Latest News

A reflected cross-site scripting (XSS) vulnerability in the Liferay Portal 7.4.0 through 7.4.3.132, and Liferay DXP 2025.Q2.0 through 2025.Q2.8, 2025.Q1.0 through 2025.Q1.15, 2024.Q4.0 through 2024.Q4.7, 2024.Q3.1 through 2024.Q3.13, 2024.Q2.1 through 2024.Q2.13 and 2024.Q1.1 through 2024.Q1.19 allows a remote authenticated user to inject JavaScript code via _com_liferay_expando_web_portlet_ExpandoPortlet_displayType parameter. Liferay Portal is fixed on the master branch from commit acc4771.

Threat actors are exploiting a nearly two-year-old security flaw in Apache ActiveMQ to gain persistent access to cloud Linux systems and deploy malware called DripDropper. But in an unusual twist, the unknown attackers have been observed patching the exploited vulnerability after securing initial access to prevent further exploitation by other adversaries and evade detection, Red Canary said in

Attackers are wielding the sophisticated modular malware while exploiting CVE-2025-29824, a previously zero-day flaw in Windows Common Log File System (CLFS) that allows attackers to gain system-level privileges on compromised systems.

Led by US senator Jon Ossoff, the investigation cites hundreds of reports since January, including accounts of miscarriages, child neglect, and sexual abuse at ICE detention centers in dozens of states.

Australian ISP iiNet confirms data breach as hackers stole 280,000 email accounts, phone numbers and user data using…

Nearly a million records, which appear to be linked to a medical-cannabis-card company in Ohio, included Social Security numbers, government IDs, health conditions, and more.

### Summary In affected versions of `astro`, the image optimization endpoint in projects deployed with on-demand rendering allows images from unauthorized third-party domains to be served. ### Details On-demand rendered sites built with Astro include an `/_image` endpoint which returns optimized versions of images. The `/_image` endpoint is restricted to processing local images bundled with the site and also supports remote images from domains the site developer has manually authorized (using the [`image.domains`](https://docs.astro.build/en/reference/configuration-reference/#imagedomains) or [`image.remotePatterns`](https://docs.astro.build/en/reference/configuration-reference/#imageremotepatterns) options). However, a bug in impacted versions of `astro` allows an attacker to bypass the third-party domain restrictions by using a protocol-relative URL as the image source, e.g. `/_image?href=//example.com/image.png`. ### Proof of Concept 1. Create a new minimal Astro project (`as...

Startups are ready to bring AI powered toys to the market as an alternative for screen time. But is that really progress?

### Summary There is no authentication of any kind. ### Details TLS is implemented, the tunnel between the client and server is secure, however once data is on the server, it's free to be read by any adversaries. On the client side : https://github.com/hydraide/hydraide/blob/main/sdk/go/hydraidego/client/client.go#L221 It should be using a TLS Config with RootCAs and Certificates, currently RootCAs only (under NewClientTLSFromFile) And on the server side, there should be ClientCAs and ClientAuth filled. ### PoC To bypass as is, the simplest way is to take the client and modify the code as such : Modified from https://github.com/hydraide/hydraide/blob/main/sdk/go/hydraidego/client/client.go#L209 ```go // hostOnly := strings.Split(server.Host, ":")[0] // creds, certErr := credentials.NewClientTLSFromFile(server.CertFilePath, hostOnly) // if certErr != nil { // slog.Error("error while loading TLS credentials: ", "error", certErr, "server", server.Host, "fromIsland", se...

### Impact A stored **Cross-Site Scripting (XSS)** vulnerability was identified in [n8n](https://github.com/n8n-io/n8n), specifically in the **Form Trigger** node's **HTML form element**. An authenticated attacker can inject malicious HTML via an `<iframe>` with a `srcdoc` payload that includes arbitrary JavaScript execution. The attacker can also inject malicious Javascript by using `<video>` coupled `<source>` using an `onerror` event. While using `iframe` or a combination of `video` and `source` tag, this vulnerability allows for Account Takeover (ATO) by exfiltrating `n8n-browserId` and session cookies from authenticated users who visit a maliciously crafted form. Using these tokens and cookies, an attacker can impersonate the victim and change account details such as email addresses, enabling full control over the account—especially if 2FA is not enabled. ### Patches The issue was addressed in [PR #16329](https://github.com/n8n-io/n8n/pull/16329). Users should upgrade to versio...