The ABB BMS/BAS controller suffers from an unauthenticated log information disclosure vulnerability. An unauthorized attacker can reference the affected page and disclose the webserver's log file containing system information running on the device.

ABB Cylon Aspect 3.08.01 (throttledLog.php) Unauthenticated Log Disclosure

If exploited, bad actors can execute arbitrary code while evading detection thanks to a renamed process.

Source: B Christopher via Alamy Stock Photo

A zero-day vulnerability, tracked as CVE-2024-44068, has been discovered in Samsung's mobile processors and is being used in an exploit chain for arbitrary code execution.

The vulnerability was given a critical CVSS score of 8.1 out of 10 and was patched in Samsung's October set of security fixes.

A National Institute of Standards and Technology (NIST) advisory on the bug describes it as "an issue \[that\] was discovered in the m2m scaler driver in Samsung Mobile Processor and Wearable Processor Exynos 9820, 9825, 980, 990, 850, and W920." A use-after-free bug in the mobile processor ultimately leads to privilege escalation, the agency added.

Google researcher Xingyu Jin was credited with reporting the flaw earlier this year, and Google TAG researcher Clement Lecigne warned that an exploit exists in the wild.

"This zero-day exploit is part of an EoP chain," Jin and Lecigne noted. "The actor is able to execute arbitrary code in a privileged camera server process. The exploit also renamed the process name itself to '\[email protected\]', probably for anti-forensic purposes."

**About the Author**

Samsung Zero-Day Vuln Under Active Exploit, Google Warns

PRESS RELEASE

CHARLOTTE, N.C. and SUNNYVALE, Calif., Oct. 21, 2024 /PRNewswire/ -- Honeywell (NASDAQ: HON) and Google Cloud announced a unique collaboration connecting artificial intelligence (AI) agents with assets, people and processes to accelerate safer, autonomous operations for the industrial sector.

This partnership will bring together the multimodality and natural language capabilities of Gemini on Vertex AI – Google Cloud's AI platform – and the massive data set on Honeywell Forge, a leading Internet of Things (IoT) platform for industrials. This will unleash easy-to-understand, enterprise-wide insights across a multitude of use cases. Honeywell's customers across the industrial sector will benefit from opportunities to reduce maintenance costs, increase operational productivity and upskill employees. The first solutions built with Google Cloud AI will be available to Honeywell's customers in 2025.

"The path to autonomy requires assets working harder, people working smarter and processes working more efficiently," said Vimal Kapur, Chairman and CEO of Honeywell. "By combining Google Cloud's AI technology with our deep domain expertise--including valuable data on our Honeywell Forge platform--customers will receive unparalleled, actionable insights bridging the physical and digital worlds to accelerate autonomous operations, a key driver of Honeywell's growth."

"Our partnership with Honeywell represents a significant step forward in bringing the transformative power of AI to industrial operations," said Thomas Kurian, CEO of Google Cloud. "With Gemini on Vertex AI, combined with Honeywell's industrial data and expertise, we're creating new opportunities to optimize processes, empower workforces and drive meaningful business outcomes for industrial organizations worldwide."

With the mass retirement of workers from the baby boomer generation, the industrial sector faces both labor and skills shortages, and AI can be part of the solution – as a revenue generator, not job eliminator. More than two-thirds (82%) of Industrial AI leaders believe their companies are early adopters of AI, but only 17% have fully launched their initial AI plans, according to Honeywell's 2024 Industrial AI Insights report. This partnership will provide AI agents that augment the existing operations and workforce to help drive AI adoption and enable companies across the sector to benefit from expanding automation.

Honeywell and Google Cloud will co-innovate solutions around:

Purpose-Built, Industrial AI Agents   
Built on Google Cloud's Vertex AI Search and tailored to engineers' specific needs, a new AI-powered agent will help automate tasks and reduce project design cycles, enabling users to focus on driving innovation and delivering exceptional customer experiences.

