Latest News

Versions of the package algoliasearch-helper from 2.0.0-rc1 and before 3.11.2 are vulnerable to Prototype Pollution in the _merge() function in merge.js, which allows constructor.prototype to be written even though doing so throws an error. In the "extreme edge-case" that the resulting error is caught, code injected into the user-supplied search parameter may be exeucted. This is related to but distinct from the issue reported in [CVE-2021-23433](https://security.snyk.io/vuln/SNYK-JS-ALGOLIASEARCHHELPER-1570421). **NOTE:** This vulnerability is not exploitable in the default configuration of InstantSearch since searchParameters are not modifiable by users.

PiranhaCMS 12.0 allows stored XSS in the Text content block of Standard and Standard Archive Pages via /manager/pages, enabling execution of arbitrary JavaScript in another user s browser.

Three international vehicle manufacturers have fallen to supply chain cyberattacks in the past month alone.

By inflating numbers and narrowing definitions, Heritage promotes a false link between transgender identity and violence in its push for the FBI to create a new terrorism category.

A new campaign has been observed impersonating Ukrainian government agencies in phishing attacks to deliver CountLoader, which is then used to drop Amatera Stealer and PureMiner. "The phishing emails contain malicious Scalable Vector Graphics (SVG) files designed to trick recipients into opening harmful attachments," Fortinet FortiGuard Labs researcher Yurren Wan said in a report shared with The

Hackers stole data on 8,000 nursery children, then called the children's parents, hoping to increase leverage for their ransom demand.

Bitdefender warns that the TradingView Premium ad scam now targets Google ads and YouTube, hijacking verified channels to spread spyware.

### Summary A bug in the OpenMLS library prevented private key material from being updated in storage during message processing. The key material in question are the keys stored in the MLS secret tree, which are used for decryption of private MLS messages. The effects of the bug are limited in scope, but can affect forward secrecy and limit how many messages can be decrypted. ### Technical details #### Scope The scope of the bug is limited to private messages (application and handshake messages) received in groups. Furthermore, the scope is limited to one epoch and the effects are reset with each epoch transition, or through consecutive group operations without reloading group state in between. #### Functional impact Within each epoch of a group, there is a maximum number of private messages per sender that can be skipped before an error is thrown. The number of messages is set through maximum_forward_distance in the SenderRatchetConfiguration and the default value is 1000. The b...

## Duplicate Advisory This advisory has been withdrawn because it is a duplicate of GHSA-7vm2-j586-vcvc. This link is maintained to preserve external references. ## Original Description A flaw was found in the live query subscription mechanism of the database engine. This vulnerability allows record or guest users to observe unauthorized records within the same table, bypassing access controls, via crafted LIVE SELECT subscriptions when other users alter or delete records.

Security researchers say multiple threat groups, including Iran's Charming Kitten APT offshoot Subtle Snail, are deploying malware with code-signing certificates from the Houston-based company.