Aggregator

A vulnerability classified as problematic was found in WP Hotel Booking Plugin up to 2.0.7 on WordPress. This vulnerability affects unknown code. The manipulation leads to cross-site request forgery. This vulnerability was named CVE-2023-5651. The attack can be initiated remotely. There is no exploit available. It is recommended to upgrade the affected component.

HackerNews 编译，转载请注明出处： 华硕确认了一个影响启用AiCloud功能路由器的严重安全漏洞，远程攻击者可借此在受影响设备上执行未授权功能。 该漏洞编号为CVE-2025-2492，CVSS评分为9.2（满分10.0）。 “特定华硕路由器固件系列存在认证控制不当漏洞，”华硕在公告中表示。”此漏洞可通过构造请求触发，可能导致未授权功能执行。” 华硕已通过以下固件分支的更新修复该缺陷： 3.0.0.4_382 3.0.0.4_386 3.0.0.4_388 3.0.0.6_102 为获得最佳防护，建议用户将设备升级至最新固件版本。 华硕建议，”请为无线网络和路由器管理页面设置不同密码。使用至少10位字符的密码，包含大写字母、数字和符号。” “不要在多台设备或服务中使用相同密码。避免使用连续数字或字母的密码，例如1234567890、abcdefghij或qwertyuiop。” 若无法立即更新补丁或路由器已停产（EoL），请确保登录密码和Wi-Fi密码强度足够。 另一解决方案是禁用AiCloud及所有可从互联网访问的服务，包括：WAN远程访问、端口转发、DDNS、VPN服务器、DMZ、端口触发和FTP。     消息来源：thehackernews； 本文由 HackerNews.cc 翻译整理，封面来源于网络；  转载请注明“转自 HackerNews.cc”并附上原文

A vulnerability was found in EyouCMS 1.6.4. It has been declared as problematic. This vulnerability affects unknown code. The manipulation leads to cross site scripting. This vulnerability was named CVE-2023-46935. The attack can be initiated remotely. There is no exploit available.

A vulnerability, which was classified as problematic, has been found in Checkmk up to 2.0.0p39/2.1.0p36/2.2.0p14. This issue affects some unknown processing of the component User-Message Handler. The manipulation leads to cross-site request forgery. The identification of this vulnerability is CVE-2023-6251. The attack may be initiated remotely. There is no exploit available. It is recommended to apply a patch to fix this issue.

A vulnerability, which was classified as problematic, was found in LibTIFF. Affected is the function TIFFOpen of the file tif_dirread.c of the component File Handler. The manipulation leads to resource consumption. This vulnerability is traded as CVE-2023-6277. It is possible to launch the attack remotely. Furthermore, there is an exploit available. It is recommended to apply a patch to fix this issue.

A vulnerability was found in LibTIFF and classified as critical. This issue affects the function cpStripToTile of the file tools/tiffcp.c. The manipulation leads to heap-based buffer overflow. The identification of this vulnerability is CVE-2023-6228. The attack may be initiated remotely. There is no exploit available.

A vulnerability classified as problematic was found in Apryse iText 8.0.2. This vulnerability affects the function main of the file PdfDocument.java. The manipulation leads to improper validation of array index. This vulnerability was named CVE-2023-6298. The attack can be initiated remotely. Furthermore, there is an exploit available. The real existence of this vulnerability is still doubted at the moment. The vendor was contacted early about this disclosure but did not respond in any way. A statement published afterwards explains that the exception is not a vulnerability and the identified CWEs might not apply to the software.

A vulnerability classified as critical was found in Artifex jbig2dec 0.20. This vulnerability affects the function jbig2_error of the file /jbig2dec/jbig2.c. The manipulation leads to memory corruption. This vulnerability was named CVE-2023-46361. The attack can be initiated remotely. There is no exploit available.

