A vulnerability in 7-Zip that could allow attackers to bypass the MotW security feature in Windows has been patched.

A patch is available for a vulnerability in 7-Zip that could have allowed attackers to bypass the Mark-of-the-Web (MotW) security feature in Windows.

The MotW is an attribute added to files by Windows when they have been sourced from an untrusted location, like the internet or a restricted zone. The MotW is what triggers warnings that opening or running such files could lead to potentially dangerous behavior, including installing malware on their devices. 7-Zip added support for MotW in June 2022.

The MotW also makes sure that Office documents that are marked with the MotW will be opened in Protected View, which automatically enables read-only mode and means that all macros will be disabled until the user allows them.

MotW security warning in file properties

For years, attackers were able to bypass the MotW by putting their malicious files in archives. This worked because the MotW is in fact another file that is attached to the main file as an Alternate Data Stream (ADS), and over the years we have seen many vulnerabilities in archivers where the ADS didn’t pass on the individual files when the archive was decompressed.

The same is true this time. Only the attacker will have to prepare an especially crafted nested archive. A nested archive means there is an open archive inside another open archive. Exploitation of the vulnerability also requires user interaction, meaning the target will have to visit a malicious page or open a malicious file.

If you’re a Windows user, check whether you are using version 7-Zip 24.09 or later. If you’re not, then they’ll need to update.

7-Zip does not have an auto-update function, so you will have to download the version that is suitable for your system from the 7-Zip downloads page.

**Other security measures**

There are some general safety tips to keep in mind when you’re handling archived files on a regular basis:

*   Keep track of how and where you obtained the archive.
*   Always be careful when opening archived files that you downloaded from the internet.
*   Make sure you are using an updated anti-malware solution that is capable of scanning inside archives, and you have that setting enabled.

Malwarebytes scan within archives option enabled

*   Keep track of who accesses archived files and when. This can help identify unauthorized access attempts and help monitor unwanted changes.

**We don’t just report on threats—we remove them**

Cybersecurity risks should never spread beyond a headline. Keep threats off your devices by downloading Malwarebytes today.

 7-Zip bug could allow a bypass of a Windows security feature. Update now 

President Trump pardons Silk Road founder Ross Ulbricht, slamming prosecutors as “scum.” The move reignites debates on cybercrime…

President Trump pardons Silk Road founder Ross Ulbricht, slamming prosecutors as “scum.” The move reignites debates on cybercrime justice, presidential power, and fairness.

U.S. President Donald Trump has issued a full pardon to Ross Ulbricht, the founder of the infamous dark web marketplace **Silk Road**. The decision has kicked off a debate across political, legal, and cybersecurity circles while raising questions about possible pardons for other high-profile figures such as Julian Assange and Edward Snowden.

****The Silk Road Story****

Launched in February 2011, Silk Road was an online marketplace accessible through the Tor network, designed to ensure user anonymity. The platform operated much like eBay but was primarily known for facilitating the trade of illegal goods, particularly drugs. Payments on Silk Road were conducted using Bitcoin, making transactions nearly untraceable.

Ross Ulbricht, operating under the pseudonym “Dread Pirate Roberts,” positioned himself as a libertarian ideologue, claiming the marketplace was a tool to undermine government overreach and provide individuals with greater personal freedoms. However, the site soon became a hub for illegal activities, including drug trafficking, weapons sales, and hacking tools.

****The Arrest****

Ulbricht was **arrested on October 1, 2013**, in the science fiction section of a public library in San Francisco. The dramatic takedown was part of a planned operation by federal agents who had been tracking Ulbricht for months including postings on online forums, metadata from server logs, and evidence found on Ulbricht’s laptop at the time of his arrest.

When captured, Ulbricht’s laptop was open and running, providing agents with incriminating evidence, including logs of Silk Road transactions, communications with administrators, and his personal journal. Ulbricht then faced a litany of charges, including:

*   **Conspiracy to traffic narcotics.**
*   **Conspiracy to commit computer hacking.**
*   **Conspiracy to commit money laundering.**
*   **Continuing a criminal enterprise** (a charge commonly used against organized crime figures).

While the charges focused on his role in enabling large-scale drug trafficking, federal authorities also accused him of attempting to arrange hits on individuals he perceived as threats to Silk Road. Although no murders were carried out, these allegations added significant weight to the prosecution’s case.

