A reflected cross-site scripting (XSS) vulnerability in the Liferay Portal 7.4.0 through 7.4.3.131, and Liferay DXP 2024.Q4.0 through 2024.Q4.7, 2024.Q3.1 through 2024.Q3.13, 2024.Q2.0 through 2024.Q2.13, 2024.Q1.1 through 2024.Q1.12 and 7.4 GA through update 92 allows an remote non-authenticated attacker to inject JavaScript into the google_gadget.

**Exploitability Metrics**

Attack Vector: This metric reflects the context by which vulnerability exploitation is possible. This metric value (and consequently the resulting severity) will be larger the more remote (logically, and physically) an attacker can be in order to exploit the vulnerable system. The assumption is that the number of potential attackers for a vulnerability that could be exploited from across a network is larger than the number of potential attackers that could exploit a vulnerability requiring physical access to a device, and therefore warrants a greater severity.

Attack Complexity: This metric captures measurable actions that must be taken by the attacker to actively evade or circumvent existing built-in security-enhancing conditions in order to obtain a working exploit. These are conditions whose primary purpose is to increase security and/or increase exploit engineering complexity. A vulnerability exploitable without a target-specific variable has a lower complexity than a vulnerability that would require non-trivial customization. This metric is meant to capture security mechanisms utilized by the vulnerable system.

Attack Requirements: This metric captures the prerequisite deployment and execution conditions or variables of the vulnerable system that enable the attack. These differ from security-enhancing techniques/technologies (ref Attack Complexity) as the primary purpose of these conditions is not to explicitly mitigate attacks, but rather, emerge naturally as a consequence of the deployment and execution of the vulnerable system.

Privileges Required: This metric describes the level of privileges an attacker must possess prior to successfully exploiting the vulnerability. The method by which the attacker obtains privileged credentials prior to the attack (e.g., free trial accounts), is outside the scope of this metric. Generally, self-service provisioned accounts do not constitute a privilege requirement if the attacker can grant themselves privileges as part of the attack.

User interaction: This metric captures the requirement for a human user, other than the attacker, to participate in the successful compromise of the vulnerable system. This metric determines whether the vulnerability can be exploited solely at the will of the attacker, or whether a separate user (or user-initiated process) must participate in some manner.

**Vulnerable System Impact Metrics**

Confidentiality: This metric measures the impact to the confidentiality of the information managed by the VULNERABLE SYSTEM due to a successfully exploited vulnerability. Confidentiality refers to limiting information access and disclosure to only authorized users, as well as preventing access by, or disclosure to, unauthorized ones.

Integrity: This metric measures the impact to integrity of a successfully exploited vulnerability. Integrity refers to the trustworthiness and veracity of information. Integrity of the VULNERABLE SYSTEM is impacted when an attacker makes unauthorized modification of system data. Integrity is also impacted when a system user can repudiate critical actions taken in the context of the system (e.g. due to insufficient logging).

Availability: This metric measures the impact to the availability of the VULNERABLE SYSTEM resulting from a successfully exploited vulnerability. While the Confidentiality and Integrity impact metrics apply to the loss of confidentiality or integrity of data (e.g., information, files) used by the system, this metric refers to the loss of availability of the impacted system itself, such as a networked service (e.g., web, database, email). Since availability refers to the accessibility of information resources, attacks that consume network bandwidth, processor cycles, or disk space all impact the availability of a system.

**Subsequent System Impact Metrics**

Confidentiality: This metric measures the impact to the confidentiality of the information managed by the SUBSEQUENT SYSTEM due to a successfully exploited vulnerability. Confidentiality refers to limiting information access and disclosure to only authorized users, as well as preventing access by, or disclosure to, unauthorized ones.

Integrity: This metric measures the impact to integrity of a successfully exploited vulnerability. Integrity refers to the trustworthiness and veracity of information. Integrity of the SUBSEQUENT SYSTEM is impacted when an attacker makes unauthorized modification of system data. Integrity is also impacted when a system user can repudiate critical actions taken in the context of the system (e.g. due to insufficient logging).

Availability: This metric measures the impact to the availability of the SUBSEQUENT SYSTEM resulting from a successfully exploited vulnerability. While the Confidentiality and Integrity impact metrics apply to the loss of confidentiality or integrity of data (e.g., information, files) used by the system, this metric refers to the loss of availability of the impacted system itself, such as a networked service (e.g., web, database, email). Since availability refers to the accessibility of information resources, attacks that consume network bandwidth, processor cycles, or disk space all impact the availability of a system.

