Aggregator

根据国家信息安全漏洞库（CNNVD）统计，本周（2024年10月7日至2024年10月13日）安全漏洞情况如下。

A vulnerability was found in Booking.com Banner Creator Plugin up to 1.4.6 on WordPress and classified as problematic. This issue affects some unknown processing. The manipulation leads to cross site scripting. The identification of this vulnerability is CVE-2024-49265. The attack may be initiated remotely. There is no exploit available.

A vulnerability has been found in Thimo Grauerholz WP-Spreadplugin Plugin up to 4.8.9 on WordPress and classified as problematic. This vulnerability affects unknown code. The manipulation leads to cross site scripting. This vulnerability was named CVE-2024-49266. The attack can be initiated remotely. There is no exploit available.

A vulnerability, which was classified as critical, was found in Docker Desktop up to 4.34.2. This affects an unknown part of the component Build View. The manipulation leads to improper input validation. This vulnerability is uniquely identified as CVE-2024-9348. It is possible to initiate the attack remotely. There is no exploit available. It is recommended to upgrade the affected component.

A vulnerability, which was classified as problematic, has been found in nayon46 Unlimited Addon for Elementor Plugin up to 2.0.0 on WordPress. Affected by this issue is some unknown functionality. The manipulation leads to cross site scripting. This vulnerability is handled as CVE-2024-49267. The attack may be launched remotely. There is no exploit available.

A vulnerability classified as very critical has been found in Adobe Flash Player up to 21.0.0.213 on Windows. This affects an unknown part. The manipulation leads to memory corruption. This vulnerability is uniquely identified as CVE-2016-4114. It is possible to initiate the attack remotely. There is no exploit available. It is recommended to apply a patch to fix this issue.

在订阅服务遍地的时代，订阅一项服务本身是十分简单的，然而取消订阅却是众所周知的繁琐。现在，FTC 终于决定对此类做法进行打击。它宣布了 click-to-cancel 规定的最终稿，要求让消费者能像注册一样轻松取消订阅。其大部分条款将在《Federal Register》上公布 180 天后生效。FTC 主席 Lina M. Khan 表示，该机构的规定将让美国人节省时间和金钱，没人应为其不再需要的服务付费。

美国联邦和州政府已发布至少十余个漏洞奖励计划

给予警告，并处以罚款行政处罚

A vulnerability classified as problematic has been found in McAfee Asset Manager 6.6. This affects an unknown part. The manipulation of the argument reportFileName leads to path traversal. This vulnerability is uniquely identified as CVE-2014-2588. It is possible to initiate the attack remotely. Furthermore, there is an exploit available.

Google 的内部分析估计，四分之三的 0day 漏洞利用属于内存安全漏洞。为了减少此类漏洞，Google 多年来一直在推动使用内存安全语言，减少内存不安全代码的风险。它没有试图用内存安全语言完全重写相关的成熟代码，而是在新代码开发中尽可能的使用内存安全语言。它正将高性能内存安全语言 Rust 的使用范围从 Android 扩大到服务器、应用程序和嵌入式生态系统中。它在 Android 的网络、固件和图形堆栈部分使用了包括 Rust 在内的内存安全语言，过去几年 Android 系统报告的内存安全漏洞显著减少，从 2019 年的 220 多个降至今年年底的大约 36 个。这一结果证明了其战略转移的有效性。

CA/B testing: Ludicrous proposal draws ire from “furious” systems administrators.

The post Apple Enrages IT — 45-Day Cert Expiration Fury appeared first on Security Boulevard.

Fortinet has made generally available a version of the CNAPP it gained that is now integrated with the Fortinet Security Fabric, an orchestration framework the company developed to centralize the management of its cybersecurity portfolio.

The post Fortinet Integrates Lacework CNAPP into Cybersecurity Portfolio appeared first on Security Boulevard.

A new Bugcrowd study shows 71% of ethical hackers now see AI boosting hacking value, up from 21% in 2023

拍摄于 2024 年 10 月 15 日傍晚，均为单张曝光。 去年年初去追了 ZTF 彗星。因为设备和技术限制只拍到一个小绿点，兴奋不已。没想到这只是前菜。最近又被紫金山-阿特拉斯彗星的消息刷屏。 九月底彗星还是晨星的那几天，我正好又在加那利岛，但是连续几天都不想四五点早起上山。 拖到上周末开始北半球可以在日落后观赏，我追了三天都没见到，复盘才发现误会了时间点，走太早了。15 日打算最后尝试一次，越往后亮度会锐减，能不能继续看到就不好说了。 蹭朋友车上了山，原本影响观测的云变成了脚下的云海。日落后半小时就已经可以用相机捕捉到彗星，但这时候比较难定位。接下来的半小时逐渐变亮，连彗尾一起肉眼可见。震惊得无以言表。无需长曝光，在手机取景器实时预览里就非常清晰。 难以想象当年海尔-波普甚至池谷-关彗星该有多壮观。

A vulnerability classified as critical has been found in Linux Kernel up to 6.6.32/6.9.3. Affected is the function cpu5wdt_trigger of the file cpu5wdt.c of the component 5wdt Module. The manipulation leads to use after free. This vulnerability is traded as CVE-2024-38630. The attack can only be initiated within the local network. There is no exploit available. It is recommended to upgrade the affected component.