****The Sentencing****

In 2015, Ross Ulbricht was convicted on all charges and sentenced to **two life sentences plus 40 years** without the possibility of parole. The severity of the sentence shocked many observers, who argued that it was disproportionately harsh compared to other cases involving similar offenses. Civil liberties advocates and digital rights groups questioned whether the punishment was intended to set an example for others operating in the digital underground.

Seized Silk Road market (Screenshot: Hackread.com)

****The Pardon****

Trump’s decision to pardon Ross Ulbricht was announced on January 21, 2025. In a post on Truth Social, Trump described the prosecution and conviction of Ulbricht as a “scum,” criticizing the authorities involved in the case.

> _“I just called the mother of Ross William Ulbricht to let her know that in honor of her and the Libertarian Movement, which supported me so strongly, it was my pleasure to have just signed a full and unconditional pardon of her son, Ross. The scum that worked to convict him were some of the same lunatics who were involved in the modern day weaponization of government against me. He was given two life sentences, plus 40 years. Ridiculous!”_
> 
> Donald Trump

The Ulbricht pardon raises fundamental questions about justice in the digital age. How should courts balance technological innovation, personal freedom, and the responsibility for harm caused?

1.  **Obama Pardons** **Chelsea Manning**
2.  **CIA Whistleblower Guilty of Leaking Vault 7 Docs to WikiLeaks**
3.  **Dark Web Hydra Market Mastermind Sentenced to Life by Russia**
4.  **British judge says Julian Assange will not be extradited to the US**
5.  **23-Year-Old Arrested for Running 100M Incognito Dark Web Market**

Trump Pardons Silk Road Founder Ross Ulbricht, Calls Prosecutors ‘Scum’

Despite lagging in technology adoption, African and Middle Eastern organizations are catching up, driven by smartphone acceptance and national identity systems.

Source: Ground Picture via Shutterstock

National governments and companies in the Middle East and Africa continue to push for more widely available digital identity systems to allow citizens to connect and authenticate to digital government services and commercial services.

In Morocco, the government issued more than 4.6 million electronic identity cards in 2024 and expanded its digital infrastructure with a trusted third-party authentication platform in an effort to offer new services and cut cybercrime rates. More than 7.2 million people are now enrolled in the United Arab Emirates' official digital ID, known as UAE Pass, and can authenticate to websites. And the National Bank of Egypt has adopted a single sign-on infrastructure that will allow its employees to use a variety of authentication methods, and which will eventually be rolled out to its millions of customers.

The increasing use of multifactor authentication, especially efforts tied to smartphones or biometrics, have had success in the region because — in many cases — organizations have no technical debt to overcome, says Jim Sullivan, senior vice president of strategy and compliance at BIO-Key, which provided the technology for the National Bank of Egypt, as well as the largest bank in South Africa and the government of Nigeria.

"These are greenfield opportunities — it's tremendous," he says. "There's national initiatives that are well funded that are really bringing more biometrics to the fore, more awareness of the power of this technology."

Better authentication and the use of biometrics has taken off in the Middle East and Africa due to government concerns over cybercrime and fraud and international concerns over the lack of legal identities for more than 540 million people in the region. In Africa, cyber-risk is the No. 1 concern among businesses leaders, with 61% aiming to mitigate the threat in 2025, according to PwC's "2025 Digital Trust Insights: South Africa and Africa" report. In the Middle East, cyber-risk has fallen to the second greatest concern, behind digital and technology risks and tied with inflation and macroeconomic volatility, with 42% of organizations making mitigation of the cyber risks a priority, according to PwC's "2025 Digital Trust Insights: Middle East" report.

Despite that, only 19% of companies in Africa and 12% of companies in the Middle East are prioritizing investments in identity and access management (IAM) technologies, according to the PwC reports. Most companies are prioritizing the acquisition of data protection technologies, generative AI systems, and network security in the region, with the Middle East also prioritizing the addition of cyber insurance for the business.

**Biometrics Embraced by Mideast, African Markets**

A shift to biometrics, however, could change that. The significant reliance of smartphones for Internet access and digital transactions is leading many governments and organizations to adopt biometric-based identity systems and to use biometrics as a second factor of authentication for digital services.

Digital identity platforms, such as UAE Pass in the United Arab Emirates and Nafath in Saudi Arabia, integrate with existing fingerprint and facial-recognition systems and can reduce the reliance on passwords, says Chris Murphy, a managing director with the cybersecurity practice at FTI Consulting in Dubai.

