#web

Plus: Cisco discloses a zero-day with no available patch, Venezuela accuses the US of a cyberattack, and more.

### Impact Users importing contacts from untrusted sources. Specifically crafted contact data can lead to some of DOM modifications for the link button next to the field e.g. the link address can be overriden. CSS can be manipulated to give the button arbitrary look and change it's size so that any click on the screen would lead to the specified URL. Modifying event listeners does *not* seem to be possible so no JS can be executed (which would also be prevented by CSP). ## Technical details The data is included as part of the [mithril's hyperscript selector](https://mithril.js.org/hyperscript.html#css-selectors). It is possible to define a value like `][href=https://ddg.gg][style=position:fixed;width:150vw;height:200vh` which will be included in the selector passed to Mithril and will be interpreted as part of the code. ### Patches https://github.com/tutao/tutanota/commit/e28345f5f78f628f9d5c04e785f79543f01dca8b ### Workarounds Do not open contact viewer on unpatched versions. If t...

The Trump administration has pursued a staggering range of policy pivots this past year that threaten to weaken the nation’s ability and willingness to address a broad spectrum of technology challenges, from cybersecurity and privacy to countering disinformation, fraud and corruption. These shifts, along with the president’s efforts to restrict free speech and freedom of the press, have come at such a rapid clip that many readers probably aren’t even aware of them all.

Torrance, United States / California, 19th December 2025, CyberNewsWire

Seven years after the original attack, CISA has added the ASUS Live Update backdoor to its Known Exploited Vulnerabilities catalog.

Pillar Security has identified a critical indirect prompt injection vulnerability in Docker’s ‘Ask Gordon’ assistant. By poisoning metadata on Docker Hub, attackers could bypass security to exfiltrate private build logs and chat history. Discover how the "lethal trifecta" enabled this attack and why updating to Docker Desktop 4.50.0 is essential for developer security.

Crypto’s public image lagged reality. Stablecoins, tokenization, and regulation now power a blockchain backend settling global finance at institutional scale.

WatchGuard has released fixes to address a critical security flaw in Fireware OS that it said has been exploited in real-world attacks. Tracked as CVE-2025-14733 (CVSS score: 9.3), the vulnerability has been described as a case of out-of-bounds write affecting the iked process that could allow a remote unauthenticated attacker to execute arbitrary code. "This vulnerability affects both the

Versions of the package fastapi-sso before 0.19.0 are vulnerable to Cross-site Request Forgery (CSRF) due to the improper validation of the OAuth state parameter during the authentication callback. While the get_login_url method allows for state generation, it does not persist the state or bind it to the user's session. Consequently, the verify_and_process method accepts the state received in the query parameters without verifying it against a trusted local value. This allows a remote attacker to trick a victim into visiting a malicious callback URL, which can result in the attacker's account being linked to the victim's internal account.

IT automation is no longer optional for executives; it is a critical strategy. Organizations have moved beyond simple scripting to focus on speed and impact, using automation to power growth and reduce risk.But a critical gap remains: visibility. How do you, as a business leader, prove the return on investment (ROI) and confidently decide where to invest your next dollar?Red Hat Ansible Automation Platform's automation dashboard and analytics feature is more than an IT report; it's the financial and operational intelligence layer executives need to realize the full value of enterprise automati