
Security Bulletin: Critical Apache Roller Vulnerability Enables Unauthorized Session Persistence

CVE-2025-24859 is a critical security vulnerability in Apache Roller, a Java-based web application used for blogging and content management, that allows unauthorized session reuse due to insufficient session expiration after a user’s password is changed. Notably, the application fails to invalidate active user sessions upon password modification, irrespective of whether the change is initiated by the user or an administrative entity.

SquareX to Uncover Data Splicing Attacks at BSides San Francisco, A Major DLP Flaw that Compromises Data Security of Millions

SquareX researchers Jeswin Mathai and Audrey Adeline will be disclosing a new class of data exfiltration techniques at BSides San Francisco 2025. Titled "Data Splicing Attacks: Breaking Enterprise DLP from the Inside Out", the talk will demonstrate multiple data splicing techniques that will allow attackers to exfiltrate any sensitive file or clipboard data, completely bypassing major Data Loss Protection (DLP) vendors listed by Gartner by exploiting architectural vulnerabilities in the browser.

Snyk's Statement on the MITRE CVEs Program Funding Update

Over the past several days, the cybersecurity community has watched closely as uncertainty swirled around the future of the MITRE-run CVE (Common Vulnerabilities and Exposures) program, following a letter to its board of directors warning that its federal funding could abruptly end. As of this blog posting, news outlets like Reuters are reporting that a last-minute extension has been granted, providing temporary relief.

The CVE Program Is on Life Support - and So Is Our Outdated Approach to Vulnerability Management

The cybersecurity community is facing a seismic shift. MITRE’s announcement that its contract to operate the Common Vulnerabilities and Exposures (CVE) program will expire on April 16, 2025, without a clear renewal plan, has sent shockwaves through the industry. This development threatens to dismantle a cornerstone of global cybersecurity coordination.

Responsible vulnerability disclosure: Why it matters

The concept of responsible disclosure is a simple one. If you find a vulnerability, you let the affected organization or software vendor know before making the information public. This gives them time to patch the vulnerability before it can be exploited. It also helps maintain trust and fosters a collaborative environment between security researchers and companies. As a cybersecurity vendor, do we want our researchers to be credited when they discover vulnerabilities? Of course.

Vector and Embedding Weaknesses in AI Systems

AI security threats are evolving at roughly the same speed that AI itself is: extremely fast. One of the most recent—and least understood—vulnerabilities involves vector and embedding weaknesses. These issues have gained attention with their addition to the OWASP Top 10 for LLMs, and the risks are becoming more urgent as Retrieval-Augmented Generation (RAG) continues to dominate enterprise AI adoption.

MITRE CVE Program Uncertainty: Mend.io's commitment to uninterrupted vulnerability protection

As many of you may know, MITRE’s DHS contract to manage the CVE and CWE programs expired on April 16, 2025. While emergency funding has since been restored for a short time, the long-term future of these programs still remains uncertain. Understandably, this situation has raised concerns throughout the cybersecurity community about the stability and continuity of vulnerability tracking and management systems that many organizations have come to rely upon.

Homograph attacks: How hackers exploit look-alike domains

Several years ago, a security researcher discovered a vulnerability in Google Chrome that allowed fake domains to bypass the browser’s security measures. The researcher registered a domain that appeared as “xn--80ak6aa92e.com” but displayed as “apple.com” in the browser, demonstrating how easy it was to deceive users. This is just one example of what’s known as a homograph attack, or sometimes a ‘look-alike domain’ attack.