Latest News

**What is the version information for this release?** Microsoft Edge Version Date Released Based on Chromium Version 134.0.3124.83 3/21/2025 134.0.6998.117/.118

**What is the version information for this release?** Microsoft Edge Channel Microsoft Edge Version Based on Chromium Version Date Released Stable CVE-2024-8904, 129.0.6668.58/.59 9/19/2024

Improper link resolution before file access ('link following') in Microsoft Edge (Chromium-based) allows an authorized attacker to elevate privileges locally.

Two now-patched security flaws impacting Cisco Smart Licensing Utility are seeing active exploitation attempts, according to SANS Internet Storm Center. The two critical-rated vulnerabilities in question are listed below -  CVE-2024-20439 (CVSS score: 9.8) - The presence of an undocumented static user credential for an administrative account that an attacker could exploit to log in to an

Today, we are discussing Computer Vision applications, one of the most impactful AI-powered technologies that is reshaping our…

March Linux Patch Wednesday. Total vulnerabilities: 1083. 😱 879 in the Linux Kernel. 🤦‍♂️ Two vulnerabilities show signs of exploitation in the wild: 🔻 Code Injection – GLPI (CVE-2022-35914). An old vulnerability from CISA KEV, but first patched on March 3 in RedOS Linux.🔻 Memory Corruption – Safari (CVE-2025-24201). Fixed in WebKitGTK packages in Linux […]

### Impact The issue only occurs when the `CLIENT SETINFO` command times out during connection establishment. The following circumstances can cause such a timeout: 1. The client is configured to transmit its identity. This can be disabled via the `DisableIndentity` flag. 2. There are network connectivity issues 3. The client was configured with aggressive timeouts The impact differs by use case: * **Sticky connections**: Rather than using a connection from the pool on-demand, the caller can stick with a connection. Then you receive persistent out-of-order responses for the lifetime of the connection. * **Pipelines**: All commands in the pipeline receive incorrect responses. * **Default connection pool usage without pipelining**: When used with the default [ConnPool](https://github.com/redis/go-redis/blob/8fadbef84a3f4e7573f8b38e5023fd469470a8a4/internal/pool/pool.go#L77) once a connection is returned after use with [ConnPool#Put](https://github.com/redis/go-redis/blob/8fadbef84a3f4...

### Impact The `APIExport` Virtual Workspace can be used to manage objects in workspaces that bind that `APIExport` for resources defined in the `APIExport` or specified and accepted via permission claims. This allows an API provider (via their `APIExport`) scoped down access to workspaces of API consumers to provide their services properly. The identified vulnerability allows creating or deleting an object via the `APIExport` VirtualWorkspace in any arbitrary target workspace for pre-existing resources. By design, this should only be allowed when the workspace owner decides to give access to an API provider by creating an APIBinding. With this vulnerability, it is possible for an attacker to create and delete objects even if none of these requirements are satisfied, i.e. even if there is no APIBinding in that workspace at all or the workspace owner has created an APIBinding, but rejected a permission claim. ### Patches A fix for this issue has been identified and has been publish...

### Summary URLs starting with `//` are not parsed properly, and the request `REQUEST_FILENAME` variable contains a wrong value, leading to potential rules bypass. ### Details If a request is made on an URI starting with `//`, coraza will set a wrong value in `REQUEST_FILENAME`. For example, if the URI `//bar/uploads/foo.php?a=b` is passed to coraza: , `REQUEST_FILENAME` will be set to `/uploads/foo.php`. The root cause is the usage of `url.Parse` to parse the URI in [ProcessURI](https://github.com/corazawaf/coraza/blob/8b612f4e6e18c606e371110227bc7669dc714cab/internal/corazawaf/transaction.go#L768). `url.Parse` can parse both absolute URLs (starting with a scheme) or relative ones (just the path). `//bar/uploads/foo.php` is a valid absolute URI (the scheme is empty), `url.Parse` will consider `bar` as the host and the path will be set to `/uploads/foo.php`. ### PoC ```go package main import ( "fmt" "net/url" "os" "github.com/corazawaf/coraza/v3" ) const testRule = ` Sec...

The data exposure vulnerability in Liferay Portal 7.4.0 through 7.4.3.126, and Liferay DXP 2024.Q3.0, 2024.Q2.0 through 2024.Q2.12, 2024.Q1.1 through 2024.Q1.12, 2023.Q4.0 through 2023.Q4.10, 2023.Q3.1 through 2023.Q3.10, 7.4 GA through update 92 allows an unauthorized user to obtain entry data from forms.