The Stimulsoft Reports software component is vulnerable to remote code execution (RCE) by using the subreports feature. An RCE vulnerability can be used by an attacker to execute arbitrary code on the server which can be used to exfiltrate data, change or remove data as well as reduce the availability of the service. It can also be used to pivot to other resources within the environment as well as install arbitrary software.| securityblog.omegapoint.se
At Amazon Web Services (AWS), our APIs and service functionality are a promise to our customers, so we very rarely make breaking changes or remove functionality from production services. Customers use the AWS Cloud to build solutions for their customers, and when disruptive changes are made or functionality is removed, the downstream impacts can be […]| Amazon Web Services
A vulnerability in Authentik’s OAuth 2.0 implementation (CVE-2024-52289) allowed attackers to bypass redirect URI validation due to the insecure use of regular expressions. By exploiting this flaw, an attacker could redirect authentication responses to a malicious server, enabling account takeover. Authentik has addressed the issue in patched versions (2024.10.3 and 2024.8.5) by enforcing strict string matching for URI validation.| securityblog.omegapoint.se
This blog covers several potential security issues that were identified in TruffleHog v3; an open source secret scanner. The issues were reported to Truffle Security, the team behind TruffleHog in December 2023.| securityblog.omegapoint.se
CVE-2023-6927 Keycloak vulnerability allows bypassing redirect URI validation which can be used as a vector for stealing authorization codes, access tokens and be used to redirect victims to arbitrary hosts.| securityblog.omegapoint.se
