Aggregator

A vulnerability classified as critical has been found in libexpat up to 2.4.3. Affected is the function XML_GetBuffer. The manipulation leads to integer overflow. This vulnerability is traded as CVE-2022-23852. The attack can only be initiated within the local network. There is no exploit available. It is recommended to upgrade the affected component.

A vulnerability classified as critical was found in libexpat up to 2.4.3. This vulnerability affects the function doProlog. The manipulation leads to integer overflow. This vulnerability was named CVE-2022-23990. The attack needs to be initiated within the local network. There is no exploit available. It is recommended to upgrade the affected component.

A vulnerability, which was classified as critical, was found in GLPI up to 9.5.6. Affected is an unknown function. The manipulation leads to sql injection. This vulnerability is traded as CVE-2022-21720. It is possible to launch the attack remotely. There is no exploit available. It is recommended to upgrade the affected component.

A vulnerability, which was classified as critical, was found in Plone Products.ATContentTypes up to 3.0.5. This affects an unknown part. The manipulation leads to open redirect. This vulnerability is uniquely identified as CVE-2022-23599. It is possible to initiate the attack remotely. There is no exploit available. It is recommended to upgrade the affected component.

A vulnerability classified as very critical was found in Oracle Communications MetaSolv Solution 6.3.1. Affected by this vulnerability is an unknown functionality of the component User Interface. The manipulation leads to integer overflow. This vulnerability is known as CVE-2022-23990. The attack can be launched remotely. There is no exploit available. It is recommended to upgrade the affected component.

A vulnerability was found in Oracle Communications Cloud Native Core Console 1.9.0. It has been rated as very critical. Affected by this issue is some unknown functionality of the component CNC Console. The manipulation leads to code injection. This vulnerability is handled as CVE-2022-23221. The attack may be launched remotely. There is no exploit available. It is recommended to upgrade the affected component.

A vulnerability was found in Oracle Healthcare Translational Research up to 4.1.1.1. It has been rated as very critical. This issue affects some unknown processing of the component Data Studio. The manipulation leads to code injection. The identification of this vulnerability is CVE-2022-23221. The attack may be initiated remotely. There is no exploit available.

A vulnerability classified as very critical has been found in Oracle SOA Suite 12.2.1.4.0. This affects an unknown part of the component B2B Engine. The manipulation leads to argument injection. This vulnerability is uniquely identified as CVE-2022-23221. It is possible to initiate the attack remotely. There is no exploit available.

HackerNews 编译，转载请注明出处： 应用安全领域正面临一个持续十余年的悖论：检测工具越先进，警报结果却越无用。随着静态分析工具、扫描器和CVE数据库的警报激增，真正的安全保障却愈发遥不可及。取而代之的是警报疲劳与不堪重负的团队——这已成为行业新常态。 根据OX Security的《2025年应用安全基准报告》，95-98%的应用安全警报无需采取行动——事实上，这些警报对组织的危害可能大于帮助。我们的研究覆盖178个组织的1.01亿个安全检测结果，揭示了现代应用安全运营的低效。每个组织平均收到近57万条警报，其中仅有202条代表真实关键问题。 这个令人震惊的结论难以忽视：安全团队正在追逐幻影，将时间浪费在对无实际威胁漏洞的处置上，消耗预算，并与开发团队关系紧张。最糟糕的是——安全正在阻碍实际创新。正如Chris Hughes所言：“我们以业务赋能者自居，实则将同事埋没于苦工，延缓开发速度，最终损害业务成果。” 回溯2015年，全球公开披露的CVE漏洞仅6,494个，彼时检测能力被视为核心指标。十年间，云原生应用普及、开发周期提速、攻击面扩张，至2025年全球CVE漏洞总数已突破20万。然而，多数安全工具仍固守“检测为王”逻辑，向控制面板倾泻未经筛选、缺乏上下文的警报。 OX的基准报告证实了从业者长期怀疑的现象： 32%的已报告问题存在低利用概率 25%没有已知公开漏洞利用 25%源于未使用或仅用于开发的依赖项 这种无关检测结果的洪流不仅拖慢安全速度——更在主动削弱安全效能。 为对抗这种厄运循环，组织必须采用基于证据优先级的更复杂应用安全方法。这需要从通用警报处理转向涵盖从设计阶段到运行时代码的全面模型，包含以下要素： 可达性：漏洞代码是否被使用，是否可访问？ 可利用性：该环境中是否存在漏洞利用条件？ 业务影响：此处被攻破会造成实际损害吗？ 云到代码映射：该问题在SDLC中起源于何处？ 通过实施此类框架，组织能有效过滤噪音，专注于构成真实威胁的少数警报。这能提升安全效能，释放宝贵资源，并支持更自信的开发实践。OX Security正通过代码投影（Code Projection）应对这一挑战——这项基于证据的安全技术将云和运行时元素映射回代码源头，实现上下文理解和动态风险优先级排序。 通过基于证据的优先级排序，每个组织平均569,354条警报可缩减至11,836条，其中仅202条需立即处置。行业基准揭示多个关键洞见： 一致的噪音阈值：无论企业或商业环境，不同行业的基线噪音水平惊人相似 企业安全复杂性：企业环境因更广泛的工具生态、更大的应用覆盖、更多的安全事件、更频繁的事件和更高的整体风险敞口面临更大挑战 金融行业脆弱性：金融机构警报量显著更高。其对金融交易和敏感数据的处理使其成为高价值目标。如《Verizon数据泄露调查报告》所示，95%的攻击者主要动机是经济利益而非间谍活动。金融机构与货币资产的密切关系为攻击者创造了直接获利机会 这些发现具有深远影响。如果少于5%的应用安全修复对组织至关重要，那么所有组织在分类、编程和网络安全工时上的巨额投入都将徒劳。这种浪费延伸至漏洞赏金计划支付（白帽黑客发现需修复的漏洞），以及未及时发现并进入生产环境的漏洞修复成本。最终重大成本是开发团队与安全团队之间因要求修复无关漏洞而产生的紧张关系。 面对2025年预计新增的5万个漏洞，传统“全检测、后修复”模式已显危险。OX报告强调应用安全的未来不在于修复所有潜在漏洞，而在于智能识别真实风险。当企业能将97.8%的无效警报过滤，安全团队方能摆脱“救火队”角色，真正成为业务创新的护航者。          消息来源： thehackernews； 本文由 HackerNews.cc 翻译整理，封面来源于网络；  转载请注明“转自 HackerNews.cc”并附上原文