GHSA-222w-xmc5-jhp3: Liferay Portal and Liferay DXP have a reflected cross-site scripting vulnerability

A new report from Bitdefender reveals the Russian-linked hacking group Curly COMrades is targeting Eastern Europe with a…

A new report from Bitdefender reveals the Russian-linked hacking group Curly COMrades is targeting Eastern Europe with a new backdoor called MucorAgent. Learn how they’re using advanced tactics to steal data.

A new hacking group with ties to Russia has been identified by cybersecurity researchers at Bitdefender. The group, dubbed Curly COMrades, is actively targeting countries in Eastern Europe that are experiencing geopolitical tensions.

According to Bitdefender’s investigation, shared with Hackread.com ahead of its publication, the attacks began in mid-2024. The group’s targets include government bodies and an energy distribution company in Eastern Europe, specifically in Georgia and Moldova, where geopolitical tensions are high. The main goal of these hackers is to spy on their targets and steal sensitive information.

The Curly COMrades is using advanced techniques to stay hidden and maintain long-term access to their victims’ computer networks. One of their key tools is a new type of backdoor called MucorAgent. What makes this malware particularly clever is how it stays on a computer. The hackers found a way to hijack a built-in Windows component called NGEN, which normally helps applications run faster.

By exploiting a dormant scheduled task within NGEN, the hackers can secretly reactivate their malware at random times, such as when the computer is idle or a new program is installed. This unpredictable method makes it much harder for security teams to detect and remove the threat. Researchers noted that this technique, leveraging CLSID hijacking in conjunction with NGEN, is “unprecedented in our observations.”

The group also uses specialized proxy tools like Resocks and Stunnel, as well as other methods like Mimikatz and DCSync, to steal passwords and other credentials. This tactic helps them blend in with normal internet activity, bypassing many security systems.

So, what happens is that Curly COMrades gain access to a computer network, set up a secret pathway using tools like Resocks and Stunnel, and install MucorAgent malware. This malware tricks NGEN, hijacking a hidden task and reappearing even after removal. Hackers use compromised websites as decoys to send the stolen information back to their servers, making it difficult to trace.

Source: Bitdefender

In their technical report, Bitdefender explained that the group’s name, Curly COMrades, comes from the hackers’ heavy use of the “curl.exe” tool and their focus on hijacking COM objects. Researchers chose the name to avoid giving threat actors “cool” or “fancy” names, as is the current trend within the cybersecurity community, arguing that it can inadvertently glorify them. They believe that by choosing a less flattering name, they can “de-glamorize cybercrime, stripping away any perception of sophistication or mystique.”

Russian-Linked Curly COMrades Deploy MucorAgent Malware in Europe

Scam hunter Julie-Anne Kearns, who helps scam victims online, opened up about a tax scam she fell for herself.

The next time you shake your head at another online scam and vow that you’d never fall for it, remember that even the most tech-savvy people can sometimes slip up.

A case in point: Julie-Anne Kearns. This self-made scam-hunter told her story to the Guardian last week, revealing how she had been duped by people pretending to be from His Majesty’s Revenue and Customs (HMRC), which is the UK’s version of the US Internal Revenue Service (IRS).

Kearns had first pursued scam-hunting when spotting an attempt to scam her in 2022. After reporting on it on her TikTok account, she started hearing from plenty of people sharing their own experiences of online scams. Although she worked full time for the UK’s National Health Service, she began helping victims track down online criminals.

As her following grew, more online scammers tried to dupe her. Eventually, one succeeded.

It was a classic refund scam, with the criminals impersonating HMRC and sending Kearns a letter telling her she had a rebate. They asked for extra details to confirm her identity, and because the letter seemed consistent with others from the real HMRC, Kearns complied.

Kearns sent the scammers copies of her passport and driving license. The scammers promptly used those materials to claim Kearns’s rebate, and also sold the information on the dark web. The identity thieves started a business in Kearns’s name and took out loans. This tanked her credit rating and also left her battling a legal claim for non-payment of a £16,000 loan that she never took out.

“I worried about whether to share that I’d been scammed,” Kearns told the Guardian. She decided to tell all, because she hoped it might help others avoid the same fate.

Kearns isn’t the only savvy person in the cybersecurity field to fall victim to scammers. Others who are clued into scams have also been taken in. Cybersecurity researcher Troy Hunt fell victim to a phishing attack in March, after someone pretending to be from his newsletter distribution provider Mailchimp sent a bogus notification about penalties to his account. In the attack, the scammer stole around 16,000 records belonging to his blog subscribers.

