Security
Headlines

Hackers Stole Millions of PornHub Users’ Data for Extortion

Plus: Cisco discloses a zero-day with no available patch, Venezuela accuses the US of a cyberattack, and more.

Wired
GHSA-24v3-254g-jv85: Tuta Mail has DOM attribute and CSS injection in its Contact Viewer feature

### Impact

Affects users importing contacts from untrusted sources. Specifically crafted contact data can cause DOM modifications to the link button next to a contact field; for example, the link address can be overridden. CSS can also be manipulated to give the button an arbitrary appearance and change its size, so that any click on the screen would lead to the specified URL. Modifying event listeners does *not* appear to be possible, so no JavaScript can be executed (which would also be prevented by CSP).

## Technical details

The data is included as part of [Mithril's hyperscript selector](https://mithril.js.org/hyperscript.html#css-selectors). It is possible to define a value like `][href=https://ddg.gg][style=position:fixed;width:150vw;height:200vh`, which is included in the selector passed to Mithril and interpreted as part of the selector syntax rather than as data.

### Patches

https://github.com/tutao/tutanota/commit/e28345f5f78f628f9d5c04e785f79543f01dca8b

### Workarounds

Do not open the contact viewer on unpatched versions. If t...

GHSA-r2h2-g46h-8mx8: pretix has Broken Access Control Allowing Cross-User File Access via UUID

Multiple API endpoints allowed a user who knew a file's UUID to access other users' sensitive files, even though those files were not intended to be accessible by UUID alone.

GHSA-pmjj-h5jm-vxh4: pretix has Broken Access Control Allowing Cross-User File Access via UUID

An API endpoint allowed a user who knew a file's UUID to access other users' sensitive files, even though those files were not intended to be accessible by UUID alone.

Dismantling Defenses: Trump 2.0 Cyber Year in Review

The Trump administration has pursued a staggering range of policy pivots this past year that threaten to weaken the nation’s ability and willingness to address a broad spectrum of technology challenges, from cybersecurity and privacy to countering disinformation, fraud and corruption. These shifts, along with the president’s efforts to restrict free speech and freedom of the press, have come at such a rapid clip that many readers probably aren’t even aware of them all.

CISA warns ASUS Live Update backdoor is still exploitable, seven years on

Seven years after the original attack, CISA has added the ASUS Live Update backdoor to its Known Exploited Vulnerabilities catalog.

Docker Fixes ‘Ask Gordon’ AI Flaw That Enabled Metadata-Based Attacks

Pillar Security has identified a critical indirect prompt injection vulnerability in Docker’s ‘Ask Gordon’ assistant. By poisoning metadata on Docker Hub, attackers could bypass security to exfiltrate private build logs and chat history. Discover how the "lethal trifecta" enabled this attack and why updating to Docker Desktop 4.50.0 is essential for developer security.

The Asset Layer of the Web: Tokenization Is Becoming Finance’s New Backend Infrastructure

Crypto’s public image lagged reality. Stablecoins, tokenization, and regulation now power a blockchain backend settling global finance at institutional scale.

WatchGuard Warns of Active Exploitation of Critical Fireware OS VPN Vulnerability

WatchGuard has released fixes to address a critical security flaw in Fireware OS that it said has been exploited in real-world attacks. Tracked as CVE-2025-14733 (CVSS score: 9.3), the vulnerability has been described as a case of out-of-bounds write affecting the iked process that could allow a remote unauthenticated attacker to execute arbitrary code. "This vulnerability affects both the