For those of you looking to get an early jump on your holiday shopping.
RCE in Apache Causeway. https://lists.apache.org/thread/rjlg4spqhmgy1xgq9wq5h2tfnq4pm70b
infosec dot exchange is fine blog dot gayint dot org is fine intel dot gayint dot org is fine# THIS SMUGNESS IS FINE
WTF? LMAO. > NixOS has hardcoded credentials in Onlyoffice module
I've seen a bunch of posts lately saying that there are a lot of new people to Mastodon and offering tips. Since we all use this place differently, I figured I might as well offer some things I do to enjoy it more.
- Block and mute liberally. It's not hostile, it's not personal, it's simply part of curating your feed. That includes filtering on words and hashtags.
- Use hashtags. A lot. I forget to do it myself but it's the best way to connect with others interested in whatever your posts are about. But be cool, keep them relevant and not spammy. And don't forget you can follow hashtags.
- Hide your follower count. This isn't a big deal for everyone, but I like not knowing how many followers I have. It prevents that common focus on follower count and enables me to focus on interactions with people. Which is why I'm here.
- Add alt text to images when possible. It helps for people using screen readers but it also helps for when images don't load because of Internet filters, low throughput, etc. It can also help provide context to an image.
- Post and let post. We're all here for different reasons and use this place differently. Don't police others unless they are actually harmful. Not adding alt text or using acronyms you don't know are not harmful.
All that said, welcome. And happy shitposting. :brdKnife:
Whoopsie. > A vulnerability was identified in the email parsing library due to improper handling of specially formatted recipient email addresses. An attacker can exploit this flaw by crafting a recipient address that embeds an external address within quotes. This causes the application to misdirect the email to the attacker's external address instead of the intended internal recipient. This could lead to a significant data leak of sensitive information and allow an attacker to bypass security filters and access controls.
#directoryTraversalMemes image
Y'all like AIX vulns, right? How about four of them? Okay well what if three are sev:CRIT? Fine, one is a perfect 10 if that's what it takes to get y'all to care. 🥳 > Vulnerabilities in AIX could allow a remote attacker to execute arbitrary commands (CVE-2025-36251, CVE-2025-36250), obtain Network Installation Manager (NIM) private keys (CVE-2025-36096), or traverse directories (CVE-2025-36236). These vulnerabilities are addressed through the fixes referenced as part of this bulletin. These vulnerabilities are exploitable only when an attacker can establish network connectivity to the affected host.
Whoopsie. > Socket Firewall is an HTTP/HTTPS proxy server that intercepts package manager requests and enforces security policies by blocking dangerous packages. Socket Firewall binary versions (separate from installers) prior to 0.15.5 are vulnerable to arbitrary code execution when run in untrusted project directories. The vulnerability allows an attacker to execute arbitrary code by placing a malicious .sfw.config file in a project directory. When a developer runs Socket Firewall commands (e.g., sfw npm install) in that directory, the tool loads the .sfw.config file and populates environment variables directly into the Node.js process. An attacker can exploit this by setting NODE_OPTIONS with a --require directive to execute malicious JavaScript code before Socket Firewall's security controls are initialized, effectively bypassing the tool's malicious package detection. The attack vector is indirect and requires a developer to install dependencies for an untrusted project and execute a command within the context of the untrusted project. The vulnerability has been patched in Socket Firewall version 0.15.5. Users should upgrade to version 0.15.5 or later. The fix isolates configuration file values from subprocess environments. Look at sfw --version for version information. If users rely on the recommended installation mechanism (e.g. global installation via npm install -g sfw) then no workaround is necessary. This wrapper package automatically ensures that users are running the latest version of Socket Firewall. Users who have manually installed the binary and cannot immediately upgrade should avoid running Socket Firewall in untrusted project directories. Before running Socket Firewall in any new project, inspect .sfw.config and .env.local files for suspicious NODE_OPTIONS or other environment variable definitions that reference local files.