Latest News
### Impact Prototype pollution potential with the utility function `rollbar/src/utility`.`set()`. No impact when using the published public interface. If application code directly imports `set` from `rollbar/src/utility` and then calls `set` with untrusted input in the second argument, it is vulnerable to prototype pollution. POC: ```js const obj = {}; require("rollbar/src/utility").set(obj, "__proto__.polluted", "vulnerable"); console.log({}.polluted !== undefined ? '[POLLUTION_TRIGGERED]':''); ``` ### Patches Fixed in version 2.26.5 and 3.0.0-beta5. ### Workarounds If application code directly imports `set` from `rollbar/src/utility`, ensure that the second argument does not receive untrusted input. ### References https://github.com/rollbar/rollbar.js/issues/1333#issuecomment-3353720946
### Summary The JS implementation for copying button labels to the sticky header in the Citizen skin unescapes HTML characters, allowing for stored XSS through system messages. ### Details In the `copyButtonAttributes` function in `stickyHeader.js`, when copying the button labels, the `innerHTML` of the new element is set to the `textContent` of the old element: https://github.com/StarCitizenTools/mediawiki-skins-Citizen/blob/f4cbcecf5aca0ae69966b23d4983f9cb5033f319/resources/skins.citizen.scripts/stickyHeader.js#L29-L41 This unescapes any escaped HTML characters and causes the contents of the system messages to be interpreted as HTML. ### PoC 1. Edit any of the affected messages (`citizen-share`, `citizen-view-history`, `citizen-view-edit`, `nstab-talk`) to the following payload: `<img src="" onerror="alert('Sticky Header Button XSS')">`. 2. Visit any mainpage article in the wiki using the Citizen skin. <img width="495" height="228" alt="image" src="https://github.com/user-attachme...
Apache Syncope offers the ability to extend / customize the base behavior on every deployment by allowing to provide custom implementations of a few Java interfaces; such implementations can be provided either as Java or Groovy classes, with the latter being particularly attractive as the machinery is set for runtime reload. Such a feature has been available for a while, but recently it was discovered that a malicious administrator can inject Groovy code that can be executed remotely by a running Apache Syncope Core instance. Users are recommended to upgrade to version 3.0.14 / 4.0.2, which fix this issue by forcing the Groovy code to run in a sandbox.
Cross-Site Scripting (XSS) vulnerability exists in TastyIgniter 3.7.7, affecting the /admin/media_manager component. Attackers can upload a malicious SVG file containing JavaScript code. When an administrator previews the file, the code executes in their browser context, allowing the attacker to perform unauthorized actions such as modifying the admin account credentials.
"FD-SOI" makes hardware attacks on silicon chips more difficult. And, researchers argue, it'll help OEMs with regulatory compliance.
The sophisticated worm — which uses invisible code to steal credentials and turn developer systems into criminal proxies — has so far infected nearly 36k machines.
This week on the Lock and Code podcast… Google is everywhere in our lives. It’s reach into our data extends just...
Amazon Web Services experienced DNS resolution issues on Monday morning, taking down wide swaths of the web—and highlighting a long-standing weakness in the internet's infrastructure.
Chinese gangs are using US SIM farms and money mules to run industrial-scale text scams that steal and launder Americans’ card data.
It’s easy to think your defenses are solid — until you realize attackers have been inside them the whole time. The latest incidents show that long-term, silent breaches are becoming the norm. The best defense now isn’t just patching fast, but watching smarter and staying alert for what you don’t expect. Here’s a quick look at this week’s top threats, new tactics, and security stories shaping