#git

## Impact Users running Vega/Vega-lite JSON definitions could run unexpected JavaScript code when drawing graphs, unless the library is used with the `vega-interpreter`. ## Workarounds - Use `vega` with [expression interpreter](https://vega.github.io/vega/usage/interpreter/) - Upgrade to a [newer Vega version](https://github.com/vega/vega/releases/tag/v5.32.0) (`5.32.0`) ### POC Summary Calling `replace` with a `RegExp`-like pattern calls `RegExp.prototype[@@replace]`, which can then call an attacker-controlled `exec` function. ### POC Details Consider the function call `replace('foo', {__proto__: /h/.constructor.prototype, global: false})`. Since `pattern` has `RegExp.prototype[@@replace]`, `pattern.exec('foo')` winds up being called. The resulting malicious call looks like this: ``` replace(<string argument>, {__proto__: /h/.constructor.prototype, exec: <function>, global: false}) ``` Since functions cannot be returned from this, an attacker that wishes to escalate to XSS mu...

Discover the novel QWCrypt ransomware used by RedCurl in targeted hypervisor attacks. This article details their tactics, including…

Many successful phishing attacks result in a financial loss or malware infection. But falling for some phishing scams, like those currently targeting Russians searching online for organizations that are fighting the Kremlin war machine, can cost you your freedom or your life.

A man didn't just have his ID stolen, identity theft ruined his life and robbed him of a promising future.

### Impact In `vega` 5.30.0 and lower, `vega-functions` 5.15.0 and lower , it was possible to call JavaScript functions from the Vega expression language that were not meant to be supported. ### Patches Patched in `vega` `5.31.0` / `vega-functions` `5.16.0` ### Workarounds _Is there a way for users to fix or remediate the vulnerability without upgrading?_ - Run `vega` without `vega.expressionInterpreter`. This mode is not the default as it is slower. - Using the interpreter [described in CSP safe mode](https://vega.github.io/vega/usage/interpreter/) (Content Security Policy) prevents arbitrary Javascript from running, so users of this mode are not affected by this vulnerability. ### References - Reported to Vega-Lite by @kprevas Nov 8 2024 in https://github.com/vega/vega-lite/issues/9469 & https://github.com/vega/vega/issues/3984 Reproduction of the error in Vega by @mattijn ``` { "$schema": "https://vega.github.io/schema/vega/v5.json", "signals": [ { "name...

Cary, North Carolina, 27th March 2025, CyberNewsWire

An ongoing campaign that infiltrates legitimate websites with malicious JavaScript injects to promote Chinese-language gambling platforms has ballooned to compromise approximately 150,000 sites to date. "The threat actor has slightly revamped their interface but is still relying on an iframe injection to display a full-screen overlay in the visitor's browser," c/side security analyst Himanshu

The Internet Archive (Archive.org), home to the Wayback Machine, is temporarily offline due to a reported power outage.…

Tory Hunt, security expert and Have I Been Pwned owner, disclosed a phishing attack against him in a commendable display of transparency.

### Summary User supplied values passed through to certain attributes in form widgets are not fully escaped for potentially dangerous tokens, and in some cases are rendered in browser as valid html tags. ### Details Attributes passed to the widget (such as `label_field`) containing `<`, `>`, and similar tokens are not fully escaped. This results in some raw values reaching the widget, and rendering in part or fully. For example, a label of: `"Test User <script>I can pass this to the label_field and it gets rendered</script>"` is rendered in the choices's label visually as `"Test User "` with the trailing space, and what appears as an un-executed script tag following it (which is visible when viewing source). The actual output rendered in the browser for this example is: `<div role="option" data-value="63f205b6" class="item" data-ts-item="">Test User <script>I can pass this to the label_field and it gets rendered</script></div>` The script tags appears to be valid in Chrome dev tool...