The Stimulsoft Reports software component is vulnerable to remote code execution (RCE) by using the subreports feature. An RCE vulnerability can be used by an attacker to execute arbitrary code on the server which can be used to exfiltrate data, change or remove data as well as reduce the availability of the service. It can also be used to pivot to other resources within the environment as well as install arbitrary software.| securityblog.omegapoint.se
A vulnerability in Authentik’s OAuth 2.0 implementation (CVE-2024-52289) allowed attackers to bypass redirect URI validation due to the insecure use of regular expressions. By exploiting this flaw, an attacker could redirect authentication responses to a malicious server, enabling account takeover. Authentik has addressed the issue in patched versions (2024.10.3 and 2024.8.5) by enforcing strict string matching for URI validation.| securityblog.omegapoint.se
This blog covers several potential security issues that were identified in TruffleHog v3; an open source secret scanner. The issues were reported to Truffle Security, the team behind TruffleHog in December 2023.| securityblog.omegapoint.se
In this blog, we'll dive deeply into two potential security issues that Omegapoint identified in AWS API Gateway authorizers. We reported these issues to AWS in November 2022 and January 2023. AWS rolled out mitigations to all AWS customer accounts in May 2023.| securityblog.omegapoint.se