#auth

The flaw allows an authenticated attacker to gain complete control over a Roundcube webmail server.

Akamai's latest report reveals two Mirai botnets exploiting the critical CVE-2025-24016 flaw in Wazuh. Learn about these fast-spreading IoT threats and urgent patching advice.

### Impact Files uploaded by users to Nautobot's `MEDIA_ROOT` directory, including DeviceType image attachments as well as images attached to a Location, Device, or Rack, are served to users via a URL endpoint that was not enforcing user authentication. As a consequence, such files can be retrieved by anonymous users who know or can guess the correct URL for a given file. For DeviceType image attachments, a mitigating factor is that no URL endpoint exists for listing the contents of the `devicetype-images/` subdirectory, and the file names are as specified by the uploading user, so any given DeviceType image attachment can only be retrieved by correctly guessing its file name. Similarly, for all other image attachments, while the images *can* be listed by accessing the `/api/extras/image-attachments/` endpoint *as an authenticated user only*, absent that authenticated access, accessing the files would again require guessing file names correctly. ### Patches Nautobot v2.4.10 and v1...

### Summary Missing checks allow for SSRF to specific targets using the TestWfsPost enpoint. ### Mitigation To manage the proxy base value as a system administrator, use the parameter ``PROXY_BASE_URL`` to provide a non-empty value that cannot be overridden by the user interface or incoming request.[thomsmith](https://github.com/thomsmith). ### Resolution The TestWfsPost has been replaced in GeoServer 2.25.2 and GeoServer 2.24.4 with a JavaScript [Demo Requests](https://docs.geoserver.org/latest/en/user/configuration/demos/index.html#demo-requests) page to test OGC Web Services. ### References * [CVE-2024-29198](https://github.com/geoserver/geoserver/security/advisories/GHSA-5gw5-jccf-6hxw) Unauthenticated SSRF via TestWfsPost

### Impact _What kind of vulnerability is it? Who is impacted?_ All users of Nautobot versions prior to 2.4.10 or prior to 1.6.32 are potentially affected. Due to insufficient security configuration of the Jinja2 templating feature used in computed fields, custom links, etc. in Nautobot: 1. A malicious user could configure this feature set in ways that could expose the value of Secrets defined in Nautobot when the templated content is rendered. 2. A malicious user could configure this feature set in ways that could call Python APIs to modify data within Nautobot when the templated content is rendered, bypassing the object permissions assigned to the viewing user. ### Patches _Has the problem been patched? What versions should users upgrade to?_ Nautobot versions 1.6.32 and 2.4.10 will include fixes for the vulnerability. ### Workarounds _Is there a way for users to fix or remediate the vulnerability without upgrading?_ The vulnerability can be partially mitigated by configuring ...

### Summary matrix-sdk-crypto since version 0.8.0 up to 0.11.0 does not correctly validate the sender of an encrypted event. Accordingly, a malicious homeserver operator can modify events served to clients, making those events appear to the recipient as if they were sent by another user. Although the CVSS score is 4.9 (AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:N), we consider this a High Severity security issue. ### Details The Matrix specification [requires](https://spec.matrix.org/v1.14/client-server-api/#mmegolmv1aes-sha2) that clients ensure that "the event’s `sender`, `room_id`, and the recorded `session_id` match a trusted session". The vulnerable matrix-sdk-crypto versions check that the `room_id` matches that of the session denoted by `session_id`, but do not check the `sender`. ### Patches The issue is resolved by [13c1d20](https://github.com/matrix-org/matrix-rust-sdk/commit/13c1d2048286bbabf5e7bc6b015aafee98f04d55), included in versions 0.11.1 and 0.12.0 of matrix-sdk-crypto. ...

### Impact OctoPrint versions up until and including 1.11.1 contain a vulnerability that allows any unauthenticated attacker to send a manipulated broken `multipart/form-data` request to OctoPrint and through that make the web server component become unresponsive. This could be used to effectively run a denial of service attack on the OctoPrint server. ### Patches The vulnerability has been patched in version 1.11.2. ### Workaround OctoPrint administrators are once more reminded to not make OctoPrint available on hostile networks (e.g. the internet), regardless of whether this vulnerability is patched or not. ### Details The issue can be triggered by a broken `multipart/form-data` request lacking an end boundary to any of OctoPrint's endpoints implemented through the `octoprint.server.util.tornado.UploadStorageFallbackHandler` request handler. The request handler will get stuck in an endless busy loop, looking for a part of the request that will never come. As Tornado is single-...

### Impact GeoNetwork WFS Index functionality is affected by GeoTools XML External Entity (XXE) vulnerability during schema validation. This vulnerability is particularly severe as the REST API endpoint was not secured, potentially allowing unauthenticated attackers to read sensitive files ### Patches GeoNetwork 4.4.8 / 4.2.13. ### Workarounds Remove the ``gn-wfsfeature-harvester`` and ``gn-camelPeriodicProducer`` jars, disabling the WFS Index functionality. ### References - [GHSA-826p-4gcg-35vw](https://github.com/geotools/geotools/security/advisories/GHSA-826p-4gcg-35vw) - https://github.com/geonetwork/core-geonetwork/pull/8757 - https://github.com/geonetwork/core-geonetwork/pull/8803 - https://github.com/geonetwork/core-geonetwork/pull/8812

## Summary GeoServer Web Feature Service (WFS) web service was found to be vulnerable to GeoTools CVE-2025-30220 XML External Entity (XXE) processing attack. It is possible to trigger the parsing of external DTDs and entities, bypassing standard entity resolvers. This allows for Out-of-Band (OOB) data exfiltration of local files accessible by the GeoServer process, and Service Side Request Forgery (SSRF). ## Details While direct entity resolution is managed by application property ENTITY_RESOLUTION_ALLOWLIST for XML Parsing, this restriction was not being used by the GeoTools library when building an in-memory XSD Library Schema representation. This bypasses GeoServer's AllowListEntityResolver enabling XXE attacks. ## PoC No public PoC is provided but this vulnerability has been confirmed to be exploitable through WFS service. ## Impact * Information Disclosure: This vulnerability allows unauthenticated attackers to read arbitrary files from the server's filesystem that a...

### Summary Malicious Jiffle scripts can be executed by GeoServer, either as a rendering transformation in WMS dynamic styles or as a WPS process, that can enter an infinite loop to trigger denial of service. ### Details The Jiffle language supports multiple loop constructs that will cause its code block to be continuously executed until a certain condition is met. The Jiffle runtime should be updated to throw an exception if the script exceeds a certain number of loop iterations. ### Impact This vulnerability allows attackers to conduct denial-of-service attacks. ### Mitigation This vulnerability can be mitigated by disabling WMS dynamic styling (see [WMS Settings](https://docs.geoserver.org/latest/en/user/services/wms/webadmin.html#disabling-usage-of-dynamic-styling-in-getmap-getfeatureinfo-and-getlegendgraphic-requests)). If the WPS extension is installed, the Jiffle process must also be disabled to mitigate this vulnerability (see [WPS Settings](https://docs.geoserver.org/latest...