Additional agents will utilize Google's large language models (LLMs) to help technicians to more quickly resolve maintenance issues (e.g., "How did a unit perform last night?" "How do I replace the input/output module?" or "Why is my system making this sound?"). By leveraging Gemini's multimodality capabilities, users will be able to process various data types such as images, videos, text and sensor readings, which will help its engineers get the answers they need quickly – going beyond simple chat and predictions.

Enhanced Cybersecurity  
Google Threat Intelligence – featuring frontline insight from Mandiant – will be integrated into current Honeywell cybersecurity products, including Global Analysis, Research and Defense (GARD) Threat Intelligence and Secure Media Exchange (SMX), to help enhance threat detection and protect global infrastructure for industrial customers. 

On-the-Edge Device Advances   
Looking ahead, Honeywell will explore using Google's Gemini Nano model to enhance Honeywell edge AI devices' intelligence multiple use cases across verticals, ranging from scanning performance to voice-based guided workflow, maintenance, operational and alarm assist without the need to connect to the internet and cloud. This is the beginning of a new wave of more intelligent devices and solutions, which will be the subject of future Honeywell announcements.

By leveraging AI to enable growth and productivity, the integration of Google Cloud technology also further supports Honeywell's alignment of its portfolio to three compelling megatrends, including automation.

About Honeywell  
Honeywell is an integrated operating company serving a broad range of industries and geographies around the world. Our business is aligned with three powerful megatrends – automation, the future of aviation and energy transition – underpinned by our Honeywell Accelerator operating system and Honeywell Forge IoT platform. As a trusted partner, we help organizations solve the world's toughest, most complex challenges, providing actionable solutions and innovations through our Aerospace Technologies, Industrial Automation, Building Automation and Energy and Sustainability Solutions business segments that help make the world smarter and safer as well as more secure and sustainable. For more news and information on Honeywell, please visit www.honeywell.com/newsroom.

About Google Cloud  
Google Cloud is the new way to the cloud, providing AI, infrastructure, developer, data, security, and collaboration tools built for today and tomorrow. Google Cloud offers a powerful, fully integrated, and optimized AI stack with its own planet-scale infrastructure, custom-built chips, generative AI models, and development platform, as well as AI-powered applications, to help organizations transform. Customers in more than 200 countries and territories turn to Google Cloud as their trusted technology partner.

Honeywell and Google Cloud to Accelerate Auto Operations With AI Agents for the Industrial Sector

The vulnerability affects all versions prior to v0.68.0 and highlights the risks organizations assume when consuming open source software and code.

Source: adison pangchai via Shutterstock

Organizations using Open Policy Agent (OPA) for Windows should consider updating to v0.68.0 or later to protect against an authentication hash leakage vulnerability identified in all earlier versions of the open source policy enforcement engine.

The vulnerability designated the identifier CVE-2024-8260, stems from improper input validation, and allows attackers to trick OPA into accessing a malicious Server Message Block (SMB) share. This can result in credential leakage and the potential exposure of sensitive system information.

**Enabling Credential Leaks**

"Successful exploitation can lead to unauthorised access by leaking the Net-NTLMv2 hash — or in lay terms, the credentials — of the user currently logged into the Windows device running the OPA application," said researchers at Tenable, who discovered the bug and issued a report this week. "Post-exploitation, the attacker could relay authentication to other systems that support NTLMv2 or perform offline cracking to extract the password."

Many organizations use OPA for Windows to implement and enforce authorization and resource access policies across their software stack, including cloud native applications, microservices, and APIs. The technology gives organizations a way to ensure consistent policy automation and compliance across mixed Linux and Windows environments.

The vulnerability that Tenable discovered essentially allows attackers to force a vulnerable system to authenticate to an attacker's server and thereby share user credentials in the process. The problem had to do with older versions of OPA for Windows not properly verifying the kind of files it received. Ordinarily, OPA should only use what are known as Rego files for rules and policies around decision making. What Tenable discovered was that because of improper validation, an attacker could pass an arbitrary SMB share instead of a Rego file to the OPA Command Line Interface or one of its Go library functions. An attacker could inject a path to their own server in the SMB share and force the system running the vulnerable OPA instance to authenticate to it.