“I’m enormously frustrated with myself for having fallen for this, and I apologize to anyone on that list,” Hunt wrote at the time.

Jim Browning, a scam hunter who regularly goes after online criminals halfway around the world, also suffered from a phishing attack in 2021. Criminals pretending to be from YouTube used Google Chat to send an email from the Google domain, convincing him to delete his YouTube channel.

“It wasn’t exactly my finest hour, but it does go to prove that anyone can be scammed if the circumstances are exactly right,” he said after getting his channel reinstated.

These experiences illustrate why victim shaming is such a pointless exercise. If people with experience in scamming sometimes get scammed themselves, then it’s understandable that those with less expertise in online crime also get taken in.

Even those trying to protect themselves will run across situations where they let their guard down, whether it’s phishing, answering seemingly legitimate letters from the tax department, or falling for a romance scam because they’re lonely.

Shame is a powerful weapon. When someone is caught in a scam, fear of speaking out can make things worse. So, if there’s someone you know who has been caught in a scam, have some compassion, and a non-judgmental ear.

**We don’t just report on threats—we remove them**

Cybersecurity risks should never spread beyond a headline. Keep threats off your devices by downloading Malwarebytes today.

 Scam hunter scammed by tax office impersonators 

The first documented deployment of the novel malware in a campaign against the Middle Eastern public sector and aviation industry may be tied to China's state-sponsored actor Earth Baxia.

Charon Ransomware Emerges With APT-Style Tactics

Securing business logic isn't just a technical requirement — it's a business imperative.

How to Stay a Step Ahead of a Non-Obvious Threat

A previously undocumented threat actor dubbed Curly COMrades has been observed targeting entities in Georgia and Moldova as part of a cyber espionage campaign designed to facilitate long-term access to target networks.
"They repeatedly tried to extract the NTDS database from domain controllers -- the primary repository for user password hashes and authentication data in a Windows network,"

New ‘Curly COMrades’ APT Using NGEN COM Hijacking in Georgia, Moldova Attacks

Scammers are using the age old tactic of scaring victims into clicking by sending out fake product recall messages from Amazon.

Scammers are using the age old tactic of scaring victims into clicking by sending out fake product recall messages from Amazon.

The text message tells you that the item does not meet Amazon’s standards, and tries to install some urgency by claiming it is not safe to use. It also includes a link where it says you can find more information and claim a refund.

> “Amazon Safety Recall: We are contacting you because the product you purchased is being recalled. This recall is due to quality and safety issues. We urge you to stop using the product immediately and contact us to arrange a full refund. You can view your order details at the following link:
> 
> Safety Recall: Order Number:#-142-15261-31435 Your safety is our top priority, please visit our website for more details and instructions. We apologize for the inconvenience and disappointment this may cause you.
> 
> Thank you for shopping at Amazon.”

Of course the link doesn’t go anywhere near Amazon, it’s actually a shortened URL that sends you to amazonzbzc\[.\]co. This is a known phishing site that mimics Amazon, and is after your personal information or to steal your money.

The text messages are intentionally vague about the nature of the product or the exact issue they are being recalled for. This is done so a maximum number of people will think that this might concern them. If the scammers said that the TV you bought might explode, you wouldn’t click the link if you hadn’t purchased a TV recently.

The Federal Trade Commission even issued a warning about these scams back in July, illustrating how this type of scam tactic is growing.

**How to avoid Amazon phishing scams**

*   If you receive a text like this, don’t click on any links. Instead, check if it’s legit by logging in to the Amazon app or website, then going to **Message Centre** under **Your Account**. Legitimate messages from Amazon will appear there.
*   Report the scam to Amazon itself, whether you’ve fallen for it or not. US citizens can send unwanted texts to 7726(SPAM) or use the **Report Junk** option.
*   Set up two-step verification for your Amazon account. This puts an extra barrier between you and the scammers if they do manage to get hold of your login details.
*   Scammers sometimes use information they’ve found online to personalize their scam messages. Check what information is already out there about you using our free Digital Footprint Scanner and then remove or change as much of it as you can.
*   Install web protection that can warn you of phishing sites, card skimmers, and other nasties that could lead to your data being taken.
*   Lastly, if you’ve fallen for this or a similar scam, change your Amazon password and anywhere else you use that password. Also, make sure to monitor your card statements for any unfamiliar charges, and contact your bank immediately if you see anything suspicious.

