Security
Headlines

Latest News

GHSA-qhj8-q5r6-8q6j: matrix-sdk-base: Panic in the `RoomMember::normalized_power_level()` method

In matrix-sdk-base before 0.14.1, calling the `RoomMember::normalized_power_level()` method can cause a panic if a room member has a power level of `Int::Min`.

### Patches

The issue is fixed in matrix-sdk-base 0.14.1.

### Workarounds

The affected method isn’t used internally, so avoiding calling `RoomMember::normalized_power_level()` prevents the panic.

GHSA-4hjh-wcwx-xvwj: Axios is vulnerable to DoS attack through lack of data size check

## Summary

When Axios runs on Node.js and is given a URL with the `data:` scheme, it does not perform HTTP. Instead, its Node http adapter decodes the entire payload into memory (`Buffer`/`Blob`) and returns a synthetic 200 response. This path ignores `maxContentLength` / `maxBodyLength` (which only protect HTTP responses), so an attacker can supply a very large `data:` URI and cause the process to allocate unbounded memory and crash (DoS), even if the caller requested `responseType: 'stream'`.

## Details

The Node adapter (`lib/adapters/http.js`) supports the `data:` scheme. When `axios` encounters a request whose URL starts with `data:`, it does not perform an HTTP request. Instead, it calls `fromDataURI()` to decode the Base64 payload into a Buffer or Blob. Relevant code from [`httpAdapter`](https://github.com/axios/axios/blob/c959ff29013a3bc90cde3ac7ea2d9a3f9c08974b/lib/adapters/http.js#L231) ...
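An added example (not axios project code, and not taken from the advisory) of the kind of pre-flight guard a caller can put in front of axios while running an affected version: it bounds the decoded size of a `data:` URL from the encoded text alone, so the check itself allocates nothing large, and rejects the request before the Node adapter ever decodes the payload. The interceptor wiring in the trailing comment assumes axios is installed; `dataUriDecodedLength`, `assertDataUriWithinLimit` and the 10 MiB default limit are names and values chosen for this example.

```javascript
// Added example: size guard for data: URLs, which the axios Node adapter
// decodes fully into memory without honouring maxContentLength/maxBodyLength.

// Return an upper bound, in bytes, on the decoded payload of a data: URL
// without decoding it. Non-data: URLs return 0 (they are not affected).
function dataUriDecodedLength(url) {
  if (typeof url !== 'string' || !/^data:/i.test(url)) return 0;
  const comma = url.indexOf(',');
  if (comma === -1) throw new Error('malformed data: URL (no comma)');
  const meta = url.slice(5, comma);      // e.g. "text/plain;base64"
  const payload = url.slice(comma + 1);
  if (/;base64$/i.test(meta)) {
    // 4 base64 characters encode 3 bytes; trailing '=' padding encodes nothing.
    const padding = payload.endsWith('==') ? 2 : payload.endsWith('=') ? 1 : 0;
    return Math.floor((payload.length * 3) / 4) - padding;
  }
  // Percent-decoding never expands, so the UTF-8 length of the raw
  // payload bounds the decoded size.
  return Buffer.byteLength(payload, 'utf8');
}

// Throw before axios is invoked if the data: URL would decode to more than
// maxBytes. Returns the bound so callers can log or meter it.
function assertDataUriWithinLimit(url, maxBytes) {
  const size = dataUriDecodedLength(url);
  if (size > maxBytes) {
    throw new Error(`data: URL would decode to ${size} bytes, limit is ${maxBytes}`);
  }
  return size;
}

// Hypothetical wiring as an axios request interceptor (assumes axios is
// installed; the interceptor API itself is axios' own):
//
//   const DEFAULT_LIMIT = 10 * 1024 * 1024;   // example value, not an axios default
//   axios.interceptors.request.use((config) => {
//     assertDataUriWithinLimit(config.url, config.maxContentLength > 0
//       ? config.maxContentLength : DEFAULT_LIMIT);
//     return config;
//   });
```

Because the guard works on string length rather than decoding, a multi-gigabyte base64 `data:` URL is rejected in constant memory; the same `maxContentLength` the caller already sets for HTTP responses becomes the ceiling for `data:` URLs too. Upgrading to a fixed axios release is still the real fix; this is a stop-gap for callers that accept URLs from untrusted input.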

Vyro AI Leak Reveals Poor Cyber Hygiene

The data leak underscores the larger issue of proprietary or sensitive data being shared with GenAI by users who should know better.

'Gentlemen' Ransomware Abuses Vulnerable Driver to Kill Security Gear

By weaponizing the ThrottleStop.sys driver, attackers are disrupting antivirus and endpoint detection and response (EDR) systems.

How China’s Propaganda and Surveillance Systems Really Operate

A series of corporate leaks show that Chinese technology companies function far more like their Western peers than one might imagine.

Apple CarPlay RCE Exploit Left Unaddressed in Most Cars

Even when a vulnerability is serious and a fix is available, actually securing cars is more difficult than one would hope.

F5 to Acquire CalypsoAI for Advanced AI Security Capabilities

F5 plans to use CalypsoAI's platform to provide real-time threat defense against attacks and help enterprises safeguard themselves as they adopt the latest AI technologies.

AI-Enhanced Malware Sports Super-Stealthy Tactics

With legit-sounding names, EvilAI's "productivity" apps are reviving classic threats like Trojans while adding new evasion capabilities against modern antivirus defenses.

GHSA-5wxc-3jfw-w94p: Liferay Portal is vulnerable to Insecure Direct Object Reference (IDOR) attack through Authentication Bypass

Insecure Direct Object Reference (IDOR) vulnerability in Liferay Portal 7.4.0 through 7.4.3.124, and Liferay DXP 2024.Q2.0 through 2024.Q2.6, 2024.Q1.1 through 2024.Q1.12 and 7.4 GA through update 92 allows remote authenticated users in one virtual instance to access, create, edit and relate data, object entries and object definitions belonging to an object in a different virtual instance.

GHSA-wr8m-5h2p-4432: Liferay Portal API Allows Authenticated Users to Access Workflow Definitions by Name

Insecure Direct Object Reference (IDOR) vulnerability in Liferay Portal 7.4.0 through 7.4.3.124, and Liferay DXP 2024.Q2.0 through 2024.Q2.7, 2024.Q1.1 through 2024.Q1.12, and 7.4 GA through update 92 allows remote authenticated users to access a workflow definition by name via the API.