#auth

An unauthenticated attacker can embed a hidden access to a Biller Direct URL in a frame which, when loaded by the user, will submit a cross-site scripting request to the Biller Direct system. This can result in the disclosure or modification of non-sensitive information.

## Overview: A moderate security vulnerability has been identified in Uptime Kuma platform that poses a significant threat to the confidentiality and integrity of user accounts. When a user changes their login password in Uptime Kuma, a previously logged-in user retains access without being logged out. This behaviour persists consistently, even after system restarts or browser restarts. This vulnerability allows unauthorized access to user accounts, compromising the security of sensitive information. The same vulnerability was partially fixed in https://github.com/louislam/uptime-kuma/security/advisories/GHSA-g9v2-wqcj-j99g but logging existing users out of their accounts was forgotten. ## Impact: The impact of this vulnerability is moderate, as it enables attackers or unauthorized individuals to maintain access to user accounts even after the account password has been changed. This can lead to unauthorized data access, manipulation, or compromise of user accounts, posing a threa...

### Impact When lakeFS is configured with **ALL** of the following: - Configuration option `auth.encrypt.secret_key` passed through environment variable - Actions enabled via configuration option `actions.enabled` (default enabled) then a user who can configure an action can impersonate any other user. ### Patches _Has the problem been patched? What versions should users upgrade to?_ ### Workarounds **ANY ONE** of these is sufficient to prevent the issue: * Do not pass `auth.encrypt.secret_key` through an environment variable. For instance, Kubernetes users can generate the entire configuration as a secret and mount that. This is described [here](https://kubernetes.io/docs/concepts/configuration/secret/#using-a-secret). * Disable actions. * Limit users allowed to configure actions.

Incorrect user role checking in multiple REST API endpoints in ProLion CryptoSpike 3.0.15P2 allows a remote attacker with low privileges to execute privileged functions and achieve privilege escalation via REST API endpoint invocation.

Uptime Kuma is an easy-to-use self-hosted monitoring tool. Prior to version 1.23.9, when a user changes their login password in Uptime Kuma, a previously logged-in user retains access without being logged out. This behavior persists consistently, even after system restarts or browser restarts. This vulnerability allows unauthorized access to user accounts, compromising the security of sensitive information. The same vulnerability was partially fixed in CVE-2023-44400, but logging existing users out of their accounts was forgotten. To mitigate the risks associated with this vulnerability, the maintainers made the server emit a `refresh` event (clients handle this by reloading) and then disconnecting all clients except the one initiating the password change. It is recommended to update Uptime Kuma to version 1.23.9.

An issue was discovered in BeyondTrust Privilege Management for Mac before 5.7. An authenticated, unprivileged user can elevate privileges by running a malicious script (that executes as root from a temporary directory) during install time. (This applies to macOS before 10.15.5, or Security Update 2020-003 on Mojave and High Sierra, Later versions of macOS are not vulnerable.)

Uptime Kuma is an easy-to-use self-hosted monitoring tool. Prior to version 1.23.9, the application uses WebSocket (with Socket.io), but it does not verify that the source of communication is valid. This allows third-party website to access the application on behalf of their client. When connecting to the server using Socket.IO, the server does not validate the `Origin` header leading to other site being able to open connections to the server and communicate with it. Other websites still need to authenticate to access most features, however this can be used to circumvent firewall protections made in place by people deploying the application. Without origin validation, Javascript executed from another origin would be allowed to connect to the application without any user interaction. Without login credentials, such a connection is unable to access protected endpoints containing sensitive data of the application. However, such a connection may allow attacker to further exploit unseen vu...

An issue was discovered in BeyondTrust Privilege Management for Windows through 5.6. An attacker can spawn a process with multiple users as part of the security token (prior to Avecto elevation). When Avecto elevates the process, it removes the user who is launching the process, but not the second user. Therefore this second user still retains access and can give permission to the process back to the first user.

Competing bills moving through the House of Representatives both reauthorize Section 702 surveillance—but they pave very different paths forward for Americans’ privacy and civil liberties.

The EazyDocs WordPress plugin before 2.3.4 does not properly sanitize and escape "data" parameter before using it in an SQL statement via an AJAX action, which could allow any authenticated users, such as subscribers, to perform SQL Injection attacks.