JWT Validation Failure In Jupyter Hub, Arbitrary File Upload and SQL Injection in Mattermost, Path Traversal File Deletion in Mautic, Desrialization Of Untrusted Data in MetaSlider and more

Week ending 27th Feb, 2025.

Key vulnerabilities to be discussed include:

• JWT Validation Failure in JupyterHub
• Arbitrary File Upload and SQL Injection in Mattermost, where versions of Mattermost are failing to properly validate board blocks when importing boards and failing to use prepared statements in SQL queries
• Path Traversal File Deletion in Mautic, where improper handling of path components allows authenticated users to manipulate file deletion processes
• Deserialization of Untrusted Data in MetaSlider, potentially leading to object injection

The podcast will also cover unrestricted file uploads, authentication bypasses, and SQL injection flaws in systems like GreaterWMS, Everest Forms, XOne Web Monitor and Tenda routers.