Directus · Directus · CVE-2024-28239
**Name of the Vulnerable Software and Affected Versions**
Directus versions prior to 10.10.0
**Description**
The authentication API accepts a `redirect` parameter that can be abused as an open redirect when a user logs in via the API URL. After a successful login through the Auth API GET request to `/auth/login/google?redirect`, the user can be redirected to a malicious site. Although credentials are not passed to the attacker's site, a user can be phished into clicking a link to a legitimate Directus site and then be taken to a malicious page made to look like an error message, potentially leading to password phishing. Users who log in to Directus via OAuth2 may be at risk.
**Recommendations**
For versions prior to 10.10.0, upgrade to version 10.10.0 to address the issue. As a temporary workaround, consider restricting access to the `/auth/login/google?redirect` API endpoint to minimize the risk of exploitation. Avoid using the `redirect` parameter in the affected API endpoint until the issue is resolved.
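The kind of allowlist check that closes an open redirect in a login `redirect` parameter, as an added example that is not Directus's own code and not its 10.10.0 fix; `PUBLIC_URL`, `resolveRedirect` and `resolveRedirectUnsafe` are constructed names, and the weak variant is included only to contrast with the hardened one:

```javascript
// Added example, not Directus's own code: validate an OAuth login `redirect`
// parameter so the post-login redirect can only land on the site's own origin.
// PUBLIC_URL is a constructed value standing in for the deployment's public URL.
const PUBLIC_URL = 'https://directus.example.com';
const DEFAULT_LANDING = PUBLIC_URL + '/admin';

// The weak pattern behind an open redirect: whatever the query string carries
// is used verbatim as the Location header after a successful login.
function resolveRedirectUnsafe(redirectParam) {
  return redirectParam || DEFAULT_LANDING;
}

// Hardened version: resolve the parameter against our own origin and accept
// the result only when it still points at exactly that origin.
function resolveRedirect(redirectParam) {
  if (typeof redirectParam !== 'string' || redirectParam === '') {
    return DEFAULT_LANDING;
  }
  let target;
  try {
    // Relative paths ("/admin/content") resolve onto PUBLIC_URL. Absolute,
    // protocol-relative ("//evil.example") and backslash ("\\evil.example")
    // inputs keep their own host, which the origin comparison below rejects.
    target = new URL(redirectParam, PUBLIC_URL);
  } catch (err) {
    return DEFAULT_LANDING; // unparsable input
  }
  // Non-http schemes such as javascript: yield the origin "null", so this one
  // comparison also rejects them, as well as https -> http downgrades and
  // userinfo tricks like https://directus.example.com@evil.example/.
  if (target.origin !== new URL(PUBLIC_URL).origin) {
    return DEFAULT_LANDING;
  }
  return target.href;
}
```

Returning the normalised `target.href` rather than the raw parameter means the value sent in the Location header is always the parsed, same-origin form.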