Latest News

A cross-site scripting (XSS) vulnerability has been discovered in the Clickstorm SEO extension. This vulnerabily is exploitable by a logged in backend user utilizing the TYPO3 backend user interface. This user can create output in the HTML context by exploiting improperly encoded user input. Updates 6.7.0, 7.4.0, 8.3.0 and 9.2.0 are available for download.

A cross-site scripting (XSS) vulnerability has been discovered in the Additional TCA extension. This vulnerabily is exploitable by a logged in backend user utilizing the TYPO3 backend user interface. This user can create output in the HTML context by exploiting improperly encoded user input. Updates 1.15.17 and 1.16.9 are available for download.

Today, ensuring the security and integrity of your software supply chain is more critical than ever. Red Hat Advanced Cluster Security for Kubernetes is focused on providing users the tools to tackle the greatest security challenges.One essential tool in this effort is the software bill of materials (SBOM), which provides a comprehensive list of all components and libraries used within a software product. With the growing importance of SBOMs for supply chain security—especially in light of the NIST Executive Order—Red Hat Advanced Cluster Security 4.7 introduces new features for generating

$32B Wiz acquisition: Google ramps up cloud security. Following Mandiant, this deal signals major GCP defense upgrade.

Reddit users from trading and crypto subreddits are being lured into installing malware disguised as premium cracked software.

### Impact User control of the first argument of the `addImage` method results in CPU utilization and denial of service. If given the possibility to pass unsanitized image urls to the `addImage` method, a user can provide a harmful data-url that results in high CPU utilization and denial of service. Other affected methods are: `html`, `addSvgAsImage`. Example payload: ```js import { jsPDF } from "jpsdf" const doc = new jsPDF(); const payload = 'data:/charset=scharset=scharset=scharset=scharset=scharset=scharset=scharset=scharset=scharset=scharset=scharset=scharset=scharset=scharset=scharset=scharset=scharset=scharset=scharset=scharset=scharset=scharset=scharset=scharset=scharset=scharset=scharset=s\x00base64,undefined'; const startTime = performance.now() try { doc.addImage(payload, "PNG", 10, 40, 180, 180, undefined, "SLOW"); } catch (err) { const endTime = performance.now() console.log(`Call to doc.addImage took ${endTime - startTime} milliseconds`) } doc.save("a4.pdf");...

### Impact Users can upload SVG files with malicious code, which is then executed in the back end and/or front end. ### Patches Update to Contao 4.13.54, 5.3.30 or 5.5.6. ### Workarounds Remove `svg,svgz` from the allowed upload file types in the system settings and from `contao.editable_files` in the `config.yaml`. ### References https://contao.org/en/security-advisories/cross-site-scripting-through-svg-uploads ### For more information If you have any questions or comments about this advisory, open an issue in [contao/contao](https://github.com/contao/contao/issues/new/choose).

Google Play Store hit by 300+ fake Android apps, downloaded more than 60 million times pushing ad fraud and data theft. Learn how to spot and remove these threats.

Cybersecurity researchers have disclosed details of a new supply chain attack vector dubbed Rules File Backdoor that affects artificial intelligence (AI)-powered code editors like GitHub Copilot and Cursor, causing them to inject malicious code. "This technique enables hackers to silently compromise AI-generated code by injecting hidden malicious instructions into seemingly innocent

An issue in CosmWasm prior to v2.2.0 allows attackers to bypass capability restrictions in blockchains by exploiting a lack of runtime capability validation. This allows attackers to deploy a contract without capability enforcement, and execute unauthorized actions on the blockchain.