Checkmarx Zero
@checkmarxzero.bsky.social
30 followers 1 following 170 posts
Specializing in breaking and protecting the building blocks of modern software development. From traditional #AppSec, through #opensource #SupplyChain threats, to #LLM security. https://checkmarx.com/zero/
🚨 High-severity vulnerability in #Strapi (CVE-2024-56143) allows attackers to access private fields – including admin passwords and reset tokens. This can lead to full instance compromise if your API is exposed. If you're using 5.x versions, update to 5.5.2 or later.
Authorization Bypass Through User-Controlled Key - CVE-2024-56143 - DevHub
Strapi is an open-source headless content management system. In versions from 5.0.0 to before 5.5.2, the lookup operator provided by the document service does not properly sanitize query parameters…
There's no patch yet; rip it out of anything where untrusted users can choose branch names. #CICD #SupplyChainSecurity #ApplicationSecurity
Even if you aren't impacted by these vulnerabilities, they're excellent case studies for #AppSec teams on the challenges of avoiding even common weaknesses (like SQLi) and ensuring that designs are reviewed alongside implementations.
In this week's #LastWeekInAppSec (07. Oct 2025): Django allowing SQLi when backed by MySQL or MariaDB; FreshRSS letting anyone self-register as an admin. buff.ly/6aRh6uN

#InfoSec #CyberSecurity #WebSecurity #DevSecOps #VulnerabilityManagement #SQLi #Django #FreshRSS #PatchManagement #CVE
Recommended actions:
- Do NOT install or run `@lanyer640/mcp-runcommand-server`
- Block traffic to or from 45[.]115.38.27 on your network
- Search your package inventory in your #SCA tool
- Search your system logs and CIs for installs of the package or connections to the IP above

🧵 2/2
🚨 ALERT: Malicious #NPM package 🚨 `@lanyer640/mcp-runcommand-server` disguises itself as a legitimate MCP server but spawns a hidden interactive shell to IP 45[.]115.38.27 when executed.

We also reported this package to NPM.

#Malware #OpenSource #DevOps #DevSecOps #ApplicationSecurity #AppSec 🧵1/2
🔒 Three new #OpenSSL CVEs today:
• CVE-2025-9230 OOB read/write (CMS decrypt)
• CVE-2025-9231 SM2 side-channel (ARM64)
• CVE-2025-9232 OOB read (HTTP client)

Fixes in 3.5.4, 3.4.3, 3.3.5, 3.2.6, 3.0.18. Update now.

Details: www.openssl.org/news/secadv/...

#AppSec #SupplyChainSecurity #OpenSource
Need more detail? Get the 3-minute read with links and mitigations: buff.ly/dR3PQZJ
#AppSec #DevSecOps #Kubernetes #GoLang #SAML 🧵5/5
Actions: upgrade Rancher to 2.12.2 / 2.11.6 / 2.10.10 / 2.9.12. Enforce allowlists for SAML params, shorten token TTLs, and train admins to verify login URLs. Review audit logs for suspicious re-auth flows. #SecurityEngineering #BlueTeam #IncidentResponse 🧵4/5
Rancher (Manager + CLI): phishing + a malicious URL with attacker-controlled requestId/publicKey can force SAML re-auth and leak tokens. CVE-2024-58267. #Kubernetes #Rancher #SAML #Identity 🧵3/5
go-mail: a casting mistake let crafted recipient addresses smuggle SMTP commands to the server. Severity CVSSv4 8.2. Fix: upgrade to v0.7.1 and sanitize untrusted addresses; watch logs for odd RCPT TO:/DATA sequences. #GoLang #EmailSecurity #SupplyChainSecurity 🧵2/5
Got 3 minutes? Catch up on the #AppSec news you might have missed #LastWeekInAppSec: buff.ly/dR3PQZJ

This week: go-mail #opensource library has SMTP injection; Rancher subject to SAML flow abuse in Manager & CLI. Read for full details including remediation and mitigation advice. #DevSecOps 🧵1/5
Last Week in AppSec for 30. September 2025 - Checkmarx
go-mail SMTP injection and Rancher SAML phishing vector with escalation of privilege: Last Week In AppSec
We've seen attackers promote unpublished and malicious extensions as "early access" before, with some success. 🧵5/5
Most of these were in an "unpublished" state, meaning they would not have appeared in Marketplace searches, and this hopefully has limited the likelihood of compromise. However, unpublished extensions can still be installed (though it requires extra steps). 🧵4/5
Since removal from the Marketplace does not uninstall the packages locally, check to see if any of these were installed on developer workstations. If found, be aware that sensitive data including ChatGPT access keys may have been exfiltrated, and respond accordingly. 🧵3/5
VSAnalysistest.mycodegpt-assistant
VSAnalysistest.clipboard-helper-vscode
VSAnalysistest.discord-helper-test
VSAnalysistest.global-state-test
dontdownloadthis.dontdownloadthis
automated1ogic.automated1ogic
automatedlogic.automatedlogic
webctrl[.]live

^ #VSCode packages identified as malicious 🧵2/5
📢 Malicious Visual Studio Code (#VSCode & #VSCodium) packages identified. Checkmarx Zero identified the packages below and reported them to Microsoft before they were widely distributed. Microsoft responded promptly and has removed them from the Visual Studio Marketplace. 🧵1/5
Track your PDF toolchains, check your dependencies, and update Ghostscript as patches land (especially in containers). This is a reminder to treat indirect dependencies with the same care as the ones you code directly.
#CVE202559798 #Ghostscript #PDF #AppSec #SupplyChainSecurity 🧵3/3
Because Ghostscript is embedded so widely, a flaw here can ripple across countless apps and services. A “medium” score can become high-impact when the dependency is so widely adopted; price of success, in a way. 🧵2/3
Ghostscript has a stack-based buffer overflow in versions 9.* and 10.*. It’s rated only Medium, but Ghostscript underpins many PDF apps and libraries. Think of it like the “ImageMagick of PDFs.”
buff.ly/GJ7Mpfj 🧵1/3
Stack-based Buffer Overflow - CVE-2025-59798 - DevHub
Artifex Ghostscript through 10.05.1 has a stack-based buffer overflow in pdf_write_cmap in devices/vector/gdevpdtw.c.