"With mobile devices serving as the primary gateway to digital services, smartphone-based biometric authentication is the most widely used method in public and private sectors," he says. "Some countries, such as the UAE and Saudi Arabia, are early adopters of passwordless authentication, leveraging AI-based facial recognition and behavioral analytics for seamless and secure identity verification."

African nations have also rolled out national identity cards based on biometrics. In South Africa, for example, customers can walk into a bank and open an account by using their fingerprint and linking it to the national ID database, which acts as the root of trust, says BIO-Key's Sullivan.

"After they verify that that person is who they say they are with the Home Affairs Ministry, they can store that fingerprint \[in the system\]," he says. "From then on, anytime they want to authenticate that user, they just touch a finger. They've just now started rolling out the ability to do that without even presenting your card for subsequent business."

**An Easy Upgrade Path**

While the links to national identity systems means biometrics make sense, companies do not need to jump feet first into biometric-based authentication, BIO-Key's Sullivan says. In many cases, enterprise customers start with a single sign-on system that then transitions to biometrics for identity or as a second factor.

"The use case is typically one where you have users that are moving around, and you don't want them to carry a phone or a token — finance, retail point-of-sale, banking, and manufacturing, where you have workforces that are roving around a manufacturing shop floor," he says. "We have to accommodate the fact that a lot of companies still use traditional technologies and don't want to just make a big-bang switch, so we we allow them to sort of start with what they're doing now ... \[and\] as they start to see the power of having a biometric option, they can evolve to that."

The push for stronger authentication is not limited to the Middle East and Africa. Worldwide, Microsoft sees 600 million identity attacks per day, of which 99.9% could be blocked with strong identity protections, such as multifactor authentication. Yet adoption has been slow: At the beginning of 2023, for example, Microsoft found that only 28% of the company's Azure Active Directory customers had turned on strong identity protections, up from 22% in 2022. Starting in February, the company will require MFA for all user accounts accessing the Microsoft 365 admin center, according to the company.

Saudi Arabia has established strong identity standards through its National Cybersecurity Authority's Essential Cybersecurity Controls (ECC-1:2018), while the UAE has implemented similar requirements through the Information Assurance Regulation (IAR), FTI Consulting's Murphy says.

Next up: AI-augmented identity platforms, he says. AI-driven authentication solutions, including liveness detection and real-time facial recognition, will likely be part of the mix.

"As digital identity ecosystems expand," Murphy says, "AI-based authentication and real-time identity verification will become critical components of cybersecurity, ensuring both security and usability across industries."

**About the Author**

Veteran technology journalist of more than 20 years. Former research engineer. Written for more than two dozen publications, including CNET News.com, Dark Reading, MIT's Technology Review, Popular Science, and Wired News. Five awards for journalism, including Best Deadline Journalism (Online) in 2003 for coverage of the Blaster worm. Crunches numbers on various trends using Python and R. Recent reports include analyses of the shortage in cybersecurity workers and annual vulnerability trends.

Mandatory MFA, Biometrics Make Headway in Middle East, Africa

Torrance, United States / California, 22nd January 2025, CyberNewsWire

**Torrance, United States / California, January 22nd, 2025, CyberNewsWire**

AI SPERA, a leading Cyber Threat Intelligence (CTI) provider, has collaborated with OnTheHub, a global provider of software in education, to deliver its integrated cybersecurity solution, Criminal IP, to students and educational institutions. This strategic initiative aims to enhance cybersecurity awareness and protection in the education sector by offering internationally compliant solutions at affordable prices.

Criminal IP will now extend its reach to educational institutions worldwide, reinforcing its growing presence in the global security market. Since its launch, Criminal IP has gained users in over 150 countries and formed strategic alliances with more than 40 global cybersecurity companies, including Cisco, Snowflake, Tenable, and VirusTotal.

(Criminal IP Lite Plan on OnTheHub)

OnTheHub is a worldwide operating platform that provides software and learning materials at discounted rates to educational organizations and their members. Through this collaboration, Criminal IP and OnTheHub seek to strengthen the cybersecurity frameworks of educational organizations on the platform, aligning with the ongoing digital transformation (DT) in education, particularly regarding Learning Management Systems (LMS). Students and researchers can access Criminal IP by redeeming coupons purchased through OnTheHub on the Criminal IP website, enabling them to utilize a globally recognized CTI platform at an affordable cost.

