Latest News
This week on the Lock and Code podcast, we speak with Peter Dolanjski about the internet's thirst for your data, and how to stay private.
New research from Check Point Research reveals the Iranian cyber group Nimbus Manticore is targeting defence, telecom, and aerospace companies in Europe with fake job offers. Learn how they use advanced malware to steal sensitive data.
The U.S. Secret Service on Tuesday said it took down a network of electronic devices located across the New York tri-state area that were used to threaten U.S. government officials and posed an imminent threat to national security. "This protective intelligence investigation led to the discovery of more than 300 co-located SIM servers and 100,000 SIM cards across multiple sites," the Secret
The huggingface/transformers library, versions prior to 4.53.0, is vulnerable to Regular Expression Denial of Service (ReDoS) in the AdamWeightDecay optimizer. The vulnerability arises from the _do_use_weight_decay method, which processes user-controlled regular expressions in the include_in_weight_decay and exclude_from_weight_decay lists. Malicious regular expressions can cause catastrophic backtracking during the re.search call, leading to 100% CPU utilization and a denial of service. This issue can be exploited by attackers who can control the patterns in these lists, potentially causing the machine learning task to hang and rendering services unresponsive.
An authenticated stored cross-site scripting (XSS) vulnerability exists in multiple WSO2 products due to improper validation of user-supplied input during API document upload in the Publisher portal. A user with publisher privileges can upload a crafted API document containing malicious JavaScript, which is later rendered in the browser when accessed by other users. A successful attack could result in redirection to malicious websites, unauthorized UI modifications, or exfiltration of browser-accessible data. However, session-related sensitive cookies are protected by the httpOnly flag, preventing session hijacking.
# Summary A reflected cross-site scripting (XSS) vulnerability exists under certain conditions, using a specially crafter url to view a user profile # Description DNN’s URL/path handling and template rendering can allow specially crafted input to be reflected into a user profile that are returned to the browser. In these cases, the application does not sufficiently neutralize or encode characters that are meaningful in HTML, so an attacker can cause a victim’s browser to interpret attacker-controlled content as part of the page’s HTML.
# Summary Users that can edit modules could set a title that includes scripts. # Description Some users (administrators and content editors) can set html in module titles and that could include javascript which could be used for XSS based attacks. With the addition of more roles being able to set module titles, this is not strictly limited to administrators. However since HTML in module titles could be a valid use case, we have added a setting for this functionality in the Security module in the Persona Bar.
# Summary The Prompt module allows execution of commands that can return raw HTML. Malicious input, even if sanitized for display elsewhere, can be executed when processed through certain commands, leading to potential script execution (XSS). # Description The application sanitizes most user-submitted data before displaying it in entry forms. However, the Prompt module is capable of running commands whose output is treated as HTML. This creates a vulnerability where a malicious user can craft input containing embedded scripts or harmful markup. If such malicious content is later processed by a Prompt command and returned as HTML, it bypasses the standard sanitation mechanisms. Simply executing a specific command through the Prompt module could render this untrusted data and cause unintended script execution in the browser specially in the context of a super-user.
Newly released data shows Customs and Border Protection funneled the DNA of nearly 2,000 US citizens—some as young as 14—into an FBI crime database, raising alarms about oversight and legality.
A lack of restrictions allowed data hoarders to steal sensitive and copyrighted material from the AAPB website for years.