Latest News

The shift to cloud means securing your organization's digital assets requires a proactive, multilayered approach.

The group seeks out aerospace professionals by impersonating job recruiters — a demographic it has targeted in the past as well — then deploys the SlugResin backdoor malware.

The tech giant fixed privilege-escalation and model-exfiltration vulnerabilities in Vertex AI that could have allowed attackers to steal or poison custom-built AI models.

Three technologists in India used a homemade Faraday cage and a microwave oven to get around Apple’s location blocks.

### Impact Deserialization of untrusted data from the `mimes` parameter could lead to remote code execution. ### Patches Fixed in 3.0.9 ### Workarounds Not needed, a `composer update` will solve it in a non-breaking way. ### References Reported responsibly Vladislav Gladkiy at [Positive Technologies](https://www.ptsecurity.com/ww-en/).

### Summary A vulnerability exists in the Create User process, allowing the creation of a new admin account with an option to upload a profile image. An attacker can upload a malicious SVG file containing an embedded script. When the profile image is accessed, the embedded script executes, leading to the potential theft of session cookies. ### Details 1. Login as admin 2. Go to Create User 3. Fill up everything in the registration form then upload SVG image as a profile picture 4. In SVG image, add script tag to prepare for XSS attack 5. Complete the Create User process 6. Right click at the image to obtain image URL address 7. XSS triggered ### PoC The below link is a private YouTube video for PoC. https://youtu.be/5j8owD0--1A ### Impact The stored XSS can lead to session hijacking and privilege escalation, effectively bypassing any CSRF protections in place.

### Description Whan consuming a persisted remember-me cookie, symfony does not check if the username persisted in the database matches the username attached with the cookie, leading to authentication bypass. ### Resolution The `PersistentRememberMeHandler` class now ensures the submitted username is the cookie owner. The patch for this issue is available [here](https://github.com/symfony/symfony/commit/81354d392c5f0b7a52bcbd729d6f82501e94135a) for branch 5.4. ### Credits We would like to thank Moritz Rauch - Pentryx AG for reporting the issue and Jérémy Derussé for providing the fix.

### Impact The meeting embeds feature used in the online or hybrid meetings is subject to potential XSS attack through a malformed URL. ### Patches Not available ### Workarounds Disable the creation of meetings by participants in the meeting component. ### References OWASP ASVS v4.0.3-5.1.3 ### Credits This issue was discovered in a security audit organized by mitgestalten Partizipationsbüro against Decidim. The security audit was implemented by the Austrian Institute of Technology.

Siemens Energy Omnivise T3000 version 8.2 SP3 suffers from local privilege escalation, cleartext storage of passwords in configuration and log files, file system access allowing for arbitrary file download, and IP whitelist bypass.

A threat actor affiliated with Hamas has expanded its malicious cyber operations beyond espionage to carry out disruptive attacks that exclusively target Israeli entities. The activity, linked to a group called WIRTE, has also targeted the Palestinian Authority, Jordan, Iraq, Saudi Arabia, and Egypt, Check Point said in an analysis. "The [Israel-Hamas] conflict has not disrupted the WIRTE's