**We don’t just report on scans—we help detect them**

Cybersecurity risks should never spread beyond a headline. If something looks dodgy to you, check if it’s a scam using Malwarebytes Scam Guard, a feature of our mobile protection products. Submit a screenshot, paste suspicious content, or share a text or phone number, and we’ll tell you if it’s a scam or legit. Download Malwarebytes Mobile Security for iOS or Android and try it today!

 That &#8220;Amazon Safety Recall&#8221; message may well be a scam 

A Denial Of Service via File Upload (DOS) vulnerability in Liferay Portal 7.4.3.0 through 7.4.3.132, Liferay DXP 2025.Q1.0 through 2025.Q1.8, 2024.Q4.0 through 2024.Q4.7, 2024.Q3.0 through 2024.Q3.13, 2024.Q2.0 through 2024.Q2.13, 2024.Q1.1 through 2024.Q1.16 and 7.4 GA through update 92 allows a user to upload a profile picture of more than 300kb into a user profile. This size is more than the noted max 300kb size. This extra data can significantly slow down the Liferay service.

**Package**

maven com.liferay.portal:release.dxp.bom (Maven)

**Affected versions**

\>= 2025.Q1.0, <= 2025.Q1.8

\>= 2024.Q4.0, <= 2024.Q4.7

\>= 2024.Q3.0, <= 2024.Q3.13

\>= 2024.Q2.0, <= 2024.Q2.13

\>= 2024.Q1.0, <= 2024.Q1.16

<= 7.4.13.u92

**Patched versions**

2025.Q1.9

2024.Q1.17

maven com.liferay.portal:release.portal.bom (Maven)

maven com.liferay:com.liferay.account.admin.web (Maven)

maven com.liferay:com.liferay.frontend.taglib (Maven)

maven com.liferay:com.liferay.image.uploader.web (Maven)

maven com.liferay:com.liferay.users.admin.web (Maven)

GHSA-cg99-m88x-422c: Liferay Portal and Liferay DXP have a Denial Of Service via File Upload (DOS) vulnerability

A resource allocation vulnerability exists in Bouncy Castle for Java (by Legion of the Bouncy Castle Inc.) that affects all API modules. The vulnerability allows attackers to cause excessive memory allocation through unbounded resource consumption, potentially leading to denial of service. The issue is located in the ASN1ObjectIdentifier.java file in the core module.

This issue affects Bouncy Castle for Java: from BC 1.0 through 1.77, from BC-FJA 1.0.0 through 2.0.0.

GHSA-67mf-3cr5-8w23: Bouncy Castle for Java on All (API modules) allows Excessive Allocation

Dozens of companies are hiding how you can delete your personal data, The Markup and CalMatters found.

Data brokers are required by California law to provide ways for consumers to request their data be deleted. But good luck finding them.

More than 30 of the companies, which collect and sell consumers’ personal information, hid their deletion instructions from Google, according to a review by The Markup and CalMatters of hundreds of broker websites. This creates one more obstacle for consumers who want to delete their data.

Many of the pages containing the instructions, listed in an official state registry, use code to tell search engines to remove the page entirely from search results. Popular tools like Google and Bing respect the code by excluding pages when responding to users.

Data brokers nationwide must register in California under the state’s Consumer Privacy Act, which allows Californians to request that their information be removed, that it not be sold, or that they get access to it.

After reviewing the websites of all 499 data brokers registered with the state, we found 35 had code to stop certain pages from showing up in searches.

While those companies might be fulfilling the letter of the law by providing a page consumers can use to delete their data, it means little if those consumers can’t find the page, according to Matthew Schwartz, a policy analyst at Consumer Reports who studies the California law governing data brokers and other privacy issues.

“This sounds to me like a clever work-around to make it as hard as possible for consumers to find it,” Schwartz said.

After The Markup and CalMatters contacted the data brokers, eight said they would review the code on their websites or remove it entirely, and another two said they had independently deleted the code before being contacted. The Markup and CalMatters confirmed nine of the 10 companies removed the code.

Two companies said they added the code intentionally to avoid spam at the recommendation of experts and would not change it. The other 24 companies didn’t respond to a request for comment; however, three removed the code after The Markup and CalMatters contacted them. After publication, one company that did not previously respond, USPeopleSearch.com, said it had removed the code.

(See the data on our GitHub repo.)

Most of the companies that did respond said they were unaware the code was on their pages.

“The presence of the \[code\] on our opt-out page was indeed an oversight and not intentional,” May Haddad, a spokesperson for data company FourthWall, said in an emailed response. “Our team promptly rectified the issue upon being informed. As a standard practice, all critical pages—including opt-out and privacy pages—are intended to be indexed by default to ensure maximum visibility and accessibility.” The Markup and CalMatters confirmed that the code had been removed as of July 31.

