Security
Headlines

Latest News

GHSA-456v-f425-8mcv: PiranhaCMS stored XSS

PiranhaCMS 12.0 allows stored XSS in the Text content block of Standard and Standard Archive Pages via /manager/pages, enabling execution of arbitrary JavaScript in another user's browser.

Volvo Employee SSNs Stolen in Supplier Ransomware Attack

Three international vehicle manufacturers have fallen to supply chain cyberattacks in the past month alone.

Heritage Foundation Uses Bogus Stat to Push a Trans Terrorism Classification

By inflating numbers and narrowing definitions, Heritage promotes a false link between transgender identity and violence in its push for the FBI to create a new terrorism category.

Researchers Expose SVG and PureRAT Phishing Threats Targeting Ukraine and Vietnam

A new campaign has been observed impersonating Ukrainian government agencies in phishing attacks to deliver CountLoader, which is then used to drop Amatera Stealer and PureMiner. "The phishing emails contain malicious Scalable Vector Graphics (SVG) files designed to trick recipients into opening harmful attachments," Fortinet FortiGuard Labs researcher Yurren Wan said in a report shared with The

Hackers threaten parents: Get nursery to pay ransom or we leak your child’s data

Hackers stole data on 8,000 nursery children, then called the children's parents, hoping to increase leverage for their ransom demand.

Google Ads Used to Spread Trojan Disguised as TradingView Premium

Bitdefender warns that the TradingView Premium ad scam now targets Google ads and YouTube, hijacking verified channels to spread spyware.

GHSA-qr9h-x63w-vqfm: OpenMLS improper persistence of the secret tree during message processing

### Summary

A bug in the OpenMLS library prevented private key material from being updated in storage during message processing. The key material in question is the set of keys stored in the MLS secret tree, which are used for decryption of private MLS messages. The effects of the bug are limited in scope, but can affect forward secrecy and limit how many messages can be decrypted.

### Technical details

#### Scope

The scope of the bug is limited to private messages (application and handshake messages) received in groups. Furthermore, the scope is limited to one epoch, and the effects are reset with each epoch transition or through consecutive group operations without reloading group state in between.

#### Functional impact

Within each epoch of a group, there is a maximum number of private messages per sender that can be skipped before an error is thrown. The number of messages is set through maximum_forward_distance in the SenderRatchetConfiguration and the default value is 1000. The b...
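The two effects the advisory names, weakened forward secrecy and a cap on how many messages can still be decrypted, follow directly from a sender ratchet whose advanced state is not written back to storage. The model below is an added example, not OpenMLS code: the ratchet step and message-key derivation are a plain SHA-256 chain standing in for the MLS KDF, the names SenderRatchet, RatchetStore, process_message and run_scenario are illustrative, the epoch secret is constructed, and persist=False is the simulated bug.

```python
import copy
import hashlib
from dataclasses import dataclass

# Default maximum_forward_distance named in the advisory.
MAXIMUM_FORWARD_DISTANCE = 1000


def derive_next(secret: bytes) -> bytes:
    """Toy one-way ratchet step (stand-in for the MLS KDF, not the real one)."""
    return hashlib.sha256(b"ratchet" + secret).digest()


def derive_message_key(secret: bytes) -> bytes:
    """Toy message key derived from the current ratchet secret."""
    return hashlib.sha256(b"key" + secret).digest()


@dataclass
class SenderRatchet:
    """Simplified per-sender symmetric ratchet for one epoch (hypothetical)."""
    secret: bytes
    generation: int = 0

    def key_for(self, target: int, max_forward: int = MAXIMUM_FORWARD_DISTANCE) -> bytes:
        if target < self.generation:
            # Key for a consumed generation was deleted: this is forward secrecy.
            raise ValueError("generation already consumed")
        if target - self.generation > max_forward:
            raise ValueError("too many skipped messages")
        while self.generation < target:
            self.secret = derive_next(self.secret)
            self.generation += 1
        key = derive_message_key(self.secret)
        # Consume this generation so the key material is not retained.
        self.secret = derive_next(self.secret)
        self.generation += 1
        return key


class RatchetStore:
    """In-memory stand-in for the group's persistent storage."""

    def __init__(self, ratchet: SenderRatchet) -> None:
        self._saved = copy.copy(ratchet)

    def load(self) -> SenderRatchet:
        return copy.copy(self._saved)

    def save(self, ratchet: SenderRatchet) -> None:
        self._saved = copy.copy(ratchet)


def process_message(store: RatchetStore, generation: int, persist: bool) -> bytes:
    """Load group state, derive the message key and, if persist is set, write the
    advanced ratchet back. persist=False models the bug: in-memory state moves on,
    storage does not."""
    ratchet = store.load()
    key = ratchet.key_for(generation)
    if persist:
        store.save(ratchet)
    return key


def run_scenario(persist: bool) -> dict:
    store = RatchetStore(SenderRatchet(secret=b"constructed epoch secret"))
    first_key = process_message(store, 0, persist)
    # After reloading state, can the key for generation 0 be derived again?
    try:
        replayable = process_message(store, 0, persist) == first_key
    except ValueError:
        replayable = False
    # Receive generations 1..1001 in order, reloading group state each time.
    decrypted = 0
    for generation in range(1, 1002):
        try:
            process_message(store, generation, persist)
            decrypted += 1
        except ValueError:
            break
    return {"old_key_replayable": replayable, "decrypted_after_reload": decrypted}


if __name__ == "__main__":
    print("state persisted:", run_scenario(persist=True))
    print("state not persisted (bug):", run_scenario(persist=False))
```

With persistence, a reload sees the advanced generation, so the generation 0 key cannot be re-derived and in-order messages are decryptable indefinitely. Without it, storage stays at generation 0: the old key is still derivable from disk, and the 1001st in-order message already exceeds maximum_forward_distance even though nothing was actually skipped, which is the decryption limit the advisory describes.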

GHSA-98f8-j56x-2hh4: Duplicate Advisory: SurrealDB is Vulnerable to Unauthorized Data Exposure via LIVE Query Subscriptions

## Duplicate Advisory

This advisory has been withdrawn because it is a duplicate of GHSA-7vm2-j586-vcvc. This link is maintained to preserve external references.

## Original Description

A flaw was found in the live query subscription mechanism of the database engine. This vulnerability allows record or guest users to observe unauthorized records within the same table, bypassing access controls, via crafted LIVE SELECT subscriptions when other users alter or delete records.

Iranian State Hackers Use SSL.com Certificates to Sign Malware

Security researchers say multiple threat groups, including Iran's Charming Kitten APT offshoot Subtle Snail, are deploying malware with code-signing certificates from the Houston-based company.

GHSA-q6hv-wcjr-wp8h: kcp is missing update validation allows arbitrary LogicalCluster status patches through initializingworkspaces Virtual Workspace

### Impact

Because UPDATE validation is not being applied, it is possible for an actor with access to an instance of the [initializingworkspaces virtual workspace](https://docs.kcp.io/kcp/latest/concepts/workspaces/workspace-initialization/) to run arbitrary patches on the status field of `LogicalCluster` objects while the workspace is initializing. This allows adding or removing any initializers as well as changing the phase of a `LogicalCluster` (to "Ready", for example). As this effectively allows skipping certain initializers or the entire initialization phase, potential integrations with external systems such as billing or security could be affected. Their initializers could be skipped by a `WorkspaceType` that adds another initializer and grants permissions to the virtual workspace to a rogue or compromised entity.

_Who is impacted?_

* Impacts other owners of `WorkspaceTypes` with initializers that are inherited by other `WorkspaceTypes`.
* Impacts developers using the `virtual/...
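What the missing UPDATE validation should have enforced can be shown as a diff check between the old and new status. The code below is an added example and not kcp's own implementation; the policy it encodes (a caller acting as initializer X may only remove X from the list, may not add initializers, and may not change the phase) is a hypothetical one chosen to block the three patches the advisory describes, and LogicalClusterStatus, validate_status_update and the sample initializer names are constructed for illustration.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class LogicalClusterStatus:
    """Hypothetical subset of a LogicalCluster status: phase plus pending initializers."""
    phase: str
    initializers: frozenset


def validate_status_update(old: LogicalClusterStatus, new: LogicalClusterStatus,
                           acting_initializer: str) -> tuple:
    """UPDATE validation for status patches arriving through the initializing
    workspaces virtual workspace (illustrative policy, not kcp's rules).

    Returns (allowed, reason). Only the caller's own initializer may be cleared;
    everything else in the status must stay identical, so an actor cannot skip
    other initializers or flip the phase to "Ready" on its own."""
    if new.phase != old.phase:
        return False, "phase may not be changed from %r to %r" % (old.phase, new.phase)
    added = new.initializers - old.initializers
    if added:
        return False, "initializers may not be added: %s" % sorted(added)
    removed = old.initializers - new.initializers
    foreign = removed - {acting_initializer}
    if foreign:
        return False, "only %r may be removed, not %s" % (acting_initializer, sorted(foreign))
    return True, "ok"


def apply_status_patch(old: LogicalClusterStatus, new: LogicalClusterStatus,
                       acting_initializer: str, validate: bool) -> LogicalClusterStatus:
    """Apply a patch; validate=False models the missing validation from the advisory."""
    if validate:
        allowed, reason = validate_status_update(old, new, acting_initializer)
        if not allowed:
            raise PermissionError(reason)
    return new


if __name__ == "__main__":
    # Constructed example: a rogue WorkspaceType added "rogue" alongside the
    # billing and security initializers, then tries to finish initialization early.
    current = LogicalClusterStatus("Initializing", frozenset({"billing", "security", "rogue"}))
    skip_all = LogicalClusterStatus("Ready", frozenset())
    remove_own = LogicalClusterStatus("Initializing", frozenset({"billing", "security"}))

    print("unvalidated:", apply_status_patch(current, skip_all, "rogue", validate=False))
    print("validated, own initializer:", apply_status_patch(current, remove_own, "rogue", validate=True))
    try:
        apply_status_patch(current, skip_all, "rogue", validate=True)
    except PermissionError as err:
        print("validated, skip everything:", err)
```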