"新型安卓恶意软件SuperCard X通过NFC中继攻击窃取银行卡数据！"

A vulnerability was found in GoBGP up to 3.34.x and classified as problematic. Affected by this issue is some unknown functionality of the file pkg/packet/bgp/bgp.go of the component Flowspec Parser. The manipulation leads to denial of service. This vulnerability is handled as CVE-2025-43972. The attack may be launched remotely. There is no exploit available. It is recommended to upgrade the affected component.

A vulnerability has been found in GoBGP up to 3.34.x and classified as critical. Affected by this vulnerability is the function softwareVersionLen of the file pkg/packet/bgp/bgp.go. The manipulation leads to off-by-one. This vulnerability is known as CVE-2025-43971. The attack can be launched remotely. There is no exploit available. It is recommended to upgrade the affected component.

A vulnerability, which was classified as critical, was found in GoBGP up to 3.34.x. Affected is an unknown function of the file pkg/packet/rtr/rtr.go of the component RTR Message Handler. The manipulation leads to memory corruption. This vulnerability is traded as CVE-2025-43973. The attack needs to be approached within the local network. There is no exploit available. It is recommended to upgrade the affected component.

A vulnerability, which was classified as problematic, has been found in GoBGP up to 3.34.x. This issue affects some unknown processing of the file pkg/packet/mrt/mrt.go. The manipulation leads to improper validation of specified quantity in input. The identification of this vulnerability is CVE-2025-43970. It is possible to launch the attack on the local host. There is no exploit available. It is recommended to upgrade the affected component.

A vulnerability classified as problematic was found in KnowBe4 Security Awareness Training. This vulnerability affects unknown code of the component javascript URL Handler. The manipulation of the argument window.location.href leads to cross site scripting. This vulnerability was named CVE-2020-36844. The attack can be initiated remotely. There is no exploit available. This product is available as a managed service. Users are not able to maintain vulnerability countermeasures themselves. It is recommended to upgrade the affected component.

A vulnerability classified as problematic has been found in struktur libheif up to 1.19.5. This affects the function ImageItem_Grid::get_decoder of the file image-items/grid.cc. The manipulation leads to null pointer dereference. This vulnerability is uniquely identified as CVE-2025-43967. Local access is required to approach this attack. There is no exploit available. It is recommended to upgrade the affected component.

A vulnerability was found in struktur libheif up to 1.19.5. It has been rated as problematic. Affected by this issue is the function ImageItem_iden of the file image-items/iden.cc. The manipulation leads to null pointer dereference. This vulnerability is handled as CVE-2025-43966. An attack has to be approached locally. There is no exploit available. It is recommended to upgrade the affected component.

A vulnerability was found in LibRaw up to 0.21.3. It has been declared as problematic. Affected by this vulnerability is the function phase_one_correct of the file decoders/load_mfbacks.cpp of the component 0x041f Tag Processing Handler. The manipulation of the argument split_col/split_row leads to out-of-bounds read. This vulnerability is known as CVE-2025-43963. The attack needs to be approached locally. There is no exploit available. It is recommended to upgrade the affected component.

A vulnerability was found in LibRaw up to 0.21.3. It has been classified as problematic. Affected is an unknown function of the file metadata/tiff.cpp of the component Fujifilm 0xf00c Tag Parser. The manipulation leads to out-of-bounds read. This vulnerability is traded as CVE-2025-43961. It is possible to launch the attack on the local host. There is no exploit available. It is recommended to upgrade the affected component.

A vulnerability was found in Convertigo up to 8.3.4 and classified as problematic. This issue affects the function TwsCachedXPathAPI of the component API. The manipulation leads to exposed dangerous routine. The identification of this vulnerability is CVE-2025-43955. Attacking locally is a requirement. There is no exploit available.

A vulnerability has been found in LibRaw up to 0.21.3 and classified as problematic. This vulnerability affects the function phase_one_correct of the file decoders/load_mfbacks.cpp. The manipulation of the argument w0/w1 leads to out-of-bounds read. This vulnerability was named CVE-2025-43962. Local access is required to approach this attack. There is no exploit available. It is recommended to upgrade the affected component.