#auth

### Summary  A command echoing feature in the framework allows users to indirectly trigger privileged behavior by injecting special platform tags. Specifically, an unauthorized user can use the `/echo <qqbot-at-everyone />` command to cause the bot to send a message that mentions all members in the chat, bypassing any permission controls. This can lead to spam, disruption, or abuse of notification systems.  ### Details  The framework provides a command `/echo` that causes the bot to repeat any user-provided message verbatim in the group chat. However, the bot fails to sanitize or filter platform-specific control elements such as `<qqbot-at-everyone />`, which, when included in a message, mentions everyone (i.e., @全体成员). While normal users are forbidden from using this tag in normal chats, the bot, which has higher privileges, is allowed to do so.  Since the `/echo` command blindly echoes any content, a user can exploit this by sending:  ``` /echo <qqbot-at-everyone /> ```  The bo...

### LibreNMS v25.4.0 suffers from Stored Cross-Site Scripting (XSS) Vulnerability in the 'group name' parameter of the 'http://localhost/poller/groups' form. This vulnerability allows attackers to inject malicious scripts into web pages viewed by other users. ## ---------------------------------POC----------------------------- Before Setting: Enable 'distributed_poller' in http://localhost/settings/poller/distributed 1. Attacker creates a new poller group and injects the payload in the 'group name' parameter ``` payload: <script>alert('XSS')</script> ``` 2. Victim navigates to the 'http://localhost/addhost' to add a new host 3. The payload is executed code sink: https://github.com/librenms/librenms/blob/25.4.0/includes/html/pages/addhost.inc.php#L284

The ABB Cylon FLXeon BACnet controller suffers from a configuration poisoning vulnerability in the put() function of bbmdList.js, where the writeFile() function is invoked to persist user-controlled data (req.body.bipList and req.body.natList) directly into sensitive configuration files (/etc/bdt.txt and /etc/bdt2.txt). This write operation lacks input validation and integrity checks allowing an attacker to supply crafted JSON payloads to inject or overwrite trusted BACnet BBMD entries. As these files are critical for network configuration, exploitation may result in unauthorized network redirection, denial of service, or insertion of rogue nodes into the system, thereby undermining the integrity and security of OT network communications.

The ABB Cylon FLXeon BACnet controller is vulnerable to a path traversal flaw in its capture.js endpoint due to unsanitized user input being directly concatenated into a filesystem path. An attacker can exploit this by supplying crafted file names to access arbitrary files outside the intended var/ directory. Additionally, the use of Fs.unlinkSync() after serving the file introduces a destructive impact, allowing attackers to delete system or application files.

The official site for RVTools has been hacked to serve a compromised installer for the popular VMware environment reporting utility. "Robware.net and RVTools.com are currently offline. We are working expeditiously to restore service and appreciate your patience," the company said in a statement posted on its website. "Robware.net and RVTools.com are the only authorized and supported websites for

The ABB Cylon FLXeon BACnet controller is vulnerable to authenticated file traversal via the /api/siteGuide endpoint. An attacker with valid credentials can manipulate the filename parameter to move and access or overwrite arbitrary files. The issue arises due to improper input validation in siteGuide.js, where user-supplied data is not properly sanitized, allowing directory traversal attacks.

The ABB Cylon FLXeon BACnet controller is vulnerable to authenticated remote root code execution via the /api/siteGuide endpoint. An attacker with valid credentials can inject arbitrary system commands by manipulating the filename and/or originalname parameters. The issue arises due to improper input validation in siteGuide.js, where user-supplied data is executed via ChildProcess.exec() without adequate sanitization.

A vulnerability in the `preprocess_string()` function of the `transformers.testing_utils` module in huggingface/transformers version v4.48.3 allows for a Regular Expression Denial of Service (ReDoS) attack. The regular expression used to process code blocks in docstrings contains nested quantifiers, leading to exponential backtracking when processing input with a large number of newline characters. An attacker can exploit this by providing a specially crafted payload, causing high CPU usage and potential application downtime, effectively resulting in a Denial of Service (DoS) scenario.

Non-human identities—also known as machine or workload identities—are becoming increasingly critical as organizations adopt cloud-native ecosystems and advanced AI workflows. For workloads spanning multiple cloud platforms, adhering to zero trust principles becomes challenging as they cross identity domains. A unified identity framework provides consistency in automating identity issuance and enforcing access control policies across diverse environments. SPIFFE/SPIRE, an open source identity issuance framework, enables organizations to implement centralized, scalable identity management on

In hybrid and multicloud environments, proper management of sensitive data-like secrets, credentials and certificates is critical to maintaining a robust security posture across Kubernetes clusters. While Kubernetes provides a Kube-native way to manage secrets, it’s generally understood that Kubernetes secrets are not particularly secret: they are base64 encoded and are accessible to cluster administrators. Additionally, anyone with privileges to create a pod in a specific namespace can access the secrets for that namespace. While at-rest protection can be provided by encrypting sensitive da