Aggregator

作者：知道创宇404实验室 2024年，网络安全领域接连曝出了一系列高危漏洞，这些漏洞不仅影响范围广泛，而且破坏力极大，对全球的网络安全构成了严峻挑战。以下是我们从今年的安全漏洞应急中总结出的一些颇具危害性和影响力的网络安全漏洞，排名不分先后，当然，我们也从Seebug漏洞平台访问数据和ZoomEye网络空间搜索引擎对应搜索出来的受影响量级中筛选出了排名相对靠前的漏洞，附在文末供大家参考。通...

error code: 521

HackerNews 编译，转载请注明出处： 全球一些知名酒店连锁的客户个人信息在一次针对行业软件供应商的攻击中遭到泄露。 该攻击者似乎未经授权访问了酒店管理软件供应商Otelier的系统。Otelier提供的基于云的酒店管理软件帮助酒店优化运营，声称支持全球10,000多家酒店品牌、业主和运营商。 根据数据泄露通知网站HaveIBeenPwned（HIBP）的消息，攻击者在2024年访问了Otelier系统，窃取了包括万豪、希尔顿和凯悦等品牌的客户数据。 HIBP在周末将该泄露事件中的近50万个独立账户加入了其数据库。 “泄露的数据包括437,000个客户电子邮件地址（另外868,000个来自booking.com和Expedia平台生成的电子邮件地址未加载到HIBP中）、姓名、住址、电话号码、与旅行计划相关的预订信息、平台记录的购买信息，以及少数情况下的部分信用卡数据，”HIBP的记录中写道。 “数据由一位请求将其归因于ayame@xmpp.jp的来源提供给HIBP。” 更多酒店行业数据泄露事件：洲际酒店确认网络攻击，导致两天宕机。 暗网监控公司WhiteIntel的威胁研究人员在社交媒体上透露了更多关于此次事件的细节，称其可能源于信息窃取恶意软件。 “我们发现了几个由信息窃取者驱动的凭证泄露事件，这些泄露似乎导致了未经授权访问Otelier的GitHub和Atlassian实例，”该公司在X（前Twitter）上的一篇帖子中表示。“与信息窃取者相关的泄露风险每天都在增加。” 2024年10月，DarkWebInformer的威胁情报研究人员警告称，名为“worry”的攻击者在BreachForums上出售了从Otelier（前身为MyDigitalOffice，MDO）窃取的数据库。 此次事件凸显了组织在管理广泛数字供应链风险时所面临的挑战。根据非营利组织身份盗窃资源中心（ITRC）的数据，2024年第一季度受到供应链泄露威胁影响的公司数量相比2023年同期增长了三倍多。 酒店行业由于存储大量客户个人和财务数据，成为了一个特别具吸引力的攻击目标。 2024年，万豪酒店同意支付5200万美元的和解费，解决涉及超过1.31亿美国客户的大规模多年的数据泄露事件。   消息来源：Infosecurity Magazine, 编译：zhongx；  本文由 HackerNews.cc 翻译整理，封面来源于网络；   转载请注明“转自 HackerNews.cc”并附上原文

A vulnerability, which was classified as critical, was found in phpBB Advanced Quick Reply Hack 1.0.0/1.1.0. This affects an unknown part of the file quick_reply.php. The manipulation of the argument phpbb_root_path leads to code injection. This vulnerability is uniquely identified as CVE-2002-2287. It is possible to initiate the attack remotely. Furthermore, there is an exploit available.

IDC 的数据显示，2024 年第四季度，中国智能手机市场出货量约 7,643 万台，同比增长 3.9%。各价位段新品的集中上市以及部分省市开始的新机购买补贴政策推动整体市场延续了之前 4 个季度的增长趋势。vivo、华为和小米等厂商的强势表现帮助 Android 市场增幅超过 7%；但是 iPhone16 系列销售难有起色，使得 iOS 市场继续同比下降。2024 年全年中国智能手机市场出货量约 2.86 亿台，同比增长 5.6%，时隔两年触底反弹。其中华为出货量同比增长超过 50% 占 16.6% 排名第二，苹果则下降 5.4% 占 15.6% 排名第三，vivo 同比增长 10.3% 占 17.2% 排名第一。苹果在 800 美元以上市场份额依然占据 60%。

A vulnerability was found in Maulana Al Matien ardeaCore PHP Framework 2.2 and classified as critical. This issue affects some unknown processing in the library ardeaCore/lib/core/ardeaInit.php of the file ardeaCore/lib/core/ardeaInit.php. The manipulation of the argument pathForArdeaCore leads to code injection. The identification of this vulnerability is CVE-2010-4998. The attack may be initiated remotely. Furthermore, there is an exploit available.

Apache Shiro before 1.7.0, when using Apache Shiro with Spring, a specially crafted HTTP request may

在使用 Apache Shiro 与 Spring 集成时，如果 Apache Shiro 的版本低于 1.7.0，经过精心构造的 HTTP 请求可能会导致身份验证绕过。

主站 分类 漏洞 工具 极客

卡巴斯基披露了在梅赛德斯-奔驰信息娱乐系统中发现的十多个漏洞的细节，但奔驰保证这些安全漏洞已经得到修复。

A vulnerability has been found in Nusoftware nuBuilder up to 10.04.20 and classified as critical. This vulnerability affects unknown code of the file productionnu2/fileuploader.php of the component Uploader. The manipulation of the argument dir leads to path traversal. This vulnerability was named CVE-2010-2850. The attack can be initiated remotely. Furthermore, there is an exploit available. It is recommended to upgrade the affected component.

A vulnerability, which was classified as problematic, has been found in Adobe ColdFusion 8.0/8.0.1/9.0/9.0.1. This issue affects some unknown processing. The manipulation leads to path traversal. The identification of this vulnerability is CVE-2010-2861. The attack may be initiated remotely. Furthermore, there is an exploit available. It is recommended to upgrade the affected component.

A vulnerability was found in Adobe Shockwave Player up to 8.0.195 and classified as very critical. This issue affects some unknown processing in the library DIRAPI.dll. The manipulation leads to memory corruption. The identification of this vulnerability is CVE-2010-2882. The attack may be initiated remotely. There is no exploit available. It is recommended to upgrade the affected component.

A vulnerability has been found in Adobe Shockwave Player up to 8.0.195 and classified as very critical. This vulnerability affects unknown code in the library IML32.dll. The manipulation leads to memory corruption. This vulnerability was named CVE-2010-2881. The attack can be initiated remotely. There is no exploit available. It is recommended to upgrade the affected component.

A vulnerability has been found in Adobe Acrobat Reader and classified as critical. This vulnerability affects unknown code. The manipulation leads to memory corruption. This vulnerability was named CVE-2010-3658. The attack can be initiated remotely. There is no exploit available. It is recommended to upgrade the affected component.

A vulnerability has been found in Solaris, OpenUnix and UnixWare and classified as critical. Affected by this vulnerability is the function syserr/error of the file in.rarpd of the component ARP Server. The manipulation leads to format string. This vulnerability is known as CVE-2002-0884. The attack can be launched remotely. There is no exploit available.