XML External Entity | Breaking Cybersecurity News | The Hacker News

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added two security flaws impacting SysAid IT support software to its Known Exploited Vulnerabilities ( KEV ) catalog, based on evidence of active exploitation. The vulnerabilities in question are listed below - CVE-2025-2775 (CVSS score: 9.3) - An improper restriction of XML external entity (XXE) reference vulnerability in the Checkin processing functionality, allowing for administrator account takeover and file read primitives CVE-2025-2776 (CVSS score: 9.3) - An improper restriction of XML external entity (XXE) reference vulnerability in the Server URL processing functionality, allowing for administrator account takeover and file read primitives Both shortcomings were disclosed by watchTowr Labs researchers Sina Kheirkhah and Jake Knott back in May, alongside CVE-2025-2777 (CVSS score: 9.3), a pre-authenticated XXE within the /lshw endpoint. The three vulnerabilities were addressed by SysAid in the on-pre...

Ivanti has alerted customers of yet another high-severity security flaw in its Connect Secure, Policy Secure, and ZTA gateway devices that could allow attackers to bypass authentication. The issue, tracked as  CVE-2024-22024 , is rated 8.3 out of 10 on the CVSS scoring system. "An XML external entity or XXE vulnerability in the SAML component of Ivanti Connect Secure (9.x, 22.x), Ivanti Policy Secure (9.x, 22.x) and ZTA gateways which allows an attacker to access certain restricted resources without authentication," the company  said  in an advisory. The company said it discovered the flaw during an internal review as part of its ongoing investigation into multiple security weaknesses in the products that have come to light since the start of the year, including  CVE-2023-46805, CVE-2024-21887 ,  CVE-2024-21888, and CVE-2024-21893 . CVE-2024-22024 affects the following versions of the products - Ivanti Connect Secure (versions 9.1R14.4, 9.1R17.2, 9.1R18....

A critical vulnerability has been uncovered in Google that could allow an attacker to access the internal files of Google's production servers. Sounds ridiculous but has been proven by the security researchers from Detectify. The vulnerability resides in the Toolbar Button Gallery ( as shown ). The team of researchers found a loophole after they noticed that Google Toolbar Button Gallery allows users to customize their toolbars with new buttons. So, for the developers, it is easy to create their own buttons by uploading XML files containing metadata for styling and other such properties. This feature of Google search engine is vulnerable to  XML External Entity (XXE) . It is an XML injection that allows an attacker to force a badly configured XML parser to " include " or " load " unwanted functionality that can compromise the security of a web application. " The root cause of XXE vulnerabilities is naive XML parsers that blindly interpret the DTD of t...

Is Managing Customer Logins and Data Giving You Headaches? You're Not Alone! Today, we all expect super-fast, secure, and personalized online experiences. But let's be honest, we're also more careful about how our data is used. If something feels off, trust can vanish in an instant. Add to that the lightning-fast changes AI is bringing to everything from how we log in to spotting online fraud, and it's a whole new ball game! If you're dealing with logins, data privacy, bringing new users on board, or building digital trust, this webinar is for you . Join us for " Navigating Customer Identity in the AI Era ," where we'll dive into the Auth0 2025 Customer Identity Trends Report . We'll show you what's working, what's not, and how to tweak your strategy for the year ahead. In just one session, you'll get practical answers to real-world challenges like: How AI is changing what users expect – and where they're starting to push ba...