Latest News

The following bundled files within the Mermaid NPM package contain a bundled version of DOMPurify that is vulnerable to https://github.com/cure53/DOMPurify/security/advisories/GHSA-mmhx-hmjr-r674, potentially resulting in an XSS attack. This affects the built: - `dist/mermaid.min.js` - `dist/mermaid.js` - `dist/mermaid.esm.mjs` - `dist/mermaid.esm.min.mjs` This will also affect users that use the above files via a CDN link, e.g. `https://cdn.jsdelivr.net/npm/[email protected]/dist/mermaid.min.js` **Users that use the default NPM export of `mermaid`, e.g. `import mermaid from 'mermaid'`, or the `dist/mermaid.core.mjs` file, do not use this bundled version of DOMPurify, and can easily update using their package manager with something like `npm audit fix`.** ### Patches - `develop` branch: 6c785c93166c151d27d328ddf68a13d9d65adc00 - backport to v10: 92a07ffe40aab2769dd1c3431b4eb5beac282b34

### Summary curl_cffi is potentially affected by High Severity vulnerability (CVE-2023-38545) in libcurl<8.4.0 ### Details HIGH severity vulnerability in curl and libcurl: [announcement](https://github.com/curl/curl/discussions/12026#discussioncomment-7195548) Details are still unknown, but seems it will be a major issue as it's advertised by curl devs as "_probably the worst curl security flaw in a long time_". A patched version (8.4.0) and details will be published around 06:00 UTC on October 11. curl_cffi wheels on PyPI ship with libcurl 7.84.0 ### PoC [https://inspector.pypi.io/project/curl-cffi/0.5.10b2/packages/56/ae/eb7d39ad234f1f44650b910757d5aa696feff413d327c8328223ce78cb76/curl_cffi-0.5.10b2-cp37-abi3-manylinux_2_17_aarch64.manylinux2014_aarch64.whl/curl_cffi/include/curl/curlver.h](https://inspector.pypi.io/project/curl-cffi/0.5.10b2/packages/56/ae/eb7d39ad234f1f44650b910757d5aa696feff413d327c8328223ce78cb76/curl_cffi-0.5.10b2-cp37-abi3-manylinux_2_17_aarch64.manylinux2014...

### Impact During an explicit sign-out, the server session is not fully terminated.

### Impact There is a potential risk of code execution for Backoffice users when they “preview” SVG files in full screen mode. ### Workarounds Server-side file validation is available to strip script tags from file's content during the file upload process.

Lumma Stealer malware uses fake CAPTCHA to deceive victims. This information-stealing malware targets sensitive data like passwords and…

### Impact The Backoffice displays the logout page with a session timeout message before the server session has fully expired, causing users to believe they have been logged out approximately 30 seconds before they actually are.

### Impact An improper access control issue has been identified, allowing low-privilege users to access the webhook API and retrieve information that should be restricted to users with access to the settings section

### Impact This can be leveraged to gain access to higher-privilege endpoints, e.g. if you get a user with admin privileges to run the code, you can potentially elevate all users and grant them admin privileges or access protected content. ### Patches Will be patched in 14.3.1 and 15.0.0. ### Workarounds Ensure that access to the Dictionary section is only granted to trusted users.

The 115,000-plus files related to UN Women included detailed financial disclosures from organizations around the world—and personal details and testimonials from vulnerable individuals.

Russian-speaking users have become the target of a new phishing campaign that leverages an open-source phishing toolkit called Gophish to deliver DarkCrystal RAT (aka DCRat) and a previously undocumented remote access trojan dubbed PowerRAT. "The campaign involves modular infection chains that are either Maldoc or HTML-based infections and require the victim's intervention to trigger the