CVE-2025-66301

Grav is a file-based Web platform. Prior to 1.8.0-beta.27, due to improper authorization checks when modifying critical fields on a POST request to /admin/pages/pagename, an editor with only permissions to change basic content on the form is now able to change the functioning of the form through...

HackerOne: Pre-generation of 2FA secret/backup codes seems like an unnecessary risk

If you manage to get a malicious script running in HackerOne, requesting https://hackerone.com/settings/authentication/edit and parsing out the two factor authentication form will yield either… - the 2FA secret key and backup codes that will be used if 2FA is enabled for the first time this sessi...