This is a program that I've been championing within @nivenly over the past year, after we noticed that security vulnerabilities weren't being disclosed responsibly, and not enough research was going into the security of Fediverse software.

You might remember my Pixelfed vulnerability from last year, where OAuth scopes weren't checked allowing for privilege escalation via the API (CVE-2024-25108), that was our very first test-case of this program.

I'm incredibly proud to be involved in launching the Fediverse Security Fund from Nivenly Foundation (a 501(c)4 not-for-profit cooperative)

#fediverse #security #nivenly #FediverseSecurityFund

RE: https://hachyderm.io/@nivenly/114268491892140498

Aqua published a blog post on the TTPs ( including IOCs and samples ) used by an apparently CN-adjacent TA attacking Tomcat servers. The post doesn't specifically say that the vulnerability exploited is CVE-2025-24813 but in their mitigations section they say:

"Ensure that all vulnerabilities are patched. Particularly internet facing applications such as Tomcat servers. Vulnerabilities such as CVE-2025-24813 that are new, critical and actively exploited should be prioritized."

https://www.aquasec.com/blog/new-campaign-against-apache-tomcat/

Apache Tomcat #vulnerability CVE-2025-24813 was recently disclosed and is being actively exploited just 30 hours after a public PoC was released https://securityaffairs.com/176129/security/u-s-cisa-adds-apache-tomcat-flaw-known-exploited-vulnerabilities-catalog.html

It seems like it's been a while since I've seen a SquirrelMail vuln.

sev:HIGH 7.2 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N

https://squirrelmail.org/security/issue.php?d=2025-04-02

mime.php in SquirrelMail through 1.4.23-svn-20250401 and 1.5.x through 1.5.2-svn-20250401 allows XSS via e-mail headers, because JavaScript payloads are mishandled after $encoded has been set to true.

https://nvd.nist.gov/vuln/detail/CVE-2025-30090

Get started with the CrowdSec WAF: https://doc.crowdsec.net/docs/next/appsec/intro

Virtual Patching WAF collection: https://app.crowdsec.net/hub/author/crowdsecurity/collections/appsec-virtual-patching [3/3]

#CrowdSec #CTI #CyberThreatIntelligence #CVE202427292 #Docassemble #ExploitAlert #PathTraversal #OpenSourceSecurity #Infosec #BlueTeam #ThreatIntel

🚨 CVE-2024-27292 exploitation campaign detected!

:blobthinking: What is the CVE-2024-27292 vulnerability?

CVE-2024-27292 is a path traversal vulnerability in Docassemble. It allows unauthenticated attackers to access arbitrary files, such as /etc/passwd via specially crafted URL parameters. The root cause is improper sanitization of user-supplied inputs, making it possible for attackers to probe system-level files.

Over the past few days, CrowdSec telemetry has identified a significant and accelerating wave of exploit attempts targeting the URI pattern: /interview?i=/etc/passwd.

Docassembe is a free, open source expert system for guided interviews and document assembly, based on Python, YAML, and Markdown.

This pattern aligns with an exploit attempt for CVE-2024-27292, a vulnerability disclosed in late 2024 affecting Docassemble (v1.4.53 to v1.4.96). [1/3]

🛡️ Protect yourself

Already using the CrowdSec WAF? Then you have nothing to worry about, CVE-2024-27292 is already part of the default virtual patching collection.

If not, it’s never too late to start. Follow the link in the comments below 👇 and start protecting your systems from CVE-2024-27292 and other vulnerabilities. [2/3]

I don't know the Tauri shell but shell plugins seem like a nice attack surface if you know your target is running them.

https://github.com/tauri-apps/plugins-workspace/security/advisories/GHSA-c9pr-q8gx-3mgp

sev:CRIT 9.3 - CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

The Tauri shell plugin allows access to the system shell. Prior to 2.2.1, the Tauri shell plugin exposes functionality to execute code and open programs on the system. The open endpoint of this plugin is designed to allow open functionality with the system opener (e.g. xdg-open on Linux). This was meant to be restricted to a reasonable number of protocols like https or mailto by default. This default restriction was not functional due to improper validation of the allowed protocols, allowing for potentially dangerous protocols like file://, smb://, or nfs:// and others to be opened by the system registered protocol handler. By passing untrusted user input to the open endpoint these potentially dangerous protocols can be abused to gain remote code execution on the system. This either requires direct exposure of the endpoint to application users or code execution in the frontend of a Tauri application. This vulnerability is fixed in 2.2.1.

https://nvd.nist.gov/vuln/detail/CVE-2025-31477

OpenVPN Server DoS could be a bummer if your configuration leaves you impacted.

https://community.openvpn.net/openvpn/wiki/CVE-2025-2704

OpenVPN version 2.6.1 through 2.6.13 in server mode using TLS-crypt-v2 allows remote attackers to trigger a denial of service by corrupting and replaying network packets in the early handshake phase

https://nvd.nist.gov/vuln/detail/CVE-2025-2704

"Django security releases issued: 5.1.8 and 5.0.14"

https://www.djangoproject.com/weblog/2025/apr/02/security-releases/

"CVE-2025-27556: Potential denial-of-service vulnerability in LoginView, LogoutView, and set_language() on Windows"

#security #django #python

This seems like a pretty small scope but people seem to like leaked tokens so here you go.

https://github.com/canonical/get-workflow-version-action/security/advisories/GHSA-26wh-cc3r-w6pj

sev:HIGH 8.2 - CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:N/I:H/A:H

canonical/get-workflow-version-action is a GitHub composite action to get commit SHA that GitHub Actions reusable workflow was called with. Prior to 1.0.1, if the get-workflow-version-action step fails, the exception output may include the GITHUB_TOKEN. If the full token is included in the exception output, GitHub will automatically redact the secret from the GitHub Actions logs. However, the token may be truncated—causing part of the GITHUB_TOKEN to be displayed in plaintext in the GitHub Actions logs. Anyone with read access to the GitHub repository can view GitHub Actions logs. For public repositories, anyone can view the GitHub Actions logs. The opportunity to exploit this vulnerability is limited—the GITHUB_TOKEN is automatically revoked when the job completes. However, there is an opportunity for an attack in the time between the GITHUB_TOKEN being displayed in the logs and the completion of the job. Users using the github-token input are impacted. This vulnerability is fixed in 1.0.1.

https://nvd.nist.gov/vuln/detail/CVE-2025-31479

UPDATE: Attackers are now exploiting CrushFTP vulnerability CVE-2025-2825

https://www.bleepingcomputer.com/news/security/critical-auth-bypass-bug-in-crushftp-now-exploited-in-attacks/

Outpost24 Puts Up A Blog Post On The CrushFTP Authentication Bypass Vulnerability… And The Events That Led To Mass Attacks

Outpost24 analysts recently discovered a critical authentication bypass vulnerability in CrushFTP, identified as CVE-2025-31161. Today, the team posted a blog detailing the process of their reporting, including how other parties circulating this news under a different CVE caused media confusion. The vulnerability is now being exploited by remote…

https://itnerd.blog/2025/04/02/outpost24-puts-up-a-blog-post-on-the-crushftp-authentication-bypass-vulnerability-and-the-events-that-led-to-mass-attacks/