Aggregator

A vulnerability labeled as critical has been found in ITCube CRM up to 2025.2. Affected by this issue is some unknown functionality. Such manipulation of the argument fileName leads to path traversal. This vulnerability is referenced as CVE-2025-5993. It is possible to launch the attack remotely. No exploit is available.

在Meta BountyCon活动中，研究人员发现Facebook Messenger for Windows中的路径遍历漏洞可被利用并通过DLL劫持实现远程代码执行，最终获得$111,750奖金。

A vulnerability categorized as problematic has been discovered in Google Android. The impacted element is the function init. Such manipulation leads to out-of-bounds read. This vulnerability is listed as CVE-2023-21044. The attack must be carried out locally. There is no available exploit. It is advisable to implement a patch to correct this issue.

A vulnerability identified as problematic has been detected in Google Android. This affects an unknown function of the component cpif Handler. Performing manipulation results in out-of-bounds read. This vulnerability is cataloged as CVE-2023-21045. The attack must be initiated from a local position. There is no exploit available. Applying a patch is the recommended action to fix this issue.

A vulnerability was found in Google Android. It has been rated as problematic. The impacted element is an unknown function. Performing manipulation results in use after free. This vulnerability was named CVE-2023-21042. The attack needs to be approached locally. There is no available exploit. To fix this issue, it is recommended to deploy a patch.

A vulnerability categorized as problematic has been discovered in Google Android. This affects an unknown function. Executing manipulation can lead to use after free. The identification of this vulnerability is CVE-2023-21043. The attack can only be executed locally. There is no exploit available. It is advisable to implement a patch to correct this issue.

A vulnerability was found in Google Android. It has been rated as problematic. The affected element is the function dumpstateBoard of the file Dumpstate.cpp. This manipulation causes out-of-bounds read. This vulnerability is tracked as CVE-2023-21039. The attack is restricted to local execution. No exploit exists. To fix this issue, it is recommended to deploy a patch.

A vulnerability was found in Google Android. It has been classified as critical. Impacted is the function buildCommand of the file bluetooth_ccc.cc. This manipulation causes out-of-bounds write. This vulnerability is handled as CVE-2023-21040. It is possible to launch the attack on the local host. There is not any exploit available. It is suggested to install a patch to address this issue.

A vulnerability was found in Google Android. It has been declared as critical. The affected element is the function append_to_params of the file param_util.c. Such manipulation leads to out-of-bounds write. This vulnerability is uniquely identified as CVE-2023-21041. Local access is required to approach this attack. No exploit exists. A patch should be applied to remediate this issue.

A vulnerability was found in Google Android 24000736 and classified as critical. This issue affects the function cs40l2x_cp_trigger_queue_show of the file cs40l2x.c. The manipulation results in out-of-bounds write. This vulnerability is known as CVE-2023-21038. Attacking locally is a requirement. No exploit is available. Applying a patch is advised to resolve this issue.

文章介绍了一种利用Burp Suite检测操作系统命令注入漏洞的方法。通过分析网站潜在风险并手动测试，可识别该类漏洞。该方法基于真实bug bounty实践，强调合法测试的重要性。

For the latest discoveries in cyber research for the week of 8th September, please download our Threat Intelligence Bulletin. TOP ATTACKS AND BREACHES A supply chain breach involving Salesloft’s Drift integration to Salesforce exposed sensitive customer data from multiple organizations, including Cloudflare, Zscaler, Palo Alto Networks, and Workiva. The attackers accessed Salesforce CRM systems via […]

The post 8th September – Threat Intelligence Report appeared first on Check Point Research.

Just a few months after Elon Musk’s retreat from his unofficial role leading the Department of Government Efficiency (DOGE), we have a clearer picture of his vision of government powered by artificial intelligence, and it has a lot more to do with consolidating power than benefitting the public. Even so, we must not lose sight of the fact that a different administration could wield the same technology to advance a more positive future for AI in government.

To most on the American left, the DOGE end game is a dystopic vision of a government run by machines that benefits an elite few at the expense of the people. It includes AI ...

The post AI in Government appeared first on Security Boulevard.

文章探讨了埃隆·马斯克领导的美国政府效率部（DOGE）如何利用人工智能集中权力而非服务公众。尽管AI技术有潜力改善政府服务，但在当前政治环境下被用于大规模废除法规并削弱员工权益。作者呼吁通过透明度和伦理框架确保技术服务于公共利益。

Android蓝牙栈新漏洞CVE-2025–48539被披露，评分8.0级。该漏洞源于acl_arbiter.cc中的use-after-free条件，允许邻近网络攻击者无需用户交互即可触发越界读取并执行任意代码。影响广泛企业设备已被定向攻击Google已确认野外利用。防御建议包括应用内核补丁禁用非必要蓝牙监控异常流量。

一位开发者在测试无服务器平台时，因API调用参数错误触发了1000多个虚拟服务器启动，导致2.5万美元云账单和账户被封。平台随后奖励7500美元漏洞赏金并恢复访问。

开发者在测试无服务器平台时因API调用参数错误触发系统生成1,000多个虚拟服务器，导致25,000美元云账单并被封禁。平台发现漏洞后奖励7,500美元并恢复访问。

参数隐藏是一种利用Web应用组件处理查询参数差异的缓存中毒技术，允许攻击者绕过缓存键、投毒响应并大规模传播恶意内容。

文章介绍了一种名为参数隐藏的网络缓存中毒技术，攻击者可借此绕过缓存键、污染响应并大规模传播恶意内容。该技术利用Web应用不同组件对查询参数的处理差异，在实验室场景中发现缓存系统忽略某些参数（如UTM跟踪值），而后台应用仍处理这些参数，导致恶意内容注入缓存并影响大量用户。

介绍如何利用Burp Suite手动检测OS命令注入漏洞的方法，强调其严重性和潜在风险，并提供实际步骤指导。