Some companies that hid their privacy instructions from search engines included a small link at the bottom of their homepage. Accessing it often required scrolling multiple screens, dismissing pop-ups for cookie permissions and newsletter sign-ups, then finding a link that was a fraction the size of other text on the page.

So consumers still faced a serious hurdle when trying to get their information deleted.

Take the simple opt-out form for ipapi, a service offered by Kloudend that finds the physical locations of internet visitors based on their IP addresses. People can go to the company’s website to request that the company “Do Not Sell” their personal data or to invoke their “Right to Delete” it—but they would have had trouble finding the form, since it contained code excluding it from search results. A spokesperson for Kloudend described the code as an “oversight” and said the page had been changed to be visible to search engines; The Markup and CalMatters confirmed that the code had been removed as of July 31.

Telesign, a company that advertises fraud-prevention services for businesses, offers a simple form for “Data Deletion” and “Opt Out / Do Not Sell.” But that form is hidden from search engines and other automated systems and isn’t linked on its homepage.

Instead, consumers must search about 7,000 words into a privacy policy filled with legalese to find a link to the page.

A spokesperson for Telesign didn’t respond to a request for comment.

Five of the pages listed in the California registry not only aren’t indexed for search, they don’t exist. For example, a company called BrightCheck, which offers “AI-driven identity verification,” lists a privacy instructions page on the California registry. But when The Markup and CalMatters visited the page in late July, we found a notice that the page no longer exists. The page was there on March 18 when The Markup and CalMatters first scanned the site, and the Wayback Machine has an archive of the page from February 14.

BrightCheck didn’t respond to a request for comment.

**The CCPA**

The California Consumer Privacy Act went into effect in 2020, governing companies that make most of their revenue from selling consumer data or who make more than $25 million per year or handle the data of more than 100,000 people in the state. With no comprehensive federal privacy law, the law is among the few regulations data brokers must comply with.

California’s most recent broker database lists nearly 500 companies, most of which consumers have likely never heard of. They include businesses with zippy startup names like StatSocial and UpLead, and they offer everything from email marketing tools to contact directories. CalMatters last year published a guide with information on how consumers can exercise their rights using the database or third-party tools and on how they can request deletion of their children' s information.

Tom Kemp, executive director of the entity tasked with enforcing the privacy law, the California Privacy Protection Agency, said in an interview that the agency had reproduced The Markup and CalMatters’ findings. While he declined to comment on any particular company’s practices, he pointed to an enforcement advisory from the agency on “dark patterns,” which are design choices that have “the substantial effect of subverting or impairing a consumer’s autonomy, decisionmaking, or choice.”

If a company makes it much more difficult to choose to remove their personal data than to contribute it, or includes excessive jargon or other hurdles for consumers to jump through to remove it, according to the advisory, they might be violating the law.

This year, the privacy agency has taken enforcement action against companies including Todd Snyder and Honda for, among other violations, making it too difficult to choose to not have their data used. Todd Snyder paid a nearly $350,000 fine this year, while Honda agreed to pay more than $630,000. Both agreed to overhaul their privacy practices.

Kemp said that, when determining whether a company has violated the privacy act, it’s important to determine whether there’s a pattern of activity making it difficult for consumers to exercise their rights. Hiding a privacy instructions page could be the first “thread” in determining whether a company is shirking their obligations.

In the past, other companies have been criticized for hiding important web pages from search engines. In 2019, ProPublica revealed how the company behind tax filing service TurboTax added code to effectively hide an option for users to file their taxes for free. A 2021 report from the Wall Street Journal found that hospitals were hiding prices they were required to post under federal transparency rules.

Recognizing that most Californians have never heard of the hundreds of companies in the data broker registry, lawmakers in California recently passed the Delete Act. The law will create a system called the Delete Request and Opt-out Platform, or DROP, which will allow consumers in California to send a single, legally binding request to all data brokers on the registry at one time. The privacy protection agency intends to launch it next year.

Methodology

_In the course of our investigation, we made adjustments to some URLs in California's registry. For 64 sites, we removed “www.” from the beginning of the domain name to resolve server errors. For an additional 16 sites, we manually edited the URL to get to a working page. In some cases, we fixed a typo, in others, we visited the broker's main site and found the correct link by navigating to it. Read our full methodology here._

_Updated 9:05 am ET, August 13, 2025: Following publication, additional data brokers said they would review or remove the code on their websites. The story has been updated to reflect this._

Latest News