"This can result in credential leaks or the execution of malicious logic, posing serious risks to system integrity and security," Tenable said. An adversary that obtains a NTLM hash by exploiting CVE-2024-8260 could use the hash in a variety of ways, including authenticating to other systems and services, moving laterally, connecting to file shares, and attempting to extract the password.

NTLM (New Technology LAN Manager) is a suite of authentication protocols from Microsoft that many organizations use to enable single sign-on to enterprise applications and services. Attackers have often exploited NTLM in so-called pass-the-hash attacks and NTLM relay attacks, where they essentially reuse a captured hash to authenticate to different applications and services without actually knowing the password.

**A Reminder of Open Source Risks**

Tenable described the vulnerability it discovered as highlighting the risks organizations assume when consuming open source software and code. In research that Black Duck described in its "2024 Open Source Security and Risk Analysis Report," the vendor found some 96% of code bases it reviewed to contain open source components. On average, 77% of all code in these codebases originated from open source. Some 84% codebases that underwent a risk assessment contained one or more security vulnerabilities and 74% had high-risk vulnerabilities like Log4Shel and XZ Utils in them. A surprising 14% of the code bases that Black Duck assessed had unpatched open source vulnerabilities in them that were 10 or more years old.

"As open-source projects become integrated into widespread solutions, it is crucial to ensure they are secure and do not expose vendors and their customers to an increased attack surface," said Ari Eitan, director of Tenable Cloud Security Research, in a statement. "This vulnerability discovery underscores the need for collaboration between security and engineering teams to mitigate such risks."

**About the Author**

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year career at Computerworld, Jai also covered a variety of other technology topics, including big data, Hadoop, Internet of Things, e-voting, and data analytics. Prior to Computerworld, Jai covered technology issues for The Economic Times in Bangalore, India. Jai has a Master's degree in Statistics and lives in Naperville, Ill.

OPA for Windows Vulnerability Exposes NTLM Hashes

PRESS RELEASE

Kuala Lumpur, Malaysia – 22 Oct. 2024 –  SoftwareOne Holding AG, a leading global software and cloud solutions provider, has launched a SoftwareOne Cloud Competency Centre in collaboration with Amazon Web Services (AWS) in Kuala Lumpur, Malaysia. 

Serving businesses across Southeast Asia, this new centre will provide clients with local expertise and support in AWS cloud services, including generative artificial intelligence (AI) tools Amazon Bedrock, a fully managed service that provides a single API to access and utilise high-performing foundation model from leading AI companies, and Amazon Q, a generative AI-powered assistant for business and developers, to drive digital transformation. By establishing the SoftwareOne Cloud Competency Centre in Malaysia, SoftwareOne further expands its global delivery network across fast-growing technology markets to help local businesses innovate with the latest technology advancements. The SoftwareOne Cloud Competency Centre opening follows AWS’s own recent announcement of cloud infrastructure expansion in Malaysia.  

"As an AWS Premier Tier Services Partner, we are thrilled to continue our collaboration with AWS through the opening of our new SoftwareOne Cloud Competency Centre in Malaysia,” said David Tan, Regional Services Leader, APAC at SoftwareOne. "This is strategically aligned with AWS's commitment to Asia and will make SoftwareOne’s global expertise and resources readily accessible to local clients. Businesses of all types will be able to accelerate their digital journeys more efficiently, benefiting from on-the-ground support in cloud migration, application modernisation, end-user computing, and FinOps.” 

“AWS is committed to enabling global organisations across industries with the world’s most comprehensive and broadly adopted cloud, and AI technologies to innovate, scale, and achieve their business and digital transformation objectives with efficiency and resilience. The recent launch of our AWS Region in Malaysia deepens that resolve,” said Peter Murray, Country Manager, AWS Malaysia. “As a Premier Tier AWS Partner, SoftwareOne is well-positioned to help businesses adopt and optimise their AWS use. Establishing the SoftwareOne Cloud Competency Centre in Malaysia aligns our goals of expanding cloud accessibility and compliance capabilities locally for customers.” 

