#auth

Allocation of resources for multipart headers with insufficient limits enabled a DoS vulnerability in Apache Commons FileUpload. This issue affects Apache Commons FileUpload: from 1.0 before 1.6; from 2.0.0-M1 before 2.0.0-M4. Users are recommended to upgrade to versions 1.6 or 2.0.0-M4, which fix the issue.

Liferay Portal 7.4.0 through 7.4.3.97, and Liferay DXP 2023.Q3.1 through 2023.Q3.2, 7.4 GA through update 92, 7.3 GA through update 35, and 7.2 fix pack 8 through fix pack 20 does not limit the depth of a GraphQL queries, which allows remote attackers to perform denial-of-service (DoS) attacks on the application by executing complex queries.

### Impact The audit log notifications included the full IP address of the acting user. This could be obtained by third-party servers such as SMTP relays, or spam filters. ### Patches This issue has been addressed in Weblate 5.12 via https://github.com/WeblateOrg/weblate/pull/15102. ### References Thanks to [micael1](https://hackerone.com/micael1) for reporting this [issue at HackerOne](https://hackerone.com/reports/3179850).

### Impact The verification of the second factor was not subject to rate limiting. The absence of rate limiting on the second factor endpoint allows an attacker with valid credentials to automate OTP guessing. ### Patches This issue has been addressed in Weblate 5.12 via https://github.com/WeblateOrg/weblate/pull/14918. ### References Thanks to [obscuredeer](https://hackerone.com/obscuredeer) for reporting this [issue at HackerOne](https://hackerone.com/reports/3150564).

European law enforcement agencies have dismantled Archetyp Market, a long-running dark web platform used primarily for drug sales,…

Making sure your Kubernetes environment is secure and compliant is a critical, ongoing challenge, especially for enterprise workloads in the hybrid cloud. To help you meet security requirements with greater confidence and efficiency, we’ve just rolled out key updates to Red Hat Advanced Cluster Security for Kubernetes Cloud Service. This latest release helps significantly strengthen your security posture with newly added industry-standard certifications, including ISO 27001 and PCI DSS 4.0, and deeper integration with key AWS services. These enhancements are designed to streamline compliance

Hackers leak data of 10,000 VirtualMacOSX customers in alleged breach, exposing names, emails, passwords, and financial details on a hacking forum.

Plus: Spyware is found on two Italian journalists’ phones, Ukraine claims to have hacked a Russian aircraft maker, police take down major infostealer infrastructure, and more.

Versions of MCP Inspector below 0.14.1 are vulnerable to remote code execution due to lack of authentication between the Inspector client and proxy, allowing unauthenticated requests to launch MCP commands over stdio. Users should immediately upgrade to version 0.14.1 or later to address these vulnerabilities. Credit: Rémy Marot <[email protected]>

### Impact Any XWiki user with edit right on at least one App Within Minutes application (the default for all users XWiki) can obtain programming right/perform remote code execution by editing the application. The detailed reproduction steps can be found in the [original bug report](https://jira.xwiki.org/browse/XWIKI-22719). ### Patches This vulnerability has been fixed in XWiki 17.0.0, 16.4.7, and 16.10.3. ### Workarounds Restricting edit rights on all existing App Within Minutes applications to trusted users mitigates at least the PoC exploit, but we can't exclude that there are other ways to exploit this vulnerability.