Latest News

It has been discovered that malicious HTML using special nesting techniques can bypass the depth checking added to DOMPurify in recent releases. It was also possible to use Prototype Pollution to weaken the depth check. This renders dompurify unable to avoid XSS attack. Fixed by https://github.com/cure53/DOMPurify/commit/1e520262bf4c66b5efda49e2316d6d1246ca7b21 (3.x branch) and https://github.com/cure53/DOMPurify/commit/26e1d69ca7f769f5c558619d644d90dd8bf26ebc (2.x branch).

Concrete CMS versions 9.0.0 to 9.3.4 and below 8.5.19 are vulnerable to Stored XSS in the "Next&Previous Nav" block. A rogue administrator could add a malicious payload by executing it in the browsers of targeted users. Since the "Next&Previous Nav" block output was not sufficiently sanitized, the malicious payload could be executed in the browsers of targeted users.

RansomHub ransomware group leaks alleged 487 GB of sensitive data stolen from Kawasaki Motors Europe (KME), following a…

`RUSTSEC-2024-0377` contains multiple soundness issues: 1. [Bytes::read() allows creating instances of types with invalid bit patterns](https://github.com/Alexhuszagh/rust-lexical/issues/102) 1. [BytesIter::read() advances iterators out of bounds](https://github.com/Alexhuszagh/rust-lexical/issues/101) 1. [The `BytesIter` trait has safety invariants but is public and not marked `unsafe`](https://github.com/Alexhuszagh/rust-lexical/issues/104) 1. [`write_float()` calls `MaybeUninit::assume_init()` on uninitialized data, which is is not allowed by the Rust abstract machine](https://github.com/Alexhuszagh/rust-lexical/issues/95) 1. [`radix()` calls `MaybeUninit::assume_init()` on uninitialized data, which is is not allowed by the Rust abstract machine](https://github.com/Alexhuszagh/rust-lexical/issues/126) Version 1.0 fixes these issues, removes the vast majority of `unsafe` code, and also fixes some correctness issues.

### Impact The WYSWYG editor QuillJS is subject to potential XSS attach in case the attacker manages to modify the HTML before being uploaded to the server. The attacker is able to change e.g. to <svg onload=alert('XSS')> if they know how to craft these requests themselves. ### Patches N/A ### Workarounds Review the user accounts that have access to the admin panel (i.e. general Administrators, and participatory space's Administrators) and remove access to them if they don't need it. Disable the "Enable rich text editor for participants" setting in the admin dashboard ### References OWASP ASVS v4.0.3-5.1.3

### Impact The admin panel is subject to potential XSS attach in case an admin assigns a valuator to a proposal, or does any other action that generates an admin activity log where one of the resources has an XSS crafted. ### Patches N/A ### Workarounds Redirect the pages /admin and /admin/logs to other admin pages to prevent this access (i.e. `/admin/organization/edit`) ### References OWASP ASVS v4.0.3-5.1.3

Feeling creative? Submit your caption and our panel of experts will reward the winner with a $25 Amazon gift card.

Apple is launching its first stand-alone password manager app in iOS 18. Here’s what you need to know.

Mattermost Desktop App versions <=5.8.0 fail to sufficiently configure Electron Fuses which allows an attacker to gather Chromium cookies or abuse other misconfigurations via remote/local access.

Mattermost Desktop App versions <=5.8.0 fail to safeguard screen capture functionality which allows an attacker to silently capture high-quality screenshots via JavaScript APIs.