A vulnerability classified as critical was found in Subrion CMS 4.2.1. This vulnerability affects unknown code of the file phrases/add/. The manipulation leads to injection. This vulnerability was named CVE-2020-12468. Local access is required to approach this attack. There is no exploit available.

A vulnerability was found in MonoX up to 5.1.40.5152 and classified as problematic. Affected by this issue is some unknown functionality. The manipulation leads to cross site scripting (Stored). This vulnerability is handled as CVE-2020-12472. The attack may be launched remotely. There is no exploit available.

A vulnerability, which was classified as critical, has been found in Handy Groupware 1.7.3.1 on Windows. Affected by this issue is the function ShellExec in the library HShell.dll of the component ActiveX Control. The manipulation as part of Command leads to os command injection. This vulnerability is handled as CVE-2020-7804. The attack may be launched remotely. There is no exploit available.

A vulnerability was found in WordPress. It has been rated as problematic. This issue affects some unknown processing of the component Navigation Section. The manipulation leads to cross site scripting. The identification of this vulnerability is CVE-2020-11025. The attack may be initiated remotely. There is no exploit available. It is recommended to upgrade the affected component.

A vulnerability was found in Apache OFBiz 17.12.01. It has been classified as problematic. Affected is an unknown function. The manipulation leads to cross-site request forgery. This vulnerability is traded as CVE-2019-0235. It is possible to launch the attack remotely. Furthermore, there is an exploit available.

A vulnerability classified as problematic has been found in WordPress. Affected is an unknown function of the component Media Section. The manipulation leads to improper neutralization. This vulnerability is traded as CVE-2020-11026. It is possible to launch the attack remotely. There is no exploit available. It is recommended to upgrade the affected component.

A vulnerability classified as critical was found in WordPress. Affected by this vulnerability is an unknown functionality of the component Password Reset Link. The manipulation leads to operation on a resource after expiration. This vulnerability is known as CVE-2020-11027. The attack can be launched remotely. Furthermore, there is an exploit available. It is recommended to upgrade the affected component.

A vulnerability, which was classified as problematic, has been found in WordPress. Affected by this issue is some unknown functionality of the component Private Post Handler. The manipulation leads to improper access controls. This vulnerability is handled as CVE-2020-11028. The attack may be launched remotely. There is no exploit available. It is recommended to upgrade the affected component.

A vulnerability was found in TinyWebGallery 1.8.3. It has been rated as critical. Affected by this issue is some unknown functionality. The manipulation of the argument command leads to memory corruption. This vulnerability is handled as CVE-2012-5347. The attack may be launched remotely. Furthermore, there is an exploit available.

HackerNews 编译，转载请注明出处： 微软宣布重大账户安全升级：新用户注册将默认启用无密码登录。继2023年为消费者账户推出通行密钥（Passkey）支持后，微软进一步调整策略，强制新账户采用防钓鱼认证方式。微软身份认证部门负责人Joy Chik与安全副总裁Vasu Jakkal表示：“全新微软账户现默认无密码。新用户可通过多种无密码方式登录账户，且无需设置密码。现有用户可前往账户设置删除密码。” 此次更新简化了登录与注册流程，优先展示无密码选项。此外，登录流程现已自动检测用户账户可用的最佳认证方式并设为默认。例如，若某账户支持密码和“一次性验证码”登录，系统将引导用户选择后者。成功登录后，用户将收到设置通行密钥的提示以增强安全防护。微软此举与苹果、谷歌、亚马逊等科技企业近年举措同步，标志着行业向无密码时代稳步迈进。鉴于基于密码的网络攻击仍是攻击者主要入侵手段，通行密钥的普及预示着账户安全的重要变革。 2023年9月，微软在Windows 11中引入通行密钥支持，同期谷歌将其设为全球用户默认登录方式。2024年，微软更新Windows Hello生物识别系统以兼容该技术。通行密钥通过消除密码需求提供更安全登录方案，其技术基础由FIDO联盟推动的公钥加密体系支撑。用户注册在线服务时，其客户端设备（如手机或电脑）生成密钥对：私钥安全存储于本地，公钥上传至服务端。登录时，用户通过生物识别（如面容或指纹）验证身份后，设备使用私钥签署验证请求完成认证。 2024年10月，FIDO联盟宣布正与各方合作优化通行密钥跨平台导出功能，改善凭证提供商的互操作性。截至去年12月，全球超150亿用户账户已支持通行密钥登录。该联盟上月还成立支付工作组（PWG），旨在制定支付场景的FIDO解决方案，重点评估现有及新兴支付认证技术，并制定通行密钥与现有支付技术融合的指导规范。 消息来源： thehackernews； 本文由 HackerNews.cc 翻译整理，封面来源于网络；  转载请注明“转自 HackerNews.cc”并附上原文

美军以生物防御为由，在中国周边部署了大量的生物研究基地和站点，和许多国家以防治传染病为名开展了广泛的生物监测与生物研究合作。