Overview

  • webbertakken
  • docusaurus-plugin-content-gists

09 Jul 2025
Published
10 Jul 2025
Updated

CVSS v3.1
CRITICAL (10.0)
EPSS
0.04%

KEV

Description

The Docusaurus gists plugin adds a page to your Docusaurus instance, displaying all public gists of a GitHub user. docusaurus-plugin-content-gists versions prior to 4.0.0 are vulnerable to exposing GitHub Personal Access Tokens in production build artifacts when passed through plugin configuration options. The token, intended for build-time API access only, is inadvertently included in client-side JavaScript bundles, making it accessible to anyone who can view the website's source code. This vulnerability is fixed in 4.0.0.

Statistics

  • 3 Posts
  • 6 Interactions

Fediverse

The #Docusaurus gists plugin added a page to the Docusaurus instance, showing all the public gists of the GitHub users who use it

Versions of docusaurus-plugin-content-gists prior to 4.0.0 are vulnerable to exposing GitHub Personal Access Tokens in production build artifacts when they are passed through the plugin's configuration options. The token, intended solely for API access at build time, is inadvertently included in the client-side JavaScript bundles, making it accessible to anyone who can view the website's source code. This vulnerability was fixed in version 4.0.0.

nvd.nist.gov/vuln/detail/CVE-2

@informatica

  • 2
  • 2
  • 4 hours ago
The Docusaurus WordPress plugin has an RCE with a 10-out-of-10 score and exposes secret keys

The @docusaurus/plugin-content-docs plugin boasts impressive numbers: over 1.36 million downloads in the last month alone, more than 56,000 stars on GitHub and around 8,560 forks, evidence of an extremely active global community.

Launched almost four years ago, it now has 85 packages that use it as a dependency, more than 14,800 repositories that include it and as many as 2.7 million Docker downloads, a sign of growing adoption in containerized environments as well.

In the world of open source plugins, even a single mistake can turn into a catastrophic flaw. That is the case with docusaurus-plugin-content-gists, a plugin that lets you display all the public gists of a GitHub user on a page of your site.

According to CVE-2025-53624 (score 10/10, severity: CRITICAL), a very serious vulnerability was discovered in versions prior to 4.0.0: the GitHub Personal Access Token, meant to be used only at build time, was mistakenly included in the JavaScript bundles shipped with the site.

The result? Anyone could read the token directly from the source code of the site published online, with enormous security risks. The problem, fixed in release 4.0.0, stems from a trivial but lethal mistake in configuration handling: a field containing the private key was not filtered correctly and ended up in the client code.

With low attack complexity, it was enough to visit the site and open the browser console to steal the key. This case shows, once again, how essential it is to handle every piece of sensitive information in configurations with care, especially in open source plugins and environments such as WordPress or Docusaurus, which are often taken for granted yet manage critical data.

The plugin's popularity makes the recent discovery of a critical vulnerability (score 10/10) in the docusaurus-plugin-content-gists plugin for WordPress all the more worrying: it could expose GitHub Personal Access Tokens in client-side JavaScript bundles, making them visible to anyone who viewed the site's source code.

The article "The Docusaurus WordPress plugin has an RCE with a 10-out-of-10 score and exposes secret keys" originally appeared on il blog della sicurezza informatica.

  • 2
  • 0
  • 4 hours ago
🔴 CVE-2025-53624 (CRITICAL): docusaurus-plugin-content-gists (<4.0.0) leaks GitHub Personal Access Tokens in client JS bundles. Upgrade to 4.0.0+, audit for exposed tokens, and revoke any compromised PATs ASAP! radar.offseq.com/threat/cve-20

  • 0
  • 0
  • 17 hours ago

Overview

  • ServiceNow
  • Now Platform

08 Jul 2025
Published
08 Jul 2025
Updated

CVSS v4.0
HIGH (8.2)
EPSS
0.04%

KEV

Description

A vulnerability has been identified in the Now Platform that could result in data being inferred without authorization. Under certain conditional access control list (ACL) configurations, this vulnerability could enable unauthenticated and authenticated users to use range query requests to infer instance data that is not intended to be accessible to them. To assist customers in enhancing access controls, ServiceNow has introduced additional access control frameworks in Xanadu and Yokohama, such as Query ACLs, Security Data Filters and Deny-Unless ACLs. Additionally, in May 2025, ServiceNow delivered to customers a security update that is designed to enhance customer ACL configurations. Customers, please review the KB Articles in the References section.
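The mechanism the advisory describes, as an added simulation that is not ServiceNow code: a list query can be filtered on a field the caller is not allowed to read. If the field-level ACL only blanks that field in the returned rows while the filter still runs against the real value, the number of rows returned is an oracle, and range or prefix conditions turn it into a bit-by-bit recovery of the hidden value. The records, the `listQuery` function, the filter builders and the `queryAclOnHiddenFields` switch below are hypothetical stand-ins; the switch models the effect of the Query ACL control the advisory mentions (denying the query itself rather than only hiding the field).

```javascript
// Added example: a constructed simulation of data inference through range
// and prefix queries; not ServiceNow code.

// Constructed records; `salary` and `ssn_last4` are fields the caller's
// field-level ACL forbids reading.
const RECORDS = [
  { sys_id: "u1", name: "alice", salary: 91250, ssn_last4: "4821" },
  { sys_id: "u2", name: "bob", salary: 60400, ssn_last4: "0077" },
];
const HIDDEN_FIELDS = new Set(["salary", "ssn_last4"]);

// Hypothetical server side. The field ACL blanks hidden fields in the
// response, but the filter is evaluated against the real values. That
// asymmetry is the inference channel; a query ACL closes it by refusing
// to evaluate conditions on restricted fields at all.
function listQuery(filterFn, { queryAclOnHiddenFields = false } = {}) {
  if (queryAclOnHiddenFields && filterFn.usesHiddenField) {
    throw new Error("403: query condition on restricted field denied");
  }
  return RECORDS.filter(filterFn).map((rec) => {
    const out = {};
    for (const k of Object.keys(rec)) out[k] = HIDDEN_FIELDS.has(k) ? "" : rec[k];
    return out;
  });
}

// Filter builders shaped like encoded queries an attacker would send,
// e.g. "sys_id=u1^salary>=0^salary<=500000" or "sys_id=u1^ssn_last4STARTSWITH48".
function rangeFilter(sysId, field, lo, hi) {
  const f = (rec) => rec.sys_id === sysId && rec[field] >= lo && rec[field] <= hi;
  f.usesHiddenField = HIDDEN_FIELDS.has(field);
  return f;
}
function prefixFilter(sysId, field, prefix) {
  const f = (rec) => rec.sys_id === sysId && String(rec[field]).startsWith(prefix);
  f.usesHiddenField = HIDDEN_FIELDS.has(field);
  return f;
}

// Attacker side: binary search on a numeric field using only row counts.
function inferNumber(sysId, field, lo, hi, opts) {
  let queries = 0;
  while (lo < hi) {
    const mid = Math.floor((lo + hi) / 2);
    queries++;
    if (listQuery(rangeFilter(sysId, field, lo, mid), opts).length > 0) hi = mid;
    else lo = mid + 1;
  }
  return { value: lo, queries };
}

// Attacker side: recover a string one character at a time with prefix queries.
function inferDigits(sysId, field, length, opts) {
  let prefix = "";
  let queries = 0;
  for (let i = 0; i < length; i++) {
    for (let d = 0; d <= 9; d++) {
      queries++;
      if (listQuery(prefixFilter(sysId, field, prefix + d), opts).length > 0) {
        prefix += d;
        break;
      }
    }
  }
  return { value: prefix, queries };
}

function demo() {
  const salary = inferNumber("u1", "salary", 0, 1_000_000);
  const ssn = inferDigits("u1", "ssn_last4", 4);
  let blocked = false;
  try {
    inferNumber("u1", "salary", 0, 1_000_000, { queryAclOnHiddenFields: true });
  } catch (e) {
    blocked = true;
  }
  return { salary, ssn, blocked };
}
```

The salary is recovered in about twenty requests and the four-digit string in under forty, which is why a row-count oracle is as good as a read in practice. When reviewing an instance, the question to ask of every table reachable by unauthenticated or low-privilege users is not only "which fields are hidden" but "can a filter be expressed on them", which is what the Query ACL and Deny-Unless controls in the advisory address.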

Statistics

  • 2 Posts

Fediverse

The vulnerability, tracked as CVE-2025-3648 (CVSS score: 8.2), has been described as a case of data inference in Now Platform through conditional access control list (ACL) rules. It has been codenamed Count(er) Strike. thehackernews.com/2025/07/serv

  • 0
  • 0
  • 5 hours ago

Overview

  • Red Hat
  • Red Hat Build of Keycloak
  • org.keycloak/keycloak-services

10 Jul 2025
Published
10 Jul 2025
Updated

CVSS
Pending
EPSS
Pending

KEV

Description

A flaw was found in Keycloak. When an authenticated attacker attempts to merge accounts with another existing account during an identity provider (IdP) login, the attacker will subsequently be prompted to "review profile" information. This vulnerability allows the attacker to modify their email address to match that of a victim's account, triggering a verification email sent to the victim's email address. The attacker's email address is not present in the verification email content, making it a potential phishing opportunity. If the victim clicks the verification link, the attacker can gain access to the victim's account.

Statistics

  • 1 Post
  • 8 Interactions

Fediverse

That's an interesting workflow.

access.redhat.com/security/cve

A flaw was found in Keycloak. When an authenticated attacker attempts to merge accounts with another existing account during an identity provider (IdP) login, the attacker will subsequently be prompted to "review profile" information. This vulnerability allows the attacker to modify their email address to match that of a victim's account, triggering a verification email sent to the victim's email address. The attacker's email address is not present in the verification email content, making it a potential phishing opportunity. If the victim clicks the verification link, the attacker can gain access to the victim's account.

  • 6
  • 2
  • 3 hours ago

Overview

  • Mitsubishi Electric Corporation
  • PV-DR004J

10 Jul 2025
Published
10 Jul 2025
Updated

CVSS v3.1
HIGH (7.1)
EPSS
0.01%

KEV

Description

Use of Hard-coded Credentials vulnerability in Mitsubishi Electric Corporation photovoltaic system monitor "EcoGuideTAB" PV-DR004J (all versions) and PV-DR004JA (all versions) allows an attacker within the Wi-Fi communication range between the units of the product (measurement unit and display unit) to disclose information stored in the product, such as generated power and electricity sold back to the grid, to tamper with or destroy stored or configured information in the product, or to cause a Denial-of-Service (DoS) condition on the product, by using the hardcoded user ID and password common to the product series, obtained by exploiting CVE-2025-5022. However, the product is not affected by this vulnerability while it remains unused for a certain period of time (default: 5 minutes) and enters power-saving mode with the display unit's LCD screen turned off. The affected products were discontinued in 2015 and support ended in 2020.

Statistics

  • 2 Posts
  • 1 Interaction

Fediverse

🔎 CVE-2025-5023 (HIGH): Hard-coded credentials in Mitsubishi Electric PV-DR004J/PV-DR004JA (all versions) allow attackers in Wi-Fi range to access or tamper with system data, or cause DoS. Support ended 2020; isolate or replace devices ASAP. More: radar.offseq.com/threat/cve-20

  • 0
  • 0
  • 8 hours ago
Mitsubishi Electric getting in on the hardcoded creds game. Also in the advisory is a weak password requirements vuln but that's to be expected in OT stuff.

mitsubishielectric.com/psirt/v

nvd.nist.gov/vuln/detail/CVE-2

nvd.nist.gov/vuln/detail/CVE-2

  • 0
  • 1
  • 5 hours ago

Overview

  • mcp-remote

09 Jul 2025
Published
09 Jul 2025
Updated

CVSS v3.1
CRITICAL (9.6)
EPSS
0.10%

KEV

Description

mcp-remote is exposed to OS command injection when connecting to untrusted MCP servers due to crafted input from the authorization_endpoint response URL.

Statistics

  • 2 Posts

Fediverse

Critical Flaw in mcp-remote Tool Exposes AI Systems to Command Injection Attacks

🚨 Introduction: A Silent Threat Lurking in AI Infrastructure As AI systems grow more interconnected, security vulnerabilities in the foundational tools they rely on can lead to catastrophic consequences. A newly discovered high-severity vulnerability, tracked as CVE-2025-6514, affects the popular mcp-remote proxy tool—a core component used by many LLM (Large Language Model) hosts such as…

undercodenews.com/critical-fla

  • 0
  • 0
  • 7 hours ago
Two critical vulnerabilities were discovered in tools related to the Model Context Protocol (MCP), a standard for connecting AI tools to external systems. The flaws, CVE-2025-6514 and CVE-2025-49596, existed in mcp-remote and MCP Inspector, respectively, and could be exploited for remote code execution. Both vulnerabilities have been patched in recent MCP releases, but researchers warn of potential risks associated with insecure MCP server connections and lack of authentication.
bankinfosecurity.com/serious-f

  • 0
  • 0
  • 20 hours ago

Overview

  • Pending

10 Jul 2025
Published
10 Jul 2025
Updated

CVSS
Pending
EPSS
Pending

KEV

Description

Ecovacs Deebot T10 1.7.2 transmits Wi-Fi credentials in cleartext during the pairing process.

Statistics

  • 1 Post
  • 6 Interactions

Fediverse

Ecovacs Whoopsie.

httpscolonforwardslashforwards

During the pairing process, the Ecovacs Deebot T10 creates an open Wi-Fi network, and the mobile app instructs the user to connect to this open, unencrypted Wi-Fi network. Once connected, the mobile app sends the user’s home Wi-Fi network password to the Ecovacs Deebot T10 through cleartext HTTP protocol over the cleartext open Wi-Fi network using the endpoint /rcp.do via POST request.

  • 3
  • 3
  • 2 hours ago

Overview

  • Sudo project
  • Sudo

30 Jun 2025
Published
09 Jul 2025
Updated

CVSS v3.1
CRITICAL (9.3)
EPSS
0.32%

KEV

Description

Sudo before 1.9.17p1 allows local users to obtain root access because /etc/nsswitch.conf from a user-controlled directory is used with the --chroot option.

Statistics

  • 1 Post
  • 4 Interactions

Fediverse


Overview

  • OpenText™
  • Directory Services

10 Jul 2025
Published
10 Jul 2025
Updated

CVSS v4.0
MEDIUM (6.3)
EPSS
0.05%

KEV

Description

Improper Control of Generation of Code ('Code Injection') vulnerability in OpenText™ Directory Services allows Remote Code Inclusion. The vulnerability could allow access to the system via script injection. This issue affects Directory Services: 23.4.

Statistics

  • 1 Post
  • 1 Interaction

Fediverse

Code execution in OpenText Directory Services.

sev:MED 6.3 - CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:L/SI:L/SA:L/S:N/AU:Y/R:A/V:D/RE:L/U:Clear

Improper Control of Generation of Code ('Code Injection') vulnerability in OpenText™ Directory Services allows Remote Code Inclusion. The vulnerability could allow access to the system via script injection. This issue affects Directory Services: 23.4.

nvd.nist.gov/vuln/detail/CVE-2

  • 1
  • 0
  • 5 hours ago

Overview

  • Palo Alto Networks
  • GlobalProtect App

09 Jul 2025
Published
10 Jul 2025
Updated

CVSS v4.0
HIGH (8.4)
EPSS
0.01%

KEV

Description

An incorrect privilege assignment vulnerability in the Palo Alto Networks GlobalProtect™ App enables a locally authenticated non-administrative user to escalate their privileges to root on macOS and Linux, or to NT AUTHORITY\SYSTEM on Windows. The GlobalProtect app on iOS, Android and Chrome OS, and the GlobalProtect UWP app, are not affected.

Statistics

  • 1 Post
  • 2 Interactions

Fediverse

@cR0w As I wrote elsewhere, the CVSS for CVE-2025-0141 makes no sense to me. Why is initial system Confidentiality impact Low?

  • 0
  • 2
  • 23 hours ago

Overview

  • notepad-plus-plus
  • notepad-plus-plus

23 Jun 2025
Published
01 Jul 2025
Updated

CVSS v3.1
HIGH (7.3)
EPSS
0.01%

KEV

Description

Notepad++ is a free and open-source source code editor. In versions 8.8.1 and prior, a privilege escalation vulnerability exists in the Notepad++ installer that allows unprivileged users to gain SYSTEM-level privileges through insecure executable search paths. An attacker could use social engineering or clickjacking to trick users into downloading both the legitimate installer and a malicious executable into the same directory (typically the Downloads folder, which is a known vulnerable directory for this class of issue). Upon running the installer, the attack executes automatically with SYSTEM privileges. This issue has been fixed and will be released in version 8.8.2.

Statistics

  • 1 Post
  • 1 Interaction

Fediverse

Notepad++ 8.8.3 with security fix (CVE-2025-49144), certificate and more

deskmodder.de/blog/2025/07/10/

  • 0
  • 1
  • 12 hours ago
Showing 1 to 10 of 53 CVEs