Criminal IP offers real-time risk analysis and vulnerability insights for global IP addresses and domains. Utilizing AI and machine learning technologies, the solution scans for security threats across various ports and devices, quickly identifying malicious IPs and domains while categorizing threat levels into five distinct tiers. Additionally, organizations can leverage Criminal IP ASM to oversee and manage IT assets, and Criminal IP FDS to detect unauthorized network access attempts during login or payment processes, all provided through a user-friendly SaaS model.

In terms of compatibility, Criminal IP offers an intuitive user interface (UI) and an integrated API, facilitating seamless integration with a variety of software and security solutions. This enables users to comprehensively evaluate security risks, including threat scores for IT assets, exposure of IoT devices, and phishing domain identification. Consequently, students and researchers associated with OnTheHub’s partner institutions will gain access to high-quality threat intelligence data and a robust platform for academic activities such as threat hunting, development, and research.

> AI SPERA CEO Byung-tak Kang commented, “Through this partnership, we are excited to provide more students and educational institutions with a globally recognized security solution at a reasonable price. We hope that Criminal IP will help students and researchers prevent security threats in educational environments and ensure a safe digital space for learning.”

**About AI SPERA**

AI SPERA, renowned for its advanced solutions, has expanded internationally, with ‘Criminal IP’ as its flagship offering. Operating in more than 150 countries, ‘Criminal IP’ is backed by enterprise-grade security solutions like ‘Criminal IP ASM’ and ‘Criminal IP FDS’. Strategic partnerships with global leaders such as Cisco, VirusTotal, and Quad9 have significantly enhanced ‘Criminal IP’s capabilities. AI SPERA’s ‘Criminal IP’ has recently entered the marketplace of major US data warehousing platforms, including Amazon Web Services (AWS), Microsoft Azure, and Snowflake, expanding its global reach for threat data.

**Contact**

**Michael Sena**  
**\[email protected\]**

Criminal IP and OnTheHub Partner to Deliver Advanced Cybersecurity Solutions for Education

SSRF vulnerability in Edit Service Page of Apache Ranger UI in Apache Ranger Version 2.4.0.
Users are recommended to upgrade to version Apache Ranger 2.5.0, which fixes this issue.

Attack vector: More severe the more the remote (logically and physically) an attacker can be in order to exploit the vulnerability.

Attack complexity: More severe for the least complex attacks.

Privileges required: More severe if no privileges are required.

User interaction: More severe when no user interaction is required.

Scope: More severe when a scope change occurs, e.g. one vulnerable component impacts resources in components beyond its security scope.

Confidentiality: More severe when loss of data confidentiality is highest, measuring the level of data access available to an unauthorized user.

Integrity: More severe when loss of data integrity is the highest, measuring the consequence of data modification possible by an unauthorized user.

Availability: More severe when the loss of impacted component availability is highest.

GHSA-g9gf-g5jq-9h3v: Apache Ranger UI vulnerable to Server Side Request Forgery

BreachForums admin Conor Fitzpatrick (Pompompurin) faces resentencing after his lenient 17-day sentence was vacated, highlighting the serious consequences…

BreachForums admin Conor Fitzpatrick (Pompompurin) faces resentencing after his lenient 17-day sentence was vacated, highlighting the serious consequences of his cybercrime.

Conor Brian Fitzpatrick, the 21-year-old founder of **BreachForums**, a notorious marketplace for stolen personal data, is set to be resentenced following a federal appeals court decision to vacate his previous punishment. The ruling comes after concerns that the original 17-day sentence failed to adequately reflect the seriousness of his crimes or serve as a deterrent.

****BreachForums: A Haven for Stolen Data****

Fitzpatrick, operating under the alias “Pompompurin,” launched BreachForums in March 2022 after the **FBI shut down RaidForums,** a similar platform. BreachForums quickly grew to become the largest English-language data-breach marketplace. Over its one-year operation, the forum hosted over 14 billion individual records, including sensitive information such as databases, Social Security numbers (SSNs), birth dates, and banking details.

The platform also served as a hub for hackers to buy and sell stolen data, often facilitated by Fitzpatrick himself. Federal investigators revealed that Fitzpatrick earned approximately $698,000 during this period, causing significant financial and reputational harm to victims. Undercover FBI agents infiltrated the site in July 2022 and purchased records of 15 million Americans for $5,000, setting the stage for his eventual **arrest in March 2023** at his home in Peekskill, New York.