The SoftwareOne Cloud Competency Centre experts will guide clients in implementing the SoftwareOne Landing Zone for AWS, a comprehensive pre-configured and automated framework that provides a foundation for building a secure, multi-account AWS environment. Featuring cloud infrastructure, policies, and guardrails, including centrally managed services, it is designed to help organisations quickly set up a secure and scalable environment with a consistent set of AWS best practices.  

Leveraging industry-leading infrastructure as code tool Terraform, SoftwareOne’s Landing Zone for AWS gets clients up and running from a zero footprint to AWS workload deployment within days. It also helps clients improve the operational efficiency of their AWS environments with SoftwareOne’s ongoing management and expertise in implementing patching and updates. 

“Our cloud journey involves migrating and modernising complicated and legacy workloads with stringent timelines, and we need a partner who is agile, understands such complex environments and can work closely with our internal team,” said Daniel Anand, Head of Technology Infrastructure and Architecture, Sun Life Malaysia. “SoftwareOne is helping us implement best-in-class solutions tailored to our needs, ensuring a seamless transition to the cloud while maintaining compliance with us in building the detailed business case for board approval and aligning with Sun Life global cloud framework and compliance.” 

“The launch of the regional SoftwareOne Cloud Competency Centre demonstrates SoftwareOne’s continued dedication to empowering digital transformation globally,” said Sean Pope, Global Leader, SoftwareOne Centre of Excellence for AWS. “This Centre will be a cornerstone in our global portfolio development, enhancing our ability to deliver cutting-edge solutions and support to businesses in SEA. The innovations and best practices we establish here will also be pillars upon which to build, benefitting other regions by enhancing our global AWS service offerings.” 

For more information about the SoftwareOne Cloud Competency Centre in SEA and its support of digital transformation initiatives, please visit www.softwareone.com. 

About SoftwareOne  

SoftwareOne is a leading global software and cloud solutions provider that is redefining how organizations build, buy and manage everything in the cloud. By helping clients to migrate and modernize their workloads and applications – and in parallel, to navigate and optimize the resulting software and cloud changes – SoftwareOne unlocks the value of technology. The company’s ~9,300 employees are driven to deliver a portfolio of 7,500 software brands with sales and delivery capabilities in over 60 countries. Headquartered in Switzerland, SoftwareOne is listed on the SIX Swiss Exchange under the ticker symbol SWON. Visit us at www.softwareone.com.

SoftwareOne Launches Cloud Competency Centre in Malaysia

PRESS RELEASE

VIENNA, VA (October 22, 2024) – The Retail and Hospitality Information Sharing and Analysis Center (RH-ISAC) announced the launch of LinkSECURE, a new program to help mature the cybersecurity capabilities of vendors and address the growing concern of supply chain cybersecurity vulnerabilities.  

The program aims to reduce third-party risk for RH-ISAC member companies by strengthening the cybersecurity of their suppliers. This initiative demonstrates RH-ISAC's commitment to improving cybersecurity across the entire retail and hospitality ecosystem.  

LinkSECURE program participants will work closely with dedicated support managers to implement critical security controls. In addition, the organization will hold virtual meetings, educational sessions on the essentials of cybersecurity, and topical briefings on major sector incidents one-on-one and in group settings. 

A few key points showcasing the significance of the new program include:  

*   Offers a guided path to implementing a prioritized set of safeguards to mitigate the most prevalent cyberattacks  
    

*   Guides these businesses to maturity in their cybersecurity programs 
    

*   Provides users with access to a vast array of RH-ISAC resources relevant to their sectors including threat intelligence, research/reporting, the work of member groups, and resources from partner organizations
    

“The LinkSECURE program is setting a new standard to help our industry become better prepared to combat ever-growing cybersecurity threats,” said Luke Vander Linden, RH-ISAC's Vice President of Membership and Marketing.  

