#auth

### Impact Directus allows an authenticated attacker to save cross site scripting code to the database. This is possible because the application injects an attacker-controlled parameter that will be stored in the server and used by the client into an unsanitized DOM element. When chained with [CVE-2024-6534](https://github.com/directus/directus/security/advisories/GHSA-3fff-gqw3-vj86), it could result in account takeover. ### PoC To exploit this vulnerability, we need to do the following steps using a non-administrative, default role attacker account. 1. Upload the following JavaScript file. Using the upload functionality at `POST /files`. This PoC will show an alert message. ```js export TARGET_HOST="http://localhost:8055" export ATTACKER_EMAIL="[email protected]" export ATTACKER_PASSWORD="123456" root_dir=$(dirname $0) mkdir "${root_dir}/static" curl -s -k -o /dev/null -w "%{http_code}" -X 'POST' "${TARGET_HOST}/auth/login" \ -c "${root_dir}/static/attacker_directus_se...

### Summary When sharing an item, user can specify an arbitrary role. It allows user to use a higher-privileged role to see fields that otherwise the user should not be able to see. ### Details Specifying `role` on share should be available only for admins. The current flow has a security flaw. Each other role should allow to share only in the context of the same role. As there is no role hierarchy in Directus, it is impossible to tell which role is _higher_ or _lower_, so only admins should be able to specify the role for share. Optionally, instead of specifying a role, shareer* should be able to specify which fields (limited to fields shareer sees) are available on shared item. Similarily to import. *_shareer_ - a person that creates a share link to item ### PoC 1. Create a collection with a secret field. 2. Create role A that sees the secret field 3. Create role B that does not see the secret field, but can use share feature. 4. Create item with secret field filled. 5. Use ac...

The first team to successfully hack the electric vehicle maker's charger won $50,000 for their ingenuity.

Attackers can use a zero- or one-click flaw to send a malicious image to targets — an image that can deanonymize a user within seconds, posing a threat to journalists, activists, hackers, and others whose locations are sensitive.

### Impact The `saveRequestFiles` function does not delete the uploaded temporary files when user cancels the request. ### Patches Fixed in version 8.3.1 and 9.0.3 ### Workarounds Do not use `saveRequestFiles`. ### References This was identified in https://github.com/fastify/fastify-multipart/issues/546 and fixed in https://github.com/fastify/fastify-multipart/pull/567.

The threat actors are abusing the vulnerabilities to gain initial access, obtain credentials, and install malicious scripts on user devices.

### Impact A user with access to a Kubernetes cluster where Envoy Gateway is installed can use a path traversal attack to execute Envoy Admin interface commands on proxies managed by Envoy Gateway. The admin interface can be used to terminate the Envoy process and extract the Envoy configuration (possibly containing confidential data). For example, the following command, if run from within the Kubernetes cluster, can be used to get the configuration dump of the proxy: ``` curl --path-as-is http://<Proxy-Service-ClusterIP>:19001/stats/prometheus/../../config_dump ``` ### Patches 1.2.6 ### Workarounds The `EnvoyProxy` API can be used to apply a bootstrap config patch that restricts access strictly to the prometheus stats endpoint. Find below an example of such a bootstrap patch. ``` apiVersion: gateway.envoyproxy.io/v1alpha1 kind: EnvoyProxy metadata: name: custom-proxy-config namespace: default spec: bootstrap: type: JSONPatch jsonPatches: - op: "add" path: ...

While employees want to take advantage of the increased efficiency of GenAI and LLMs, CISOs and IT teams must be diligent and stay on top of the most up-to-date security regulations.

Such routers typically lack endpoint detection and response protection, are in front of a firewall, and don't run monitoring software like Sysmon, making the attacks harder to detect.

View CSAF 1. EXECUTIVE SUMMARY CVSS v3 7.2 ATTENTION: Exploitable remotely/low attack complexity Vendor: Hitachi Energy Equipment: RTU500 series products Vulnerability: Improperly Implemented Security Check for Standard 2. RISK EVALUATION Successful exploitation of this vulnerability could allow an attacker to to update the RTU500 with unsigned firmware. 3. TECHNICAL DETAILS 3.1 AFFECTED PRODUCTS Hitachi Energy reports that the following RTU500 series products are affected: RTU500 series CMU Firmware: Version 13.5.1 up to and including 13.5.3 RTU500 series CMU Firmware: Version 13.4.1 up to and including 13.4.4 RTU500 series CMU Firmware: Version 13.2.1 up to and including 13.2.7 3.2 VULNERABILITY OVERVIEW 3.2.1 IMPROPERLY IMPLEMENTED SECURITY CHECK FOR STANDARD CWE-358 A vulnerability exists in the RTU500 that allows for authenticated and authorized users to bypass secure update. If a malicious actor successfully exploits this vulnerability, they could use it to update the RTU500 with...