Latest News

**What is the version information for this release?** Microsoft Edge Version Date Released Based on Chromium Version 138.0.3351.109 7/25/2025 138.0.7204.168/.169

**What is the version information for this release?** Microsoft Edge Version Date Released Based on Chromium Version 138.0.3351.109 7/25/2025 138.0.7204.168/.169

Arrests and indictments keep coming, but the North Korean fake IT worker scheme is only snowballing, and businesses can't afford to assume their applicant-screening processes are up to the task of weeding the imposters out.

Medusa Ransomware breached NASCAR, demanded $4 million, leaked sensitive data including maps and staff info, exposing major security failures. The incident was exclusively reported by Hackread.com.

A cybercriminal managed to insert malicious files leading to info stealers in a pre-release of a game on the Steam platform

JHipster before v.8.9.0 allows privilege escalation via a modified authorities parameter. Upon registering in the JHipster portal and logging in as a standard user, the authorities parameter in the response from the api/account endpoint contains the value ROLE_USER. By manipulating the authorities parameter and changing its value to ROLE_ADMIN, the privilege is successfully escalated to an Admin level. This allowed the access to all admin-related functionalities in the application.

The U.S. Department of the Treasury's Office of Foreign Assets Control (OFAC) sanctioned a North Korean front company and three associated individuals for their involvement in the fraudulent remote information technology (IT) worker scheme designed to generate illicit revenues for Pyongyang. The sanctions target Korea Sobaeksu Trading Company (aka Sobaeksu United Corporation), and Kim Se Un, Jo

**Path-Traversal -> Arbitrary File Write in Assemblyline Service Client** --- ## 1. Summary The Assemblyline 4 **service client** (`task_handler.py`) accepts a SHA-256 value returned by the service **server** and uses it directly as a local file name. > No validation / sanitisation is performed. A **malicious or compromised server** (or any MITM that can speak to client) can return a path-traversal payload such as `../../../etc/cron.d/evil` and force the client to write the downloaded bytes to an arbitrary location on disk. --- ## 2. Affected Versions | Item | Value | |---|---| | **Component** | `assemblyline-service-client` | | **Repository** | [CybercentreCanada/assemblyline-service-client](https://github.com/CybercentreCanada/assemblyline-service-client) | | **Affected** | **All releases up to master branch.** | --- ## 4. Technical Details | Field | Content | |---|---| | **Location** | `assemblyline_service_client/task_handler.py`, inside `download_file()` | | **V...

The threat actor known as Patchwork has been attributed to a new spear-phishing campaign targeting Turkish defense contractors with the goal of gathering strategic intelligence. "The campaign employs a five-stage execution chain delivered via malicious LNK files disguised as conference invitations sent to targets interested in learning more about unmanned vehicle systems," Arctic Wolf Labs said

### Impact It's possible to execute any SQL query in Oracle by using the function like [DBMS_XMLGEN or DBMS_XMLQUERY](https://docs.oracle.com/en/database/oracle/oracle-database/19/arpls/DBMS_XMLGEN.html). The XWiki#searchDocuments APIs are not sanitizing the query at all and even if they force a specific select, Hibernate allows using any native function in an HQL query (for example in the WHERE). ### Patches This has been patched in 16.10.6 and 17.3.0-rc-1. ### Workarounds There is no known workaround, other than upgrading XWiki. ### References https://jira.xwiki.org/browse/XWIKI-22728 ### For more information If you have any questions or comments about this advisory: * Open an issue in [Jira XWiki.org](https://jira.xwiki.org/) * Email us at [Security Mailing List](mailto:security@xwiki.org)