Conor Fitzpatrick’s profile on BreachForums

****The Arrest and Initial Sentencing****

Following his arrest, Fitzpatrick faced multiple federal charges, including:

*   **Conspiracy to traffic stolen personally identifiable information in violation of 18 U.S.C. § 1029.**

*   **Fraudulent solicitation of personally identifiable information.**

*   **Possession of child sexual abuse material (CASM), involving over 600 explicit images and videos of minors.**

Fitzpatrick **pleaded guilty to all charges** and was released on bond, subject to strict conditions. However, he repeatedly violated these conditions by using unauthorized devices, accessing the internet through a virtual private network (VPN), and participating in chatrooms where he joked about selling government secrets.

At sentencing, the district court recognized Fitzpatrick’s crimes but expressed concern over his autism spectrum disorder and young age. The court sentenced him to 17 days of time served and **20 years of supervised release**. It justified the lenient sentence by citing the Bureau of Prisons’ alleged inability to provide adequate treatment for Fitzpatrick’s condition and the likelihood of his victimization in prison.

****The Government’s Appeal and Appellate Ruling****

The U.S. government appealed the sentence, arguing it was excessively lenient and failed to meet federal sentencing guidelines, recommending 188 to 235 months in prison. Prosecutors highlighted the gravity of Fitzpatrick’s offenses, the need to deter cybercrime, and the failure of supervised release to address his pattern of violations.

> _“A 17-day sentence for the commission of three serious felonies signals to would-be criminals that they might get one free pass before facing any serious penalties.”_
> 
> **Joseph Attias**, the Assistant U.S. Attorney

On January 21, 2025, the Fourth Circuit Court of Appeals vacated the sentence, deeming it substantively unreasonable. The court criticized the district court’s heavy reliance on Fitzpatrick’s characteristics while overlooking the seriousness of his crimes, the need for deterrence, and public protection. The appellate court remanded the case for resentencing, indicating that a harsher punishment was warranted.

****What Comes Next?****

As the case returns to the district court, Fitzpatrick faces the possibility of a significantly longer prison term. The appellate ruling suggests that mitigating factors such as autism and youth cannot overshadow the severity of his crimes or the risks posed to public safety. Legal experts predict a sentence more aligned with federal guidelines, likely spanning several years in prison.

The resentencing of Conor Fitzpatrick will not only determine his future but may also set a precedent for how courts balance individual circumstances with the need to address grave cybercrimes. Nevertheless, the case shows the importance of enforcing strict legal penalties to protect online systems from misuse and exploitation.

Stay tuned as this story develops.

1.  **GTA 6 Hacker from Lapsus$ Gang Sentenced to Hospital**
2.  **Mastermind of 2020’s top celebrity Twitter hack Jailed to 3 years**
3.  **Dispute moderator for Alphabay market jailed to 11 years in prison**
4.  **US Man Sentenced to 21 Years for Dark Web Distribution of CSAM**
5.  **iSpoof Fraud Website’s Mastermind Sentenced to 13 Years in the UK**

BreachForums Admin Conor Fitzpatrick (Pompompurin) to Be Resentenced

In a letter sent today, the acting DHS secretary terminated membership to all advisory boards, including the Cyber Safety Review Board (CSRB) tasked with investigating state-sponsored cyber threats against the US.

Source: Sipa USA via Alamy Stock Photos

Editor's note: This story was updated on 1-22-25 to reflect that Chris Krebs resigned from the CSRB on Jan. 18, prior to President Trump taking office.

NEWS BRIEF

In its first full day, the Trump administration axed all advisory committee members within the Department of Homeland Security, including the people that make up the Cybersecurity and Infrastructure Security Agency's (CISA) Cyber Safety Review Board (CSRB). The CSRB was actively working on investigating Salt Typhoon, the Chinese state-sponsored hacking group responsible for breaches of at least nine telecommunications networks in the past several months.

In a letter dated Jan. 20, acting secretary of the Department of Homeland Security Benjamine C. Huffman said the move was meant to avoid a "misuse of resources," and terminated all current memberships on advisory committees immediately.

