🔐 Symfony UX CVE-2025-47946: Unsanitized HTML attribute injection via ComponentAttributes
➡️ https://symfony.com/blog/symfony-ux-cve-2025-47946-unsanitized-html-attribute-injection-via-componentattributes

Symfony UX CVE-2025-47946: Unsanitized HTML attribute injection via ComponentAttributes. #symfony
https://symfony.com/blog/symfony-ux-cve-2025-47946-unsanitized-html-attribute-injection-via-componentattributes?utm_source=Symfony%20Blog%20Feed&utm_medium=feed

Bwahahahahaha

https://github.com/packetlabs/vulnerability-advisory/blob/main/Disclosures/PL-2025-11315/README.md

sev:MED 6.0 - CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:N

The ConnectWise-Password-Encryption-Utility.exe binary contains hardcoded encryption keys in plaintext which can be extracted by an attacker analyzing the binary strings.

https://nvd.nist.gov/vuln/detail/CVE-2025-4876

Oh my.

https://github.com/openpgpjs/openpgpjs/security/advisories/GHSA-8qff-qr5q-5pr8

sev:HIGH 8.7 - CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N

OpenPGP.js is a JavaScript implementation of the OpenPGP protocol. Startinf in version 5.0.1 and prior to versions 5.11.3 and 6.1.1, a maliciously modified message can be passed to either openpgp.verify or openpgp.decrypt, causing these functions to return a valid signature verification result while returning data that was not actually signed. This flaw allows signature verifications of inline (non-detached) signed messages (using openpgp.verify) and signed-and-encrypted messages (using openpgp.decrypt with verificationKeys) to be spoofed, since both functions return extracted data that may not match the data that was originally signed. Detached signature verifications are not affected, as no signed data is returned in that case. In order to spoof a message, the attacker needs a single valid message signature (inline or detached) as well as the plaintext data that was legitimately signed, and can then construct an inline-signed message or signed-and-encrypted message with any data of the attacker's choice, which will appear as legitimately signed by affected versions of OpenPGP.js. In other words, any inline-signed message can be modified to return any other data (while still indicating that the signature was valid), and the same is true for signed+encrypted messages if the attacker can obtain a valid signature and encrypt a new message (of the attacker's choice) together with that signature. The issue has been patched in versions 5.11.3 and 6.1.1. Some workarounds are available. When verifying inline-signed messages, extract the message and signature(s) from the message returned by openpgp.readMessage, and verify the(/each) signature as a detached signature by passing the signature and a new message containing only the data (created using openpgp.createMessage) to openpgp.verify. When decrypting and verifying signed+encrypted messages, decrypt and verify the message in two steps, by first calling openpgp.decrypt without verificationKeys, and then passing the returned signature(s) and a new message containing the decrypted data (created using openpgp.createMessage) to openpgp.verify.

https://nvd.nist.gov/vuln/detail/CVE-2025-47934

🚨 A critical vulnerability (CVE-2025-47275) in the Auth0 SDK exposes Symfony, Laravel, and WordPress users to brute-force session attacks. Okta has released patches—learn how to protect your application now.

#SecurityLand #CyberWatch #Auth0 #Okta #PHP #Laravel #WordPress #Symfony #Vulnerability #Patch

Read More: https://www.security.land/critical-vulnerability-found-in-auth0-sdk-patch-released-for-php-symfony-laravel-and-wordpress/

CISA published new KEVs earlier but I don't think any of them were unknown to the public to have been exploited.

CVE-2023-38950: ZKTeco
CVE-2024-27443: Synacor
CVE-2025-27920: Srimax
CVE-2024-11182: MDaemon
CVE-2025-4428: Ivanti
CVE-2025-4427: Ivanti

CISA published new KEVs earlier but I don't think any of them were unknown to the public to have been exploited.

CVE-2023-38950: ZKTeco
CVE-2024-27443: Synacor
CVE-2025-27920: Srimax
CVE-2024-11182: MDaemon
CVE-2025-4428: Ivanti
CVE-2025-4427: Ivanti

something I'm still curious about is wtf was CVE-2021-30327, allegedly some buffer overflow in EDL but there's not much to go off of.

The only hints I have atm are like,
- sxr2130 allows trying to upload an image again, and sigchecks happen after the segments are loaded into RAM
- sxr2250 has a lot of bounds checks near a memsz vs filesz memset for the sig segment
- MBNv7 changes in general

Don't expose Remote Desktop directly to the Internet, they said. Put it behind a Remote Desktop Gateway, they said. It will be fine, they said...

"Race Condition in Windows Remote Desktop Gateway Enables RCE – PoC Demonstrates Exploitability":

https://securityonline.info/cve-2025-21297-race-condition-in-windows-remote-desktop-gateway-enables-rce-poc-demonstrates-exploitability/

(Fixed in the latest Patch Tuesday.)

🚨Spike in Fortinet CVE-2024-55591 vulnerability rapidly increased in the past week 👇

The #CrowdSec Network has detected a wave of exploitation attempts targeting CVE-2024-55591, a Fortinet vulnerability that affects FortiWAN versions before 5.3.2. First seen on April 23rd, the CrowdSec Network still sees elevated levels of probing and exploitation.

ℹ️ About the exploit:
This flaw allows remote attackers to perform unauthenticated command injection on exposed FortiWAN instances. This vulnerability affects FortiWAN versions prior to 5.3.2. It enables attackers to execute arbitrary commands via crafted HTTP requests — no authentication required.

🔎 Trend analysis:
🔹 April 23rd: The CrowdSec Network detects a shift in the long-term trend of CVE-2024-55591 exploits.
🔹 April 23rd - April 28th: Activity increases rapidly from 30 to about 80 malicious IPs reported daily, producing over 400 distinct attack events.
🔹 April 29 - May 2nd: The attackers take a break. This provides a key point of insight into the nature of this attack campaign.
🔹 May 3rd - May 19th: The attack picks back up with increased intensity. It now originates from around 200 unique IP addresses per day and produces about 900 attack events per day.
🔹 May 19th: The CrowdSec Network still sees elevated levels of probing and exploitation attempts.

✅ How to protect your systems:
🔹 You can use CrowdSec’s open CTI search bar and blocklists to stay ahead of the curve. https://app.crowdsec.net/cti?q=cves%3A%22CVE-2024-55591%22&page=1
🔹 Alternatively, you can use CrowdSec’s newest tool, IPDEX, to build instant reports for this particular CVE and explore the data CrowdSec has aggregated. https://www.crowdsec.net/blog/introducing-crowdsec-ipdex

For more information, visit 👉 http://crowdsec.net 🧵[1/2]

#CyberSecurity #CrowdSec #CTI #Fortinet #CVE202455591 #Infosec #ThreatIntel #OpenSourceSecurity

As the image shows, we see that inside the results, many actors are classified as benign, which confirms that although the exploit is dangerous, the actual campaign is not. This level of enrichment provided by CrowdSec CTI helps security teams prioritize alerts, and IPDEX supports this workflow, allowing analysts to filter out harmless campaigns such as the one by the Shadowserver Foundation. You can also add a filter within IPDEX to remove those benign actors and filter on the date of last activity.

You can get started with IPDEX by heading over to the CrowdSec GitHub 👉 https://github.com/crowdsecurity/ipdex

🧵[2/2]

#CrowdSec #CyberSecurity #CTI #Fortinet #CVE202455591 #Infosec #ThreatIntel #OpenSourceSecurity