Authenticated role spoofing in Microsoft UFO's WebSocket control plane (version 3.0.1-4-ge2626659) lets any client holding the shared server token impersonate the higher-privilege "constellation" role and hijack tasks belonging to other connected devices. The server trusts the client_type and target_id values carried in each TASK message instead of binding them to the role established when the WebSocket connection registered, and it also permits duplicate client_id registration that overwrites a live peer's stored socket and role. Rated CVSS 8.8 (high) with full confidentiality, integrity, and availability impact; no public exploit identified at time of analysis.
Cross-service CAS ticket replay in Symfony's Cas2Handler enables an attacker who controls any co-registered CAS application to authenticate as an arbitrary victim user against the target Symfony application. The flaw exists because Cas2Handler constructs the CAS service validation URL from the HTTP Host header - an attacker-supplied value - rather than a statically configured URL, a condition that exists by default since framework.trusted_hosts is not configured in standard Symfony installations. Affected packages are symfony/security-http and symfony/symfony from 7.1.0 through 7.4.11 and 8.0.0 through 8.0.11; no public exploit has been identified at time of analysis.
Authentication bypass in Symfony's X509Authenticator (security-http component) lets an attacker who holds any certificate issued by a trusted CA impersonate another user during client-certificate (mTLS) authentication. Symfony extracts the login identifier from the certificate Subject DN using an unanchored regex, so an attacker can embed 'emailAddress=victim@target' inside a free-text CN value and be authenticated as that victim. A vendor patch is available across all maintained branches; there is no public exploit identified at time of analysis, and no CVSS, EPSS, or CISA KEV data exists for this CVE.
Bluetooth LE bond downgrade in Silicon Labs Simplicity SDK allows an adjacent attacker to weaken connection security by deleting an existing bond, impersonating the previously bonded peer, and forcing a new pairing under attacker-controlled parameters. The flaw enables compromise of confidentiality, integrity, and availability of BLE communications on devices built with the affected SDK, and no public exploit has been identified at time of analysis.
Trilium Notes Electron desktop application on macOS, versions 0.102.1 and prior, permits local attackers to spoof macOS Transparency, Consent, and Control (TCC) permission prompts by exploiting the enabled RunAsNode Electron fuse, which allows arbitrary Node.js code to execute under Trilium's trusted identity. An attacker with local code execution can spawn a subprocess inheriting Trilium's macOS identity and then request TCC-protected resources - camera, microphone, screen, ~/Documents, ~/Downloads - causing the system prompt to appear as if the legitimate Trilium Notes app is requesting access, not the attacker. No public exploit code has been identified at time of analysis, and this vulnerability is not listed in the CISA KEV catalog; however, the social-engineering angle makes it particularly dangerous for macOS users who extend implicit trust to Trilium. Version 0.102.2 resolves the issue by disabling the RunAsNode fuse.
Spoofing issue in the Web Speech component. This vulnerability was fixed in Firefox 151.
Spoofing via the Form Autofill component in Mozilla Firefox allows a network-based attacker to achieve high integrity impact against users who interact with attacker-controlled content. The CVSS vector (AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N) confirms no authentication is required from the attacker side, but a victim must interact with malicious content for the attack to succeed. No public exploit code has been identified at time of analysis, and EPSS sits at 0.02% (5th percentile), indicating very low observed exploitation probability; the vulnerability is not listed in the CISA KEV catalog.
Spoofing issue in WebExtensions. This vulnerability was fixed in Firefox 151.
Spoofing issue in the Toolbar component in Firefox for Android. This vulnerability was fixed in Firefox 151.
Session fixation in Keycloak's login-actions endpoints allows remote attackers to hijack authenticated sessions and take over accounts, including highly privileged administrative ones. Exploitation requires the victim to click an attacker-crafted link, after which an existing SSO session causes transparent authentication into the attacker-controlled flow. No public exploit has been identified at time of analysis, but Red Hat has confirmed the flaw in Red Hat Build of Keycloak.