Aggregator

A vulnerability marked as critical has been reported in Mantis. This issue affects some unknown processing of the component Authentication. Performing manipulation results in improper privilege management (Cookie). This vulnerability was named CVE-2002-1112. The attack may be initiated remotely. There is no available exploit. It is suggested to upgrade the affected component.

文章介绍了如何利用HTML注入漏洞进行JavaScript侦察（JS Recon），通过简单的HTML标签如``窃取API密钥、内部子域名和隐藏端点。文章分步骤讲解了如何找到注入点、编写payload、手动分析JS文件以及利用工具自动化探测。

The attack that resulted in the Salesloft Drift data breach started with the compromise of the company’s GitHub account, Salesloft confirmed this weekend. Supply chain compromise On August 26, the company publicly revealed that earlier that month, a threat actor exfiltrated data from their customers’ Salesforce instances by leveraging stolen OAuth credentials that enable the integration of their Drift (Salesloft) chatbot with said instances. Google Threat Intelligence Group attributed the attack to an attack group … More →

The post Salesloft Drift data breach: Investigation reveals how attackers got in appeared first on Help Net Security.

Google обвинили в избирательном спаме писем республиканцев.

A vulnerability described as problematic has been identified in sanitize-html up to 1.0.2. This vulnerability affects the function naughtyHref of the component Anchor Tag Handler. Executing manipulation can lead to cross site scripting. This vulnerability is tracked as CVE-2014-125128. The attack can be launched remotely. No exploit exists. Upgrading the affected component is recommended.

A vulnerability marked as problematic has been reported in sanitize-html 1.4.3. This affects the function sanitizeHtml of the file index.js. Performing manipulation of the argument transformTags results in cross site scripting. This vulnerability is identified as CVE-2019-25225. The attack can be initiated remotely. There is not any exploit available. It is suggested to upgrade the affected component.

A vulnerability labeled as critical has been found in ITCube CRM up to 2025.2. Affected by this issue is some unknown functionality. Such manipulation of the argument fileName leads to path traversal. This vulnerability is referenced as CVE-2025-5993. It is possible to launch the attack remotely. No exploit is available.

在Meta BountyCon活动中，研究人员发现Facebook Messenger for Windows中的路径遍历漏洞可被利用并通过DLL劫持实现远程代码执行，最终获得$111,750奖金。

A vulnerability categorized as problematic has been discovered in Google Android. The impacted element is the function init. Such manipulation leads to out-of-bounds read. This vulnerability is listed as CVE-2023-21044. The attack must be carried out locally. There is no available exploit. It is advisable to implement a patch to correct this issue.

A vulnerability identified as problematic has been detected in Google Android. This affects an unknown function of the component cpif Handler. Performing manipulation results in out-of-bounds read. This vulnerability is cataloged as CVE-2023-21045. The attack must be initiated from a local position. There is no exploit available. Applying a patch is the recommended action to fix this issue.

A vulnerability was found in Google Android. It has been rated as problematic. The impacted element is an unknown function. Performing manipulation results in use after free. This vulnerability was named CVE-2023-21042. The attack needs to be approached locally. There is no available exploit. To fix this issue, it is recommended to deploy a patch.

A vulnerability categorized as problematic has been discovered in Google Android. This affects an unknown function. Executing manipulation can lead to use after free. The identification of this vulnerability is CVE-2023-21043. The attack can only be executed locally. There is no exploit available. It is advisable to implement a patch to correct this issue.

A vulnerability was found in Google Android. It has been rated as problematic. The affected element is the function dumpstateBoard of the file Dumpstate.cpp. This manipulation causes out-of-bounds read. This vulnerability is tracked as CVE-2023-21039. The attack is restricted to local execution. No exploit exists. To fix this issue, it is recommended to deploy a patch.

A vulnerability was found in Google Android. It has been classified as critical. Impacted is the function buildCommand of the file bluetooth_ccc.cc. This manipulation causes out-of-bounds write. This vulnerability is handled as CVE-2023-21040. It is possible to launch the attack on the local host. There is not any exploit available. It is suggested to install a patch to address this issue.

A vulnerability was found in Google Android. It has been declared as critical. The affected element is the function append_to_params of the file param_util.c. Such manipulation leads to out-of-bounds write. This vulnerability is uniquely identified as CVE-2023-21041. Local access is required to approach this attack. No exploit exists. A patch should be applied to remediate this issue.

A vulnerability was found in Google Android 24000736 and classified as critical. This issue affects the function cs40l2x_cp_trigger_queue_show of the file cs40l2x.c. The manipulation results in out-of-bounds write. This vulnerability is known as CVE-2023-21038. Attacking locally is a requirement. No exploit is available. Applying a patch is advised to resolve this issue.

文章介绍了一种利用Burp Suite检测操作系统命令注入漏洞的方法。通过分析网站潜在风险并手动测试，可识别该类漏洞。该方法基于真实bug bounty实践，强调合法测试的重要性。

For the latest discoveries in cyber research for the week of 8th September, please download our Threat Intelligence Bulletin. TOP ATTACKS AND BREACHES A supply chain breach involving Salesloft’s Drift integration to Salesforce exposed sensitive customer data from multiple organizations, including Cloudflare, Zscaler, Palo Alto Networks, and Workiva. The attackers accessed Salesforce CRM systems via […]

The post 8th September – Threat Intelligence Report appeared first on Check Point Research.

Just a few months after Elon Musk’s retreat from his unofficial role leading the Department of Government Efficiency (DOGE), we have a clearer picture of his vision of government powered by artificial intelligence, and it has a lot more to do with consolidating power than benefitting the public. Even so, we must not lose sight of the fact that a different administration could wield the same technology to advance a more positive future for AI in government.

To most on the American left, the DOGE end game is a dystopic vision of a government run by machines that benefits an elite few at the expense of the people. It includes AI ...

The post AI in Government appeared first on Security Boulevard.

文章探讨了埃隆·马斯克领导的美国政府效率部（DOGE）如何利用人工智能集中权力而非服务公众。尽管AI技术有潜力改善政府服务，但在当前政治环境下被用于大规模废除法规并削弱员工权益。作者呼吁通过透明度和伦理框架确保技术服务于公共利益。