Latest News

April Linux Patch Wednesday. Total vulnerabilities: 251. 👌 164 in the Linux Kernel. No vulnerabilities show signs of being exploited in the wild. There are 7 vulnerabilities that appear to have publicly available exploits. For 2 vulnerabilities, exploit code with detailed explanation is available on GitHub. Both were first patched in RedOS packages: 🔸 SQL […]

A 23-year-old Scottish man thought to be a member of the prolific Scattered Spider cybercrime group was extradited last week from Spain to the United States, where he is facing charges of wire fraud, conspiracy and identity theft. U.S. prosecutors allege Tyler Robert Buchanan and co-conspirators hacked into dozens of companies in the United States and abroad, and that he personally controlled more than $26 million stolen from victims.

US and Greek arrests expose 764 network’s global child abuse ring. Leaders face life for orchestrating violent exploitation…

A new study found that code generated by AI is more likely to contain made-up information that can be used to trick software into interacting with malicious code.

The `get_id3()` methods used by `mp3_metadata::read_from_slice()` does not perform adequate bounds checking when recreating the tag due to the use of desynchronization. Fixed in [Fix index error](https://github.com/GuillaumeGomez/mp3-metadata/pull/37), released as part of 0.4.0.

### Summary The contents of files in [the project `root`](https://vite.dev/config/shared-options.html#root) that are denied by a file matching pattern can be returned to the browser. ### Impact Only apps explicitly exposing the Vite dev server to the network (using --host or [server.host config option](https://vitejs.dev/config/server-options.html#server-host)) are affected. Only files that are under [project `root`](https://vite.dev/config/shared-options.html#root) and are denied by a file matching pattern can be bypassed. - Examples of file matching patterns: `.env`, `.env.*`, `*.{crt,pem}`, `**/.env` - Examples of other patterns: `**/.git/**`, `.git/**`, `.git/**/*` ### Details [`server.fs.deny`](https://vite.dev/config/server-options.html#server-fs-deny) can contain patterns matching against files (by default it includes `.env`, `.env.*`, `*.{crt,pem}` as such patterns). These patterns were able to bypass for files under `root` by using a combination of slash and dot (`/.`). #...

# Description A flaw was found in Keycloak. The org.keycloak.authorization package may be vulnerable to circumventing required actions, allowing users to circumvent requirements such as setting up two-factor authentication.

A flaw was found in Keycloak. By setting a verification policy to 'ALL', the trust store certificate verification is skipped, which is unintended.

France accuses Russia’s APT28 hacking group (Fancy Bear) of targeting French government entities in a cyber espionage campaign.…

### Impact The Markdown syntax is vulnerable to XSS through HTML. In particular, using Markdown syntax, it's possible for any user to embed Javascript code that will then be executed on the browser of any other user visiting either the document or the comment that contains it. In the instance that this code is executed by a user with admins or programming rights, this issue compromises the confidentiality, integrity and availability of the whole XWiki installation. To reproduce, on an instance where the CommonMark Markdown Syntax 1.2 extension is installed, log in as a user without script rights. Edit a document and set its syntax to Markdown. Then , add the content `<script>alert("XSS")</script>` and refresh the page. If an alert appears containing "XSS", then the instance is vulnerable. ### Patches This has been patched in version 8.9 of the CommonMark Markdown Syntax 1.2 extension. ### Workarounds We're not aware of any workaround except upgrading. ### References * https://jira....