Members of the CSRB include a who's who of cybersecurity, from companies such as Sentinel One, represented by former CISA head Chris Krebs, who was fired in 2020 as head of CISA in the waning days of the previous Trump administration. Prior to the letter, on Jan 18., Krebs preemptively resigned from the board ahead of Trump taking office. The CSRB also included several former Biden administration officials. It was created as part of Biden's 2021 cybersecurity executive order to "review and assess ... significant cyber incidents" impacting the federal executive branch of the US government.

While the letter did not enumerate which committees might be reconstituted with new participants, it did add that, in general, dismissed DHS committee members are welcome to reapply to DHS in the future, according to a copy of the letter shared by Eric Geller on X.

"Future committee activities will be focused solely on advancing our critical mission to protect the homeland and support DHS's strategic priorities," the letter read before thanking the outgoing members for their service.

**About the Author**

Dark Reading

Becky Bracken is a veteran multimedia journalist covering cybersecurity for Dark Reading.

Trump Fires Cyber Safety Board Investigating Salt Typhoon Hackers

Sophos noted more than 15 attacks have been reported during the past three months.

Source: True Images via Alamy Stock Photo

NEWS BRIEF

Sophos X-Ops' Managed Detection and Response (MDR) is warning of ransomware attacks using email bombing as well as imitating tech support, otherwise known as vishing, through Microsoft Office 365.

These attacks are tied to two separate threat groups, which Microsoft began investigating in response to customer incidents in November and December 2024. The threat groups are tracked as STAC5143 and STAC5777.

STAC5777 overlaps with a group previously identified by Microsoft as Storm-1811, while STAC5143 is using tactics from an old Storm-1811 playbook.

According to Sophos MDR, there have been more than 15 incidents involving these tactics in the past three months, half of them occurring just in the last two weeks.

These tactics include using Microsoft remote control tools like Quick Assist or Teams screen sharing. From there attackers take control of a victim's device and install malware, sending Teams messages or making Teams calls from a threat actor-controlled Office 365 impersonating tech support. They also send large volumes of spam emails to overwhelm Outlook mailboxes, a strategy known as email bombing.

"We believe with high confidence that both sets of adversarial activity are parts of ransomware and data theft extortion efforts," said the Sophos researchers in their report. 

The ransomware deployed by these two groups include Black Basta and Python ransomware; the researchers note that STAC5777 in particular is highly active.

Though Sophos has deployed detections for the malware included in these campaigns, it recommends organizations take further steps to prevent attacks, such as ensuring their Microsoft 365 services restrict Teams calls from outside organizations, as well as raise employee awareness of these tactics, which are not normally covered in anti-phishing trainings.

Sophos provided a list of indicators of compromise for these campaigns available for viewing on its GitHub repository.

**About the Author**

Skilled writer and editor covering cybersecurity for Dark Reading.

Email Bombing, 'Vishing' Tactics Abound in Microsoft 365 Attacks

### Impact

Authenticated users are able to exploit an XSS vulnerability when viewing previewed content.

### Patches

Will be patched in 10.8.8, 13.5.3, 14.3.2 and 15.1.2.

### Workarounds

None available.


1.  GitHub Advisory Database
2.  GitHub Reviewed
3.  GHSA-69cg-w8vm-h229

**XSS/HTML Injection Vulnerability in Umbraco Preview Badge**

Moderate severity GitHub Reviewed Published Jan 21, 2025 in umbraco/Umbraco-CMS • Updated Jan 21, 2025

**Package**

nuget Umbraco.Cms (NuGet)

**Affected versions**

\>= 10.8.7, < 10.8.8

\>= 11.0.0, < 13.5.3

\>= 14.0.0, < 14.3.2

\>= 15.0.0, < 15.1.2

**Patched versions**

10.8.8

13.5.3

14.3.2

15.1.2

**Impact**

Authenticated users are able to exploit an XSS vulnerability when viewing previewed content.

**Patches**

Will be patched in 10.8.8, 13.5.3, 14.3.2 and 15.1.2.

**Workarounds**

None available.

**References**

*   GHSA-69cg-w8vm-h229

Published to the GitHub Advisory Database

Jan 21, 2025

Last updated

Jan 21, 2025

GHSA-69cg-w8vm-h229: XSS/HTML Injection Vulnerability in Umbraco Preview Badge

### Impact

Based on an analysis of response codes and timing of Umbraco 14+ management API responses, it's possible to determine whether an account exists.

### Patches

Will be patched in 14.3.2 and 15.1.2.

### Workarounds

None available.



Tag

#auth