Beware the Hidden Risk in Your Entra Environment

June 25, 2025

If you invite guest users into your Entra ID tenant, you may be opening yourself up to a surprising risk.
A gap in access control in Microsoft Entra’s subscription handling is allowing guest users to create and transfer subscriptions into the tenant they are invited into, while maintaining full ownership of them.
All the guest user needs are the permissions to create subscriptions in

Source: Read More

Previous ArticlePro-Iranian Hacktivist Group Leaks Personal Records from the 2024 Saudi Games

Next Article Cybercrime is surging across Africa

Highlights

CVE-2025-47928 – Spotify/Github Spotipy Untrusted Code Execution Vulnerability

May 15, 2025

CVE ID : CVE-2025-47928

Published : May 15, 2025, 8:16 p.m. | 4 hours, 41 minutes ago

Description : Spotipy is a Python library for the Spotify Web API. As of commit 4f5759dbfb4506c7b6280572a4db1aabc1ac778d, using `pull_request_target` on `.github/workflows/integration_tests.yml` followed by the checking out the head.sha of a forked PR can be exploited by attackers, since untrusted code can be executed having full access to secrets (from the base repo). By exploiting the vulnerability is possible to exfiltrate `GITHUB_TOKEN` and secrets `SPOTIPY_CLIENT_ID`, `SPOTIPY_CLIENT_SECRET`. In particular `GITHUB_TOKEN` which can be used to completely overtake the repo since the token has content write privileges. The `pull_request_target` in GitHub Actions is a major security concern—especially in public repositories—because it executes untrusted code from a PR, but with the context of the base repository, including access to its secrets. Commit 9dfb7177b8d7bb98a5a6014f8e6436812a47576f reverted the change that caused the issue.

Severity: 9.1 | CRITICAL

Visit the link for more details, such as CVSS details, affected products, timeline, and more…

How AI further empowers value stream management

12 Top ReactJS Development Companies in 2025

Not sure where to go with AI? Here’s your roadmap.

This week in AI dev tools: A2A donated to Linux Foundation, OpenAI adds Deep Research to API, and more (June 27, 2025)

Microsoft’s Copilot+ has been here over a year and I still don’t care about it — but I do wish I had one of its features

SteelSeries’ latest wireless mouse is cheap and colorful — but is this the one to spend your money on?

DistroWatch Weekly, Issue 1128

Your Slack app is getting a big upgrade – here’s how to try the new AI features

How Code Feedback MCP Enhances AI-Generated Code Quality

How Code Feedback MCP Enhances AI-Generated Code Quality

PRSS Site Creator – Create Blogs and Websites from Your Desktop

Say hello to ECMAScript 2025

Microsoft’s Copilot+ has been here over a year and I still don’t care about it — but I do wish I had one of its features

Microsoft’s Copilot+ has been here over a year and I still don’t care about it — but I do wish I had one of its features

SteelSeries’ latest wireless mouse is cheap and colorful — but is this the one to spend your money on?

Microsoft confirms Windows 11 25H2, might make Windows more stable

Beware the Hidden Risk in Your Entra Environment

Synology ABM Flaw (CVE-2025-4679) Leaks Global Client Secret, Exposing ALL Microsoft 365 Tenants

D-Link DIR-816 Router Alert: 6 Critical Flaws (CVSS 9.8) Allow Remote Code Execution, NO PATCHES

Professor Rita McGrath on Leading in Times of Uncertainty

CVE-2025-44862 – TOTOLINK CA300-POE Command Injection Vulnerability

CVE-2023-49604 – Apache HTTP Server Remote File Inclusion

SuperTuxKart 1.5 Release Candidate Now Available

CVE-2025-47928 – Spotify/Github Spotipy Untrusted Code Execution Vulnerability

AI-Generated Ad Created with Google’s Veo3 Airs During NBA Finals, Slashing Production Costs by 95%

France’s OVHcloud May Replace Microsoft Azure In Major EU Cloud Shake-Up

Our next-generation model: Gemini 1.5

Beware the Hidden Risk in Your Entra Environment

Related Posts