Security
Headlines
HeadlinesLatestCVEs

Latest News

GHSA-rpjr-pcmr-9ppw: Alt Redirect: Potential Authentication Bypass by Spoofing through query-string stripping logic flaw

The Alt Redirect 1.6.3 addon for Statamic fails to consistently strip query string parameters when the "Query String Strip" feature is enabled. Case variations, encoded keys, and duplicates are not removed, allowing attackers to bypass sanitization. This may lead to cache poisoning, parameter pollution, or denial of service.

ghsa
Open in Source
#vulnerability#dos#auth
GHSA-xw6m-3m5q-mxpm: Liferay Portal's Membership page is vulnerable to XSS through “name“ text field

Stored cross-site scripting (XSS) vulnerability on the Membership page in Account Settings in Liferay Portal 7.4.3.21 through 7.4.3.111, and Liferay DXP 2023.Q4.0 through 2023.Q4.5, 2023.Q3.1 through 2023.Q3.8, and 7.4 update 21 through update 92 allows remote authenticated attackers to inject arbitrary web script or HTML via a crafted payload injected into a Account's “Name“ text field.

GHSA-m4g9-5mg6-gfr3: Liferay Portal Commerce is vulnerable to XSS through account "name" field

Stored cross-site scripting (XSS) vulnerability in Commerce’s view order page in Liferay Portal 7.4.3.8 through 7.4.3.111, and Liferay DXP 2023.Q4.0 through 2023.Q4.5, 2023.Q3.1 through 2023.Q3.8, and 7.4 update 8 through update 92 allows remote attackers to inject arbitrary web script or HTML via a crafted payload injected into an Account’s “Name” text field.

GHSA-xcvw-hh99-qm73: Liferay Portal is vulnerable to XSS through its workflow process builder

Cross-site scripting (XSS) vulnerability in workflow process builder in Liferay Portal 7.4.3.21 through 7.4.3.111, and Liferay DXP 2023.Q4.0 through 2023.Q4.5, 2023.Q3.1 through 2023.Q3.8, and 7.4 update 21 through update 92 allows remote authenticated attackers to inject arbitrary web script or HTML via the crafted input in a workflow definition.

Apple voices concerns over age-check law that could put user privacy at risk

The more sensitive data that companies have to collect and store, the greater the consequences for users if it’s breached.

Microsoft Adds Agentic AI Capabilities to Sentinel

Microsoft previewed the Sentinel security graph and MCP server at its annual Microsoft Secure virtual event earlier this month.

Your passwords don’t need so many fiddly characters, NIST says

It’s once again time to change your passwords, but if one government agency has its way, this might be the very last time you do it.

Deepfake Awareness High at Orgs, But Cyber Defenses Badly Lag

The vast majority of organizations are encountering AI-augmented threats, but remain confident in their defenses, despite inadequate detection investment and more than half falling to successful attacks.

Stealit Malware Using Node.js to Hide in Fake Game and VPN Installers

Fortinet warns of Stealit, a MaaS infostealer, now targeting Windows systems and evading detection by using Node.js’s SEA feature while hiding in fake game and VPN installers.

Stealit Malware Abuses Node.js Single Executable Feature via Game and VPN Installers

Cybersecurity researchers have disclosed details of an active malware campaign called Stealit that has leveraged Node.js' Single Executable Application (SEA) feature as a way to distribute its payloads. According to Fortinet FortiGuard Labs, select iterations have also employed the open-source Electron framework to deliver the malware. It's assessed that the malware is being propagated through