#web

### Impact A bug was found in containerd's CRI Attach implementation where a user can exhaust memory on the host due to goroutine leaks. Repetitive calls of CRI Attach (e.g., [`kubectl attach`](https://kubernetes.io/docs/reference/kubectl/generated/kubectl_attach/)) could increase the memory usage of containerd. ### Patches This bug has been fixed in the following containerd versions: * 2.2.0 * 2.1.5 * 2.0.7 * 1.7.29 Users should update to these versions to resolve the issue. ### Workarounds Set up an admission controller to control accesses to `pods/attach` resources. e.g., [Validating Admission Policy](https://kubernetes.io/docs/reference/access-authn-authz/validating-admission-policy/). ### Credits The containerd project would like to thank @Wheat2018 for responsibly disclosing this issue in accordance with the [containerd security policy](https://github.com/containerd/project/blob/main/SECURITY.md). ### References https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025...

Account takeover (ATO) attacks can devastate individuals and organisations, from personal profiles to enterprise systems. The financial impact…

**Why is this Chrome CVE included in the Security Update Guide?** The vulnerability assigned to this CVE is in Chromium Open Source Software (OSS) which is consumed by Microsoft Edge (Chromium-based). It is being documented in the Security Update Guide to announce that the latest version of Microsoft Edge (Chromium-based) is no longer vulnerable. **How can I see the version of the browser?** 1. In your Microsoft Edge browser, click on the 3 dots (...) on the very right-hand side of the window 2. Click on **Help and Feedback** 3. Click on **About Microsoft Edge**

Seven vulnerabilities in ChatGPT (including GPT-5) allow attackers to use '0-click' and 'memory injection' to bypass safety features and persistently steal private user data and chat history. Tenable Research exposes the flaws.

### Impact The prosemirror_to_html gem is vulnerable to Cross-Site Scripting (XSS) attacks through malicious HTML attribute values. While tag content is properly escaped, attribute values are not, allowing attackers to inject arbitrary JavaScript code. **Who is impacted:** - Any application using prosemirror_to_html to convert ProseMirror documents to HTML - Applications that process user-generated ProseMirror content are at highest risk - End users viewing the rendered HTML output could have malicious JavaScript executed in their browsers **Attack vectors include:** - `href` attributes with `javascript:` protocol: `<a href="javascript:alert(document.cookie)">` - Event handlers: `<div onclick="maliciousCode()">` - `onerror` attributes on images: `<img src=x onerror="alert('XSS')">` - Other HTML attributes that can execute JavaScript ### Patches A fix is currently in development. Users should upgrade to version **0.2.1** or later once released. The patch escapes all HTML attribute...

A misconfiguration in the sudoers file permits passwordless execution of specific Bash shell scripts via sudo, exposing a critical privilege escalation vulnerability. When such scripts are writable by a web-facing user (www-data) or accessible through a command injection vector, an attacker can overwrite or replace them with malicious payloads. Upon execution with sudo, these scripts run with elevated privileges, allowing the attacker to gain full root access remotely.

The application stores user passwords in the database using the MD5 hashing algorithm, which is considered cryptographically insecure due to its vulnerability to collision and brute-force attacks. MD5 lacks modern protections such as salting and computational hardness, making it trivial for attackers to crack password hashes using precomputed rainbow tables or GPU-accelerated dictionary attacks.

Doctor Web uncovers a targeted cyberattack on a Russian government body by the Cavalry Werewolf group using a new ShellNET backdoor and Telegram-based control.

View CSAF 1. EXECUTIVE SUMMARY CVSS v4 8.7 ATTENTION: Exploitable remotely/low attack complexity Vendor: ABB Equipment: FBXi, FBVi, FBTi, CBXi Vulnerabilities: Use of Hard-coded Credentials, Improper Validation of Specified Type of Input, Use of a One-Way Hash without a Salt 2. RISK EVALUATION Successful exploitation of these vulnerabilities could allow an attacker to take remote control of the product, insert and run arbitrary code, and crash the device being accessed. 3. TECHNICAL DETAILS 3.1 AFFECTED PRODUCTS The following ABB FLXeon products are affected: FBXi-8R8-X96 (2CQG201028R1011): Versions 9.3.5 and prior FBXi-8R8-H-X96 (2CQG201029R1011): Versions 9.3.5 and prior FBXi-X256 (2CQG201014R1021): Versions 9.3.5 and prior FBXi-X48 (2CQG201018R1021): Versions 9.3.5 and prior FBXi-8R8-X96-S (2CQG201606R1011): Versions 9.3.5 and prior FBVi-2U4-4T (2CQG201015R1021 ): Versions 9.3.5 and prior FBVi-2U4-4T-IMP (2CQG201016R1021): Versions 9.3.5 and prior FBVi-2U4-4T-SI: Versions 9.3.5 and ...

View CSAF 1. EXECUTIVE SUMMARY CVSS v4 8.7 ATTENTION: Exploitable remotely/Low attack complexity Vendor: Advantech Equipment: DeviceOn/iEdge Vulnerabilities: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting'), Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') 2. RISK EVALUATION Successful exploitation of these vulnerabilities could result in a denial-of-service condition, remote code execution, or an attacker reading arbitrary files. 3. TECHNICAL DETAILS 3.1 AFFECTED PRODUCTS The following version of DeviceOn/iEdge, an IoT management platform, is affected: DeviceOn/iEdge: Version 2.0.2 and prior 3.2 VULNERABILITY OVERVIEW 3.2.1 IMPROPER NEUTRALIZATION OF INPUT DURING WEB PAGE GENERATION ('CROSS-SITE SCRIPTING') CWE-79 Insufficient input sanitization in the dashboard label or path can allow an attacker to trigger a device error causing information disclosure or data manipulation. CVE-2025-64302 has been assigned to this vuln...