Latest News
**Why is this Chrome CVE included in the Security Update Guide?** The vulnerability assigned to this CVE is in Chromium Open Source Software (OSS) which is consumed by Microsoft Edge (Chromium-based). It is being documented in the Security Update Guide to announce that the latest version of Microsoft Edge (Chromium-based) is no longer vulnerable. **How can I see the version of the browser?** 1. In your Microsoft Edge browser, click on the 3 dots (...) on the very right-hand side of the window 2. Click on **Help and Feedback** 3. Click on **About Microsoft Edge**
### Description There is a path traversal vulnerability in any DotVVM application started in Debug mode, if at least one resource with the `FileResourceLocation` has been added. The vulnerability allows an attacker to read arbitrary files from the filesystem accessible by the web application (i.e. appsettings.json or other files containing secrets). ### Patches The bug is patched in versions **4.2.10**, **4.3.8** and **5.0.0-preview03-final** (and newer). Apart from updating DotVVM, it is also recommend invalidating any secrets which could have been leaked by an application deployed in Debug mode (such as database passwords). ### Workarounds If you cannot update to a patched version, avoid running a publicly accessible DotVVM application in Debug mode (Development environment in Asp.Net Core). It is recommend adding the following statement to the DotvvmStartup class: ``` config.Debug = false; // TODO: workaround for GHSA-6q65-j4jw-9cg8, remove after updating DotVVM ```
### Impact _What kind of vulnerability is it? Who is impacted?_ In certain places, powsybl-core XML parsing is vulnerable to an XXE attack and in on place also to an SSRF attack. This allows an attacker to elevate their privileges to read files that they do not have permissions to, including sensitive files on the system. The vulnerable class is `com.powsybl.commons.xml.XmlReader` which is considered to be untrusted in use cases where untrusted users can submit their XML to the vulnerable methods. This can be a multi-tenant application that hosts many different users perhaps with different privilege levels. #### Am I impacted? You are vulnerable if you allow untrusted users to import untrusted CGMES or XIIDM network files. ### Patches com.powsybl:powsybl-commons:6.7.2 and higher ### References [powsybl-core v6.7.2](https://github.com/powsybl/powsybl-core/releases/tag/v6.7.2)
Instead of constantly fixing security vulnerabilities, organizations should proactively build secure foundations that enable businesses to move faster while reducing risk.
Researchers have uncovered 30 exposed data sets containing over 16 billion login credentials which were likely harvested by infostealers.
Toy company Mattel has announced a deal with OpenAI to create AI-powered toys, but digital rights advocates have urged caution.
In a new wrinkle on the tech support scam front, these search parameter injection attacks dupe victims into believing they are receiving technical help when they are actually speaking to fraudsters.
An unnamed customer of Paragon's Graphite product used the commercial spyware to target at least two prominent European journalists in recent months.
# Summary Unauthorized users can perform Arbitrary File Read and Deserialization attack by submit job using restful api-v1. # Details Unauthorized users can access `/hazelcast/rest/maps/submit-job` to submit job. An attacker can set extra params in mysql url to perform Arbitrary File Read and Deserialization attack. This issue affects Apache SeaTunnel: <=2.3.10 # Fixed Users are recommended to upgrade to version 2.3.11, and enable restful api-v2 & open https two-way authentication , which fixes the issue.
North Korean hackers deploy PylangGhost malware through fake crypto job interviews targeting blockchain professionals with phishing and remote access tools.