Aggregator

#Wordpress 5.2.3未授权访问 #hubot-rocketchat LFI #Polkit权限提升

A vulnerability classified as problematic was found in Weight DN Shipping for WooCommerce Plugin up to 1.1 on WordPress. Affected by this vulnerability is an unknown functionality of the component Setting Handler. The manipulation leads to cross-site request forgery. This vulnerability is known as CVE-2024-11842. The attack can be launched remotely. There is no exploit available. It is recommended to upgrade the affected component.

A vulnerability, which was classified as problematic, has been found in WP-SVG Plugin up to 0.9 on WordPress. Affected by this issue is some unknown functionality of the component Shortcode Attribute Handler. The manipulation leads to cross site scripting. This vulnerability is handled as CVE-2024-11644. The attack may be launched remotely. There is no exploit available.

A vulnerability, which was classified as problematic, was found in Float Block Plugin up to 1.7 on WordPress. This affects an unknown part of the component Setting Handler. The manipulation leads to cross site scripting. This vulnerability is uniquely identified as CVE-2024-11645. It is possible to initiate the attack remotely. There is no exploit available.

A vulnerability, which was classified as problematic, was found in PMWeb 7.2.0. This affects an unknown part of the component Setting Handler. The manipulation leads to weak password requirements. This vulnerability is uniquely identified as CVE-2025-1341. It is possible to initiate the attack remotely. Furthermore, there is an exploit available. The vendor was contacted early about this disclosure but did not respond in any way. It is recommended to change the configuration settings. The vendor was contacted early about this disclosure but did not respond in any way.

Биохимики раскрыли принцип работы клеточных ускорителей.

A Threat Actor Claims to be Selling a 0-day Shell Uploader Targeting Magento

Новое исследование подтверждает фазовый переход Андерсона для электромагнитных волн.

Name: EHAX CTF 2025 (an EHAX CTF event.)
Date: Feb. 15, 2025, 4 p.m. — 16 Feb. 2025, 16:00 UTC  [add to calendar]
Format: Jeopardy
On-line
Offical URL: https://ctf.ehax.tech/
Rating weight: 22.58
Event organizers: EHAX

Authors/Presenters: Paul Brownridge

Our sincere appreciation to DEF CON, and the Authors/Presenters for publishing their erudite DEF CON 32 content. Originating from the conference’s events located at the Las Vegas Convention Center; and via the organizations YouTube channel.

Permalink

The post DEF CON 32 – I Am Still The Captain Now! appeared first on Security Boulevard.

今日暂未更新资讯~
更多最新文章，请访问SecWiki

A new malware called FinalDraft has been using Outlook email drafts for command-and-control communication in attacks against a ministry in a South American country. [...]

OpenAI 更新了其聊天机器人 ChatGPT 如何表现以及如何响应用户请求的指导方针 Model Spec，允许在适当的上下文下生成成人级内容如色情和血腥内容。OpenAI 称 ChatGPT 不应该生成色情、非法或非自愿性行为的描述、或极端血腥的内容，除非是在科学、历史、新闻、创意，或者其它敏感内容合适的上下文中。用户的测试显示 ChatGPT 确实放宽了其内容过滤器。OpenAI 强调儿童色情仍然是禁止的。

Russia-linked group Storm-2372 used the device code phishing technique since Aug 2024 to steal login tokens from governments, NGOs, and industries. Microsoft Threat Intelligence researchers warn that threat actor Storm-2372, likely linked to Russia, has been targeting governments, NGOs, and various industries across multiple regions since August 2024. The attackers employ a phishing technique called […]

仅仅从问问题后，它接任务时的表现看，它已经比很多工作者“聪明”了

仅仅从问问题后，它接任务时的表现看，它已经比很多工作者“聪明”了

A vulnerability classified as critical has been found in code-projects Real Estate Property Management System 1.0. This affects an unknown part of the file /search.php. The manipulation of the argument StateName/CityName/AreaName/CatId leads to sql injection. This vulnerability is uniquely identified as CVE-2025-1374. It is possible to initiate the attack remotely. Furthermore, there is an exploit available.

Submit #499767 / VDB-295983

赛门铁克的研究人员报告，去年 11 月有黑客利用 Palo Alto Networks 的一个身份验证绕过高危漏洞 (CVE-2024-0012)入侵了南亚的一家中型软件和服务公司，从其内网窃取了管理员凭证，访问了 Veeam 服务器，找到了 AWS S3 凭证。在从 S3 中窃取敏感信息之后攻击者用 RA World 加密了该公司的 Windows 电脑，索要 200 万美元赎金，表示如果能在三天内付款，赎金将降至 100 万美元。安全研究人员发现攻击者使用了 PlugX 后门的一个定制版本，该后门被 Fireant aka Mustang Panda 或 Earth Preta 使用，认为黑客可能是兼职任勒索软件攻击者。

The post PCI DSS 4: Compliance Guide for SAQ A-EP Merchants to comply with Requirements 6.4.3 and 11.6.1 appeared first on Feroot Security.

The post PCI DSS 4: Compliance Guide for SAQ A-EP Merchants to comply with Requirements 6.4.3 and 11.6.1 appeared first on Security Boulevard.