The program will primarily be offered to RH-ISAC's Core Members’ vendors. Should other small to mid-sized retailers be interested, RH-ISAC will consider their participation too. 

For more information on RH-ISAC and the LinkSECURE offering, please visit rhisac.org/linkSECURE.  

ABOUT RH-ISAC 

The Retail & Hospitality Information Sharing and Analysis Center (RH-ISAC) is a trusted community for sharing sector-specific cybersecurity information and intelligence. RH-ISAC connects information security teams at the strategic, operational, and tactical levels to work together on issues and challenges, to share practices and insights, and to benchmark among each other – all with the goal of building better security for consumer-facing industries through collaboration. RH-ISAC serves businesses including retailers, restaurants, hotels, gaming casinos, food retailers, consumer products, and other consumer-facing companies. For more information, visit www.rhisac.org. 

You May Also Like

Retail &amp; Hospitality ISAC Launches Program Aimed at Securing Supply Chains

Cybersecurity is not "one size fits all." Employers, recruiters, and managers need to embrace neurodiversity through inclusive hiring practices, tailored training programs, and adaptive management styles.

Source: Tomertu via Adobe Stock Photo

Megan Roddie-Fonseca, a senior security engineer at Datadog, recalls a pivotal moment during her job interview that swayed her decision to join the company.

"During the interview process, the manager asked me, 'How can I manage you? What's your ideal way of working?'" Roddie-Fonseca says. "'What can I do in order to make you the employee that you need to be and that you want to be?'"

For Roddie-Fonseca, a neurodivergent individual, this willingness to adapt management styles based on individual needs was a key factor in her decision to accept Datadog's offer.

"That's a big thing for me, instead of a manager saying, 'This is my management style,'" she says, noting that a tailored management approach can create an environment where neurodiverse workers feel understood and supported.

Roddie-Fonseca was diagnosed with autism when she was 12 years old and with ADHD later in life. While she has personally had overall positive experiences in the cybersecurity industry, she's also aware — by networking with other neurodivergent individuals — of the challenges that many face in their careers.

Neurodiversity includes individuals with conditions such as autism, ADHD, and dyslexia. While neurodivergent individuals can bring a wealth of unique skills to the workplace, they often face unnecessary challenges in the hiring process, training, and overall workplace environment.

**Align the Interview With the Job**

One issue is the current structure of the hiring process in many organizations. Rigid interviews, vague expectations, and unaccommodating environments can create barriers for neurodivergent candidates. Roddie-Fonseca says that typical interview setups, where candidates sit in front of a hiring manager or panel to answer rapid-fire questions, are not designed for those who may struggle with social anxiety or sensory-processing issues.

"Sitting in a room answering questions, especially when you're seeking a job that is going to have less social interaction, is not the way to do it," she says. "When it comes to showing my skill set, I'm going to be doing that on a computer, in an environment I'm comfortable with."

Performance-based interviews, where candidates demonstrate their skills in a simulated work environment, are a better alternative. Dr. Jodi Asbell-Clarke, a senior researcher in neurodiversity in STEM education at the nonprofit TERC and author of Reaching and Teaching Neurodivergent Learners in STEM, says it is essential to allow candidates to show their abilities under conditions they’re comfortable with.

“Many neurodivergent employees I have spoken with tell me they are at their best when they have time and mental space to solve a problem on their own, in their own way, and then bring it back to the team,” she says.

Rather than focusing on quick thinking under pressure, performance-based assessments allow candidates to demonstrate their problem-solving talents without the added stress of rigid, high-pressure conditions.

**Supporting Neurodivergent Employees on the Job**

Hiring neurodivergent candidates is just the first step; ensuring they are supported once on the job is equally important. Neurodivergent professionals often thrive in environments where accommodations are made to help them succeed, from flexible working conditions to individualized communication styles.

Universal design principles — where workplace accommodations are made available to everyone, regardless of whether they disclose a neurodivergent condition — can make a big difference, says Liz Green, an occupational therapist and business consultant who specializes in neurodiversity and inclusive design and often works with cybersecurity.

