
Threats Tagged 'cwe-345'

View all threats tagged with 'cwe-345'. Filter and sort to focus on specific types of threats.


CVE-2026-45792: CWE-345: Insufficient Verification of Data Authenticity in rtk-ai rtk

Prior to version 0.32.0, the rtk tool (Rust Token Killer) improperly trusts project-local configuration files by automatically loading .rtk/filters.toml from the working directory without notifying the user. This allows an attacker to place a malicious filter file that modifies shell command outputs via regex-based filters, potentially suppressing or altering output such as file contents, diffs, or security scan results without detection. This vulnerability is fixed in version 0.32.0.

CVE-2026-47155: CWE-345: Insufficient Verification of Data Authenticity in vllm-project vllm

vLLM is an inference and serving engine for large language models (LLMs). Prior to 0.22.0, vLLM's revision pinning controls do not consistently apply to all artifacts loaded for a model. A deployment that supplies --revision or --code-revision can still load dynamic code, GGUF files, image processors, retrieval side weights, or same-repository subfolder weights/config from an unpinned/default revision. This is a supply-chain integrity issue for pinned vLLM deployments. Operators can believe they are serving a reviewed model revision while vLLM resolves behavior-affecting nested or sibling artifacts outside that reviewed revision. This vulnerability is fixed in 0.22.0.

CVE-2026-54288: CWE-345: Insufficient Verification of Data Authenticity in honojs hono

Hono is a Web application framework that provides support for any JavaScript runtime. Prior to 4.12.25, the Body Limit Middleware trusts the request's Content-Length header to decide whether a body is within the limit. On AWS Lambda (API Gateway v1/v2, ALB, VPC Lattice, and Lambda@Edge) the body is delivered fully buffered and the adapter builds the request with the client-declared Content-Length, which need not match the actual payload. A client can declare a tiny Content-Length while sending a much larger body, slipping past the limit. This vulnerability is fixed in 4.12.25.

CVE-2026-44087: CWE-345: Insufficient Verification of Data Authenticity in Apache Software Foundation Apache APISIX

Insufficient Verification of Data Authenticity vulnerability in Apache APISIX. Under its default configuration, the openid-connect plugin exposes an attack surface that allows an attacker to spoof identity headers and thereby gain unauthorized access to the protected resources. This issue affects Apache APISIX from 2.3 through 3.16.0. Users are recommended to upgrade to version 3.17.0, which fixes the issue.

CVE-2026-48783: CWE-345: Insufficient Verification of Data Authenticity in gitroomhq postiz-app

Postiz is an AI social media scheduling tool. Versions prior to 2.21.8 contained an unauthenticated endpoint that accepted a signed token and applied subscription-enforcement side effects to the organization referenced in that token's claims, without verifying the token's intended purpose. The endpoint, /public/modify-subscription, could not change the persisted subscription tier, but it did execute enforcement-related side effects on the caller's own organization, including adjusting team-member enablement state, disabling integrations exceeding the asserted plan's limits, and resetting the scheduled-post cron when the asserted plan was the free tier. Impact is limited to the attacker's own organization and cannot be redirected at other tenants through this endpoint. This issue has been fixed in version 2.21.8.

CVE-2026-48781: CWE-302: Authentication Bypass by Assumed-Immutable Data in gitroomhq postiz-app

Postiz, an AI social media scheduling tool, has an authentication bypass vulnerability in versions prior to 2.21.8. The Skool integration callback signs attacker-controlled JSON data into a session JWT using the app's JWT_SECRET, and the authentication middleware trusts the JWT claims without verifying the user against the database. This allows any authenticated user to forge a SUPERADMIN session and impersonate arbitrary organizations, gaining full access to all parts of Postiz and the ability to post on victims' social media channels. The issue is fixed in version 2.21.8.

CVE-2026-53406: CWE-345: Insufficient Verification of Data Authenticity in Zoom Communications Remote Control for Zoom Contact Center

CVE-2026-53406 is a high-severity vulnerability in Zoom Communications' Remote Control for Zoom Contact Center for Windows versions prior to 7.0.0. It involves insufficient verification of data authenticity, which may allow an authenticated local user to escalate privileges. The vulnerability has a CVSS 3.1 base score of 7.8, indicating significant impact on confidentiality, integrity, and availability. No official patch or remediation guidance is currently provided by the vendor. There are no known exploits in the wild at this time.

CVE-2026-46539: CWE-345: Insufficient Verification of Data Authenticity in nimiq core-rs-albatross

Nimiq is a Rust implementation of the Nimiq Proof-of-Stake protocol based on the Albatross consensus algorithm. Prior to version 1.4.0, a logic flaw in BlockInclusionProof::is_block_proven causes the function to return true without performing any cryptographic verification when get_interlink_hops yields an empty hop list. This occurs when the target block is at the election block position immediately preceding the election head's epoch. An attacker providing transaction inclusion proofs can forge a MacroBlock header for that epoch position and have it accepted as "proven" without any hash or signature verification. This issue has been patched in version 1.4.0.

CVE-2026-7792: CWE-345: Insufficient Verification of Data Authenticity in smub WPForms – Easy Form Builder for WordPress – Contact Forms, Payment Forms, Surveys, & More

WPForms plugin for WordPress versions up to and including 1.10.0.1 has a vulnerability due to insufficient verification of PayPal webhook data authenticity. The plugin processes PayPal webhook JSON payloads without verifying the HMAC-SHA256 signature, allowing unauthenticated attackers who know a valid PayPal subscription_id to forge webhook events. This can lead to unauthorized modification of subscription payment records, such as reactivating cancelled or suspended subscriptions.

CVE-2026-8608: CWE-345: Insufficient Verification of Data Authenticity in awordpresslife Event Monster – Event Manager, Ticket Booking & Registration

The Event Monster plugin for WordPress up to version 2.1.0 has a vulnerability where it insufficiently verifies payment data authenticity. The AJAX handler capture_payment() accepts client-supplied payment details without server-side verification or proper authorization checks. This allows unauthenticated attackers to forge payment records, mark bookings as completed, and receive valid confirmation emails with QR code tickets without paying.

Showing 1 to 10 of 19 results

Page 1 of 2