#perl

Tech Transparency Project warns Chinese-owned VPNs like Turbo VPN and X-VPN remain on Apple and Google app stores, raising national security concerns.

### Impact OpenBao before v2.3.0 and HashiCorp Vault as of the current v1.19.5 may leak sensitive information in logs when processing malformed data. This is separate from the earlier HCSEC-2025-09 / CVE-2025-4166. ### Patches This issue has been fixed in OpenBao v2.3.0 and later. ### Workarounds Like with HCSEC-2025-09, there is no known workaround except to ensure properly formatted requests from all clients. ### Remediation Users with the capability to search through server and audit logs for any possible exposed secrets can refer to the following snippets to aid in searching: Audit Log ``` ... "error":"error converting input for field \"password\": expected type 'string', got unconvertible type 'map[string]interface {}', value: '<sensitive data>'" ... ``` Server Log ``` error converting input for field "password": expected type 'string', got unconvertible type 'map[string]interface {}', value: '<sensitive data>' ``` If any matches are found, rotating the affected secre...

Cisco Talos uncovered and analyzed two critical vulnerabilities in ASUS' AsIO3.sys driver, highlighting serious security risks and the importance of robust driver design.

"Hello pervert" sextortion emails are going through some changes and the price they're demanding has gone up considerably.

View CSAF 1. EXECUTIVE SUMMARY CVSS v4 7.3 ATTENTION: Low attack complexity Vendor: Delta Electronics Equipment: CNCSoft Vulnerabilities: Out-of-bounds Write 2. RISK EVALUATION Successful exploitation of these vulnerabilities could allow an attacker to execute code within the context of the current process. 3. TECHNICAL DETAILS 3.1 AFFECTED PRODUCTS Delta Electronics reports the following versions of CNCSoft, a human-machine interface, are affected: CNCSoft: v1.01.34 and prior 3.2 VULNERABILITY OVERVIEW 3.2.1 OUT-OF-BOUNDS WRITE CWE-787 Delta Electronics CNCSoft does not properly validate user-supplied files. If a user opens a maliciously crafted file, an attacker can leverage this vulnerability to execute code within the context of the current process. CVE-2025-47724 has been assigned to this vulnerability. A CVSS v3.1 base score of 7.7 has been calculated; the CVSS vector string is (CVSS:3.1/AV:L/AC:L/PR:H/UI:R/S:C/C:H/I:H/A:H). A CVSS v4 score has also been calculated for CVE-2025-4...

View CSAF 1. EXECUTIVE SUMMARY CVSS v4 7.1 ATTENTION: Exploitable remotely/low attack complexity Vendor: Schneider Electric Equipment: Modicon Controllers Vulnerabilities: Improper Input Validation, Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting'), Uncontrolled Resource Consumption 2. RISK EVALUATION Successful exploitation of these vulnerabilities could allow an attacker to execute arbitrary code on the device or cause a denial-of-service condition. 3. TECHNICAL DETAILS 3.1 AFFECTED PRODUCTS Schneider Electric reports that the following products are affected: Modicon Controllers M241: Versions prior to 5.3.12.51 Modicon Controllers M251: Versions prior to 5.3.12.51 Modicon Controllers M262: Versions prior to 5.3.9.18 (CVE-2025-3898, CVE-2025-3117) Modicon Controllers M258: All versions (CVE-2025-3905, CVE-2025-3116, CVE-2025-3117) Modicon Controllers LMC058: All versions (CVE-2025-3905, CVE-2025-3116, CVE-2025-3117) 3.2 VULNERABILITY OVERVIEW 3.2.1 ...

A vulnerability exists in the NodeRestriction admission controller where nodes can bypass dynamic resource allocation authorization checks. When the DynamicResourceAllocation feature gate is enabled, the controller properly validates resource claim statuses during pod status updates but fails to perform equivalent validation during pod creation. This allows a compromised node to create mirror pods that access unauthorized dynamic resources, potentially leading to privilege escalation.

### Impact `rfc3161-client` 1.0.2 and earlier contain a flaw in their timestamp response signature verification logic. In particular, it performs chain verification against the TSR's embedded certificates up to the trusted root(s), but fails to verify the TSR's own signature against the timestamping leaf certificates. Consequently, vulnerable versions perform insufficient signature validation to properly consider a TSR verified, as the attacker can introduce _any_ TSR signature so long as the embedded leaf chains up to some root TSA. ### Patches Users should immediately upgrade to `rfc3161-client` 1.0.3 or later. ### Workarounds There is no workaround possible. Users should immediately upgrade to a fixed version.

Mattermost versions 10.5.x <= 10.5.5, 9.11.x <= 9.11.15, 10.8.x <= 10.8.0, 10.7.x <= 10.7.2, 10.6.x <= 10.6.5 fail to properly enforce channel member management permissions in playbook runs, allowing authenticated users without the 'Manage Channel Members' permission to add or remove users from public and private channels by manipulating playbook run participants when the run is linked to a channel.

Mattermost versions 10.5.x <= 10.5.5, 9.11.x <= 9.11.15, 10.8.x <= 10.8.0, 10.7.x <= 10.7.2, 10.6.x <= 10.6.5 fail to properly retrieve requestorInfo from playbooks handler for guest users which allows an attacker access to the playbook run.