Summary
LiteLLM: Authentication Bypass via Host Header Injection
References
Related vulnerabilities
- HIGH, GHSA-F59H-Q822-G45G
  Caddy: FastCGI header normalization bypass in `forward_auth copy_headers`
- MEDIUM, GHSA-JVC7-762P-3743
  n8n: Missing Token Validation on Microsoft Agent 365 Trigger and Stripe Nodes
- HIGH, SC-DEPENDABOT-IMPERSONATION-2023
  Between July 8 and July 11, 2023, in a campaign documented by Checkmarx, attackers pushed malicious commits to hundreds of public and private GitHub repositories while disguising them as automated contributions from the legitimate Dependabot bot. The attackers obtained victims' GitHub Personal Access Tokens, likely exfiltrated from developer machines via a malicious open-source package, and used those tokens to push commits whose author and commit message ('fix') were falsified to appear as the dependabot[bot] account, since Git and the GitHub API let a token holder set arbitrary commit metadata and PAT activity does not surface in the account audit log. Each malicious commit added a GitHub Actions workflow file (hook.yml) that triggered on every push and exfiltrated the project's defined secrets and environment variables to an attacker-controlled command-and-control server. The same commits modified existing JavaScript files in the repository, injecting obfuscated web-form password-stealer code that captured credentials submitted by end users and forwarded them to the same server. Most affected accounts belonged to Indonesian developers.
- CRITICAL, SC-PHP-GIT-2021
  On March 28, 2021, attackers compromised PHP's self-hosted Git server at git.php.net and pushed two malicious commits directly to the php-src master branch, the canonical source for the PHP interpreter used by a large share of the web. The first commit was disguised as a minor typo fix and the second as a revert, with the author and committer fields forged to impersonate PHP creator Rasmus Lerdorf and core maintainer Nikita Popov, exploiting the fact that Git lets anyone locally set arbitrary commit authorship. The injected code added a backdoor in the request-handling path that inspected the incoming User-Agentt header and, if its value began with the string zerodium, passed the remainder to zend_eval_string to execute attacker-supplied PHP code, yielding unauthenticated remote code execution on any server built from the poisoned source. The code carried the comment 'REMOVETHIS: sold to zerodium, mid 2017'. Maintainers caught the commits during routine post-commit review and reverted them before any release build incorporated them, and investigators concluded the git.php.net server itself was breached rather than an individual account. In response, PHP discontinued its own Git infrastructure and moved the canonical repository to GitHub.
- MEDIUM, GHSA-HHPQ-7WG4-36JM
  CakePHP Authentication: Open redirect weakness via backslash bypass
- CRITICAL, GHSA-8FQ9-273G-6MRG
  Avo: Missing Authorization in Avo Association Attach Endpoint Allows Unauthorized Relationship Manipulation and Privilege Escalation