"Neurodivergence is already present in about 20% of the workforce, but not everyone will disclose it. So it's important to have support systems in place that everyone can access," she says.

Creating employee manuals, where workers outline their preferred communication and work styles, is a simple and inclusive solution that can benefit all employees, neurodivergent or not, Green adds.

Once neurodivergent employees are onboarded, providing appropriate training is essential. The traditional approach to training, where all new hires undergo the same program without considering individual learning needs, can leave neurodivergent employees struggling. Asbell-Clarke points out that giving neurodivergent employees space for "autonomy of thought" during training can be beneficial. For example, instead of bombarding new hires with information in a classroom setting, consider self-paced training modules that allow individuals to learn at their own speed.

Meghan Maneval, senior director of product marketing at LogicGate and also a neurodivergent individual, says clear communication — in multiple formats — during both interviewing and training is essential for her.

"Due to my auditory processing disorder, I often rely on written communication to fully process information," she says.

Employers can also create mentorship opportunities, pairing neurodivergent hires with more experienced employees who understand their challenges. These mentors can offer guidance and help them navigate the nuances of company culture and expectations.

**Creating a Culture of Inclusion**

Building an inclusive culture goes beyond just offering accommodations. It requires a shift in mindset across the organization.

"It's a culture shift because a lot of people are afraid to bring up those things because people think they're silly or they'll feel like, you know, they're going to get fired or not be a candidate for hire because they made a request like this," says Roddie-Fonseca.

Green emphasizes the need for open dialogue and the willingness to learn.

"Opening up the conversation is the first step. Silence doesn't help,” she says. By engaging in conversations about neurodiversity, employers can begin to dismantle the biases that prevent neurodivergent individuals from succeeding.

Another key component is establishing employee resource groups (ERGs) for neurodivergent individuals, says Green. These groups can provide a platform for employees to voice their needs and advocate for changes that improve the workplace for everyone.

“The most important thing is bringing forth the voices of the population," Green says. "It's about making an effort to listen and then act on what neurodivergent employees are saying."

An opportunity exists to rethink traditional hiring practices and embrace a more inclusive approach in cybersecurity hiring. As Datadog's Roddie-Fonseca points out, neurodivergent individuals often possess unique problem-solving abilities and strong attention to detail — skills that are highly valuable in technical fields. Yet the current hiring landscape remains inaccessible for many. By adopting flexible, inclusive hiring and training practices, cybersecurity employers can not only tap into the neurodiverse talent pool but also create a more dynamic and innovative workforce.

**About the Author**

Contributing Writer, Dark Reading

Joan Goodchild is a veteran journalist, editor, and writer who has been covering security for more than a decade. She has written for several publications and previously served as editor-in-chief for CSO Online.

Breaking Barriers: Making Cybersecurity Accessible for Neurodiverse Professionals

Without DMARC, campaigns remain highly susceptible to phishing, domain spoofing, and impersonation.

Source: Saphiens via Alamy Stock Photo

Nearly 75% of US Senate campaign websites are lacking when it comes to DMARC protections, otherwise known as Domain-based Message Authentication, Reporting, and Conformance safeguards.

DMARC tools are used to prevent phishing and spoofing attacks by ensuring that the domains from which emails are sent get authenticated.

Without these protections, campaign websites are left vulnerable to cyberattacks, a critical issue given that these campaigns are emailing voters, donors, and staff frequently.

This could lead to compromised voter information, donor data, strategic campaign plans, and other sensitive data, furthering a lack of public trust in US elections, an issue that has become increasingly prominent in the past few years. In 2016, Russian state actors tried to influence the presidential election by disrupting the election process and hacking emails. 

According to the study, conducted by Red Sift, campaigns will remain highly susceptible to phishing, domain spoofing, and impersonation attacks without DMARC, ultimately leading to slower campaign operations, leaks in confidential information, and worse.

