31dba2a016d8dd8...

### Impact It's possible for an user to get access to private information through the REST API - but could also be through another API - when a sub wiki is using "Prevent unregistered users to view pages". The vulnerability only affects subwikis, and it only concerns specific right options such as "Prevent unregistered users to view pages". or "Prevent unregistered users to edit pages". It's possible to detect the vulnerability by enabling "Prevent unregistered users to view pages" and then trying to access a page through the REST API without using any credentials. ### Patches The vulnerability has been patched in XWiki 15.10.14, 16.4.6 and 16.10.0RC1. ### Workarounds There's no workaround. ### References * JIRA ticket: https://jira.xwiki.org/browse/XWIKI-22640 * Commit of the fix: https://github.com/xwiki/xwiki-platform/commit/5f98bde87288326cf5787604e2bb87836875ed0e ### For more information If you have any questions or comments about this advisory: * Open an issue in [Ji...

A flaw was found in the Hive hibernation controller component of OpenShift Dedicated. The ClusterDeployment.hive.openshift.io/v1 resource can be created with the spec.installed field set to true, regardless of the installation status, and a positive timespan for the spec.hibernateAfter value. If a ClusterSync.hiveinternal.openshift.io/v1alpha1 resource is also created, the hive hibernation controller will enter the reconciliation loop leading to a panic when accessing a non-existing field in the ClusterDeployment’s status section, resulting in a denial of service.

Jenkins Zoho QEngine Plugin 1.0.29.vfa_cc23396502 and earlier does not mask the QEngine API Key form field, increasing the potential for attackers to observe and capture it.

Jenkins AnchorChain Plugin 1.0 does not limit URL schemes for links it creates based on workspace content, allowing the javascript: scheme. This results in a stored cross-site scripting (XSS) vulnerability exploitable by attackers able to control the input file for the Anchor Chain post-build step. As of publication of this advisory, there is no fix.

About Spoofing – Windows File Explorer (CVE-2025-24071) vulnerability. The vulnerability is from the March Microsoft Patch Tuesday. The VM vendors didn’t highlight it in their reviews. A week later, on March 18, researcher 0x6rss published a write-up and a PoC exploit. According to him, the vulnerability is exploited in the wild, and the exploit has […]

A discovered vulnerability allows users to modify their shopping cart after completing the PayPal Checkout process and payment authorization. If a user initiates a PayPal transaction from a product page or the cart page and then returns to the order summary page, they can still manipulate the cart contents before finalizing the order. As a result, the order amount in Sylius may be higher than the amount actually captured by PayPal, leading to a scenario where merchants deliver products or services without full payment. ### Impact - Users can exploit this flaw to receive products/services without paying the full amount. - Merchants may suffer financial losses due to underpaid orders. - Trust in the integrity of the payment process is compromised. ### Patches The issue is fixed in versions: 1.6.2, 1.7.2, 2.0.2 and above. ### Workarounds To resolve the problem in the end application without updating to the newest patches, there is a need to overwrite `PayPalOrderCompleteProcessor` w...

### Summary When vLLM is configured to use Mooncake, unsafe deserialization exposed directly over ZMQ/TCP on all network interfaces will allow attackers to execute remote code on distributed hosts. ### Details 1. Pickle deserialization vulnerabilities are [well documented](https://docs.python.org/3/library/pickle.html). 2. The [mooncake pipe](https://github.com/vllm-project/vllm/blob/9bebc9512f9340e94579b9bd69cfdc452c4d5bb0/vllm/distributed/kv_transfer/kv_pipe/mooncake_pipe.py#L206) is exposed over the network (by design to enable disaggregated prefilling across distributed environments) using ZMQ over TCP, greatly increasing exploitability. Further, the mooncake integration opens these sockets listening on all interfaces on the host, meaning it can not be configured to only use a private, trusted network. 4. The root problem is [`recv_tensor()`](https://github.com/vllm-project/vllm/blob/9bebc9512f9340e94579b9bd69cfdc452c4d5bb0/vllm/distributed/kv_transfer/kv_pipe/mooncake_pipe.py#L25...

### Summary The `fast-jwt` library does not properly validate the `iss` claim based on the RFC https://datatracker.ietf.org/doc/html/rfc7519#page-9. #### Details The `iss` (issuer) claim validation within the fast-jwt library permits an array of strings as a valid `iss` value. This design flaw enables a potential attack where a malicious actor crafts a JWT with an `iss` claim structured as `['https://attacker-domain/', 'https://valid-iss']`. Due to the permissive validation, the JWT will be deemed valid. Furthermore, if the application relies on external libraries like `get-jwks` that do not independently validate the `iss` claim, the attacker can leverage this vulnerability to forge a JWT that will be accepted by the victim application. Essentially, the attacker can insert their own domain into the `iss` array, alongside the legitimate issuer, and bypass the intended security checks. #### PoC Take a server running the following code: ```js const express = require('express') const ...

Mattermost versions 9.11.x <= 9.11.8 fail to properly perform authorization of the Viewer role which allows an attacker with the Viewer role configured with No Access to Reporting to still view team and site statistics.