Security
Headlines

Latest News

Lazarus Group Hunts European Drone Manufacturing Data

The campaign is the latest effort by the North Korean threat actor to collect data of strategic interest to Pyongyang.

DARKReading
Pwn2Own Underscores Secure Development Concerns

Pwn2Own Ireland kicked off on Oct. 21. What researchers found continues to highlight how secure development practices are lacking across the industry.

The Best End User Security Awareness Programs Aren't About Awareness Anymore

The goal is to apply psychology principles to security training to change behaviors and security outcomes.

GHSA-wwxp-hxh6-8gf8: binary_vec_io access memory out-of-bounds in binary_read_to_ref and binary_write_from_ref

Safe functions accept a single `&T` or `&mut T` but multiply by `n` to create slices extending beyond allocated memory when `n > 1`. These functions use `from_raw_parts` to create slices larger than the underlying allocation, violating memory safety. The binary_vec_io repository is archived and unmaintained.

GHSA-cqwv-9xh5-25fg: Liferay Portal and DXP are Missing Authorization in Collection Provider

Missing Authorization in Collection Provider component in the Liferay Portal 7.4.0 through 7.4.3.132, and Liferay DXP 2025.Q2.0 through 2025.Q2.9, 2025.Q1.0 through 2025.Q1.16, 2024.Q4.0 through 2024.Q4.7, 2024.Q3.1 through 2024.Q3.13, 2024.Q2.0 through 2024.Q2.13, 2024.Q1.1 through 2024.Q1.19 allows instance users to read and select unauthorized Blueprints through the Collection Providers across instances.

GHSA-phjr-p9c5-hprx: Liferay Portal and Liferay DXP vulnerable to reflected cross-site scripting (XSS)

A reflected cross-site scripting (XSS) vulnerability, resulting from a regression, has been identified in Liferay Portal 7.4.0 through 7.4.3.132, and Liferay DXP 2025.Q2.0 through 2025.Q2.9, 2025.Q1.0 through 2025.Q1.16, 2024.Q4.0 through 2024.Q4.7, 2024.Q3.1 through 2024.Q3.13, 2024.Q2.1 through 2024.Q2.13, 2024.Q1.1 through 2024.Q1.19. It allows a remote, authenticated attacker to inject and execute JavaScript code via the _com_liferay_dynamic_data_mapping_web_portlet_DDMPortlet_definition parameter. The malicious payload is executed within the victim's browser when they access a URL that includes the crafted parameter.

It Takes Only 250 Documents to Poison Any AI Model

Researchers find it takes far less to manipulate a large language model's (LLM) behavior than anyone previously assumed.

No, ICE (Probably) Didn’t Buy Guided Missile Warheads

A federal contracting database lists an ICE payment for $61,218 with the payment code for “guided missile warheads and explosive components.” But it appears ICE simply entered the wrong code.

Too Many Secrets: Attackers Pounce on Sensitive Data Sprawl

Hardcoded credentials, access tokens, and API keys are ending up in the darnedest places, prompting a call for organizations to stop over-privileging secrets.

GHSA-rc54-2g2c-g36g: OpenBao and Vault Leak []byte Fields in Audit Logs

### Impact

OpenBao's audit log did not appropriately redact fields when relevant subsystems sent `[]byte` response parameters rather than `string`s. This includes, but is not limited to:

- `sys/raw` with use of `encoding=base64`: all data would be emitted unredacted to the audit log.
- Transit, when performing a signing operation with a derived Ed25519 key, would emit public keys to the audit log.

Third-party plugins may be affected. This issue has been present since HashiCorp Vault and continues to impact Vault as of v1.20.4.

### Patches

OpenBao v2.4.2 will patch this issue.

### Workarounds

If users do not use the above functionality, they are not impacted. To prohibit the use of `sys/raw` globally, ensure `raw_storage_endpoint=false` is set or missing from the server configuration.