The report calls for immediate prioritization of DMARC implementation across US Senate and presidential campaigns, and insuring that these implementations are properly configured.

**About the Author**

Most US Political Campaigns Lack DMARC Email Protection

The severity of the Elevation of Privilege – Windows Kernel-Mode Driver (CVE-2024-35250) vulnerability has increased. This vulnerability was fixed as part of the June Microsoft Patch Tuesday. As in the case of the CVE-2024-30090 vulnerability, it was discovered by a researcher with the nickname Angelboy from DEVCORE. And it also affects the Kernel Streaming framework, […]

**The severity of the Elevation of Privilege – Windows Kernel-Mode Driver (CVE-2024-35250) vulnerability has increased.** This vulnerability was fixed as part of the June Microsoft Patch Tuesday. As in the case of the CVE-2024-30090 vulnerability, it was discovered by a researcher with the nickname Angelboy from DEVCORE. And it also affects the Kernel Streaming framework, and specifically its core component – the ks.sys driver. Angelboy wrote about this vulnerability in a post on August 23.

On October 13, a PoC of the exploit, released by user varwara, appeared on GitHub. The repository also contains a video demonstrating the launch of the exploit and obtaining System privileges.

Updates are available for Windows 10 and 11, and Windows Server from 2008 to 2022.

На русском

Hi! My name is Alexander and I am a Vulnerability Management specialist. You can read more about me here. Currently, the best way to follow me is my Telegram channel @avleonovcom. I update it more often than this site. If you haven’t used Telegram yet, give it a try. It’s great. You can discuss my posts or ask questions at @avleonovchat.

А всех русскоязычных я приглашаю в ещё один телеграмм канал @avleonovrus, первым делом теперь пишу туда.

The severity of the Elevation of Privilege – Windows Kernel-Mode Driver (CVE-2024-35250) vulnerability has increased

The following bundled files within the Mermaid NPM package contain a bundled version of DOMPurify that is vulnerable to https://github.com/cure53/DOMPurify/security/advisories/GHSA-mmhx-hmjr-r674, potentially resulting in an XSS attack.

This affects the built:

- `dist/mermaid.min.js`
- `dist/mermaid.js`
- `dist/mermaid.esm.mjs`
- `dist/mermaid.esm.min.mjs`

This will also affect users that use the above files via a CDN link, e.g. `https://cdn.jsdelivr.net/npm/mermaid@10.9.2/dist/mermaid.min.js`

**Users that use the default NPM export of `mermaid`, e.g. `import mermaid from 'mermaid'`, or the `dist/mermaid.core.mjs` file, do not use this bundled version of DOMPurify, and can easily update using their package manager with something like `npm audit fix`.**

### Patches

- `develop` branch: 6c785c93166c151d27d328ddf68a13d9d65adc00
- backport to v10: 92a07ffe40aab2769dd1c3431b4eb5beac282b34

The following bundled files within the Mermaid NPM package contain a bundled version of DOMPurify that is vulnerable to GHSA-mmhx-hmjr-r674, potentially resulting in an XSS attack.

This affects the built:

*   dist/mermaid.min.js
*   dist/mermaid.js
*   dist/mermaid.esm.mjs
*   dist/mermaid.esm.min.mjs

This will also affect users that use the above files via a CDN link, e.g. https://cdn.jsdelivr.net/npm/mermaid@10.9.2/dist/mermaid.min.js

**Users that use the default NPM export of mermaid, e.g. import mermaid from 'mermaid', or the dist/mermaid.core.mjs file, do not use this bundled version of DOMPurify, and can easily update using their package manager with something like npm audit fix.**

**Patches**

*   develop branch: 6c785c93166c151d27d328ddf68a13d9d65adc00
*   backport to v10: 92a07ffe40aab2769dd1c3431b4eb5beac282b34

**References**

*   GHSA-mmhx-hmjr-r674
*   GHSA-m4gq-x24j-jpmf
*   mermaid-js/mermaid@6c785c9
*   mermaid-js/mermaid@92a07ff

Latest News