Latest News

### Impact When using the recommended "best-effort" mode, Go-Landlock did not restrict the TCP bind() and connect() operations any more when they were requested. This affects Go-Landlock users to whom both of the following conditions apply: * They use Landlock rulesets that are supposed to restrict networking (through `landlock.V4`, `landlock.V5`, or self-configured). * These Landlock rulesets are used in best-effort mode. Typically, affected code uses the Go-Landlock API like this (the crucial part being the combination of `V4`/`V5` and `.BestEffort()`): ``` err := landlock.V5.BestEffort().Restrict(...) ``` * This is a bug in the Go-Landlock library and does not affect programs that use Landlock via C or other language bindings. * The bug only affects networking restrictions. File system restrictions continue to work as expected. ### Patches Patched in: https://github.com/landlock-lsm/go-landlock/commit/fb3ad845df462d013f9c8a965c496617c6a5778b Users should upgrade to: v0.0.0-202...

Organizations are grappling with the risks of having outdated hardware handling core workloads, mission-critical applications no one knows how to update or maintain, and systems that IT and security teams don't know about.

### Summary A DOM Clobbering gadget has been discoverd in Astro's client-side router. It can lead to cross-site scripting (XSS) in websites enables Astro's client-side routing and has *stored* attacker-controlled scriptless HTML elements (i.e., `iframe` tags with unsanitized `name` attributes) on the destination pages. ### Details #### Backgrounds DOM Clobbering is a type of code-reuse attack where the attacker first embeds a piece of non-script, seemingly benign HTML markups in the webpage (e.g. through a post or comment) and leverages the gadgets (pieces of js code) living in the existing javascript code to transform it into executable code. More for information about DOM Clobbering, here are some references: [1] https://scnps.co/papers/sp23_domclob.pdf [2] https://research.securitum.com/xss-in-amp4email-dom-clobbering/ #### Gadgets found in Astro We identified a DOM Clobbering gadget in Astro's client-side routing module, specifically in the `<ViewTransitions />` component. ...

Education, including K-12 schools and universities, has become the third most targeted sector due to the high variety of sensitive data it stores in its databases.

### Impact The image optimization feature of Next.js contained a vulnerability which allowed for a potential Denial of Service (DoS) condition which could lead to excessive CPU consumption. **Not affected:** - The `next.config.js` file is configured with `images.unoptimized` set to `true` or `images.loader` set to a non-default value. - The Next.js application is hosted on Vercel. ### Patches This issue was fully patched in Next.js `14.2.7`. We recommend that users upgrade to at least this version. ### Workarounds Ensure that the `next.config.js` file has either `images.unoptimized`, `images.loader` or `images.loaderFile` assigned. #### Credits Brandon Dahler (brandondahler), AWS Dimitrios Vlastaras

Apache ActiveMQ Artemis allows access to diagnostic information and controls through MBeans, which are also exposed through the authenticated Jolokia endpoint. Before version 2.29.0, this also included the Log4J2 MBean. This MBean is not meant for exposure to non-administrative users. This could eventually allow an authenticated attacker to write arbitrary files to the filesystem and indirectly achieve RCE. Users are recommended to upgrade to version 2.29.0 or later, which fixes the issue.

Another day, another ticketing platform breached!

Attackers can introduce a malicious document in systems such as Microsoft 365 Copilot to confuse the system, potentially leading to widespread misinformation and compromised decision-making processes.

The ABB BMS/BAS controller suffers from an authenticated OS command injection vulnerability. This can be exploited to inject and execute arbitrary shell commands through the 'country', 'state', 'locality', 'organization', and 'hostname' HTTP POST parameters called by the sslCertAjax.php script.

By combining human and nonhuman identity management in one solution, Flock Safety is helping law enforcement solve an impressive number of criminal cases every day.