
Latest News

GHSA-q8fj-76q7-4p7h: Liferay Portal Notifications Widget has multiple XSS vulnerabilities through various text fields

Multiple cross-site scripting (XSS) vulnerabilities in the Notifications widget in Liferay Portal 7.4.3.102 through 7.4.3.111, and Liferay DXP 2023.Q4.0 through 2023.Q4.5 and 2023.Q3.1 through 2023.Q3.10 allow remote attackers to inject arbitrary web script or HTML via a crafted payload injected into (1) a user’s “First Name” text field, (2) a user’s “Middle Name” text field, (3) a user’s “Last Name” text field, (4) the “Other Reason” text field when flagging content, or (5) the name of the flagged content.

GHSA-q769-phqg-263r: VaahCMS is vulnerable to XSS through its Avatar Upload endpoint

Cross-site scripting (XSS) in VaahCMS v2.3.1 allows a remote attacker to execute arbitrary script via the avatar upload handled by the storeAvatar() method of UserBase.php.

GHSA-378f-8q54-3fqx: Liferay Portal is vulnerable to Stored XSS through Forms text type field

Stored cross-site scripting (XSS) vulnerability in Forms in Liferay Portal 7.3.2 through 7.4.3.111, and Liferay DXP 2023.Q4.0 through 2023.Q4.5, 2023.Q3.1 through 2023.Q3.8, 7.4 GA through update 92, and 7.3 GA through update 35 allows remote attackers to inject arbitrary web script or HTML via a crafted payload injected into a form with a rich text type field.

GHSA-893r-jr58-3hxr: Liferay Portal Commerce Shop is vulnerable to Stored XSS through SVG file

Stored cross-site scripting (XSS) vulnerability in diagram type products in Commerce in Liferay Portal 7.4.3.18 through 7.4.3.111, and Liferay DXP 2023.Q4.0 through 2023.Q4.5, 2023.Q3.1 through 2023.Q3.8, and 7.4 update 18 through update 92. This vulnerability allows remote attackers to inject arbitrary web script or HTML via a crafted payload injected into an SVG file.

GHSA-fjrp-77f3-43xj: Liferay Portal is vulnerable to XSS through its Commerce Product's Name text field

Cross-site scripting (XSS) vulnerability in the Commerce Product Comparison Table widget in Liferay Portal 7.4.0 through 7.4.3.111, and Liferay DXP 2023.Q4.0 through 2023.Q4.5, 2023.Q3.1 through 2023.Q3.8, and 7.4 GA through update 92 allows remote attackers to inject arbitrary web script or HTML via a crafted payload injected into a Commerce Product's Name text field.

Modeling scams see mature models as attractive new prospects

Modeling scammers are reinventing old tricks for the social media age—targeting not just the young, but older adults too.

China-Nexus Actors Weaponize 'Nezha' Open Source Tool

A threat actor is putting a spin on classic remote monitoring and management (RMM) attacks, using a Chinese open source tool instead.

Chinese Hackers Weaponize Open-Source Nezha Tool in New Attack Wave

Threat actors with suspected ties to China have turned a legitimate open-source monitoring tool called Nezha into an attack weapon, using it to deliver a known malware called Gh0st RAT to targets. The activity, observed by cybersecurity company Huntress in August 2025, is characterized by the use of an unusual technique called log poisoning (aka log injection) to plant a web shell on a web

Calling All Influencers: Spear-Phishers Dangle Tesla, Red Bull Jobs

Wanna work for a hot brand? Cyberattackers continue to evolve lures for job seekers in an impersonation campaign aimed at stealing résumés from social media pros.

GHSA-2pgj-5cv2-6xxw: FuelVM is vulnerable to heap memory allocation re-use bug

### Impact

A memory safety vulnerability was present in the Fuel Virtual Machine (FuelVM), where memory reads could bypass expected access controls. Specifically, when a smart contract performed a `mload` (or other opcodes which access memory) on memory that had been deallocated using `ret`, it was still able to access the old memory contents. This occurred because the memory region was not zeroed out or otherwise marked as invalid. As a result, smart contracts could potentially read sensitive data left over from other contracts if the same memory was reallocated, violating isolation guarantees between contracts and enabling unintended data leakage. All users running affected versions of FuelVM that relied on strict memory isolation between smart contracts were impacted.

### Patches

The vulnerability was patched by modifying the FuelVM to ensure that memory deallocated with `ret` was zeroed out or made inaccessible. The fix was included in FuelVM version `v0.60.1` and back-ported t...