Aggregator

本文深入分析了 Android 系统中与 Parcel 反序列化相关的安全漏洞及其防御机制，重点讨论安卓13引入的LazyValue机制如何缓解此类漏洞，并详细剖析两个典型的提权漏洞（的利用方式及修复方案。

A vulnerability, which was classified as problematic, has been found in Booking X Plugin up to 1.1.2 on WordPress. Affected by this issue is the function export_now of the component HTTP POST Request Handler. The manipulation leads to missing authorization. This vulnerability is handled as CVE-2025-6814. The attack may be launched remotely. There is no exploit available.

A vulnerability has been found in GoZen Forms Plugin up to 1.1.5 on WordPress and classified as critical. This vulnerability affects the function emdedSc. The manipulation of the argument ID leads to sql injection. This vulnerability was named CVE-2025-6783. The attack can be initiated remotely. There is no exploit available.

A vulnerability was found in GoZen Forms Plugin up to 1.1.5 on WordPress and classified as critical. This issue affects the function dirGZActiveForm. The manipulation of the argument forms-id leads to sql injection. The identification of this vulnerability is CVE-2025-6782. The attack may be initiated remotely. There is no exploit available.

A vulnerability classified as problematic has been found in Smart Docs Plugin up to 1.1.0 on WordPress. This affects the function smartdocs_search of the component Shortcode Handler. The manipulation leads to cross site scripting. This vulnerability is uniquely identified as CVE-2025-6787. It is possible to initiate the attack remotely. There is no exploit available.

A vulnerability classified as problematic was found in Portfolio for Elementor & Image Gallery Plugin up to 3.2.0/3.2.1 on WordPress. This vulnerability affects unknown code. The manipulation leads to cross site scripting. This vulnerability was named CVE-2025-7046. The attack can be initiated remotely. There is no exploit available.

A vulnerability was found in Cockpit up to 2.11.3. It has been rated as problematic. This issue affects some unknown processing of the file /system/users/save. The manipulation of the argument name/email leads to cross site scripting. The identification of this vulnerability is CVE-2025-7053. The attack may be initiated remotely. There is no exploit available. It is recommended to upgrade the affected component. The vendor was contacted early about this disclosure and acted very professional. A patch and new release was made available very quickly.

HackerNews 编译，转载请注明出处： 思科公司已发布安全更新，修复其统一通信管理器（Unified Communications Manager，简称Unified CM）和统一通信管理器会话管理版（Unified CM SME）中的一个最高严重级别安全漏洞。该漏洞可能允许攻击者以root用户身份登录受影响的设备，从而获得权限提升。 该漏洞编号为CVE-2025-20309，CVSS评分为10.0。 思科在周三发布的公告中表示：“此漏洞源于为开发阶段预留的root账户静态用户凭证。攻击者可能利用该账户登录受影响系统。成功利用漏洞后，攻击者能够以root用户身份登录系统并执行任意命令。” 此类硬编码凭证通常源自开发阶段的测试或临时修复，但绝不应出现在生产环境中。对于处理企业语音通话和通信的Unified CM等工具而言，root权限可能使攻击者进一步渗透网络、窃听通话或篡改用户登录方式。 这家网络设备巨头表示，目前尚未发现该漏洞在野外被利用的证据，且漏洞是在内部安全测试期间发现的。 CVE-2025-20309影响Unified CM和Unified CM SME的15.0.1.13010-1至15.0.1.13017-1版本，与设备配置无关。 此次漏洞修复距思科修复身份服务引擎（ISE）和ISE被动身份连接器中的两个安全漏洞（CVE-2025-20281和CVE-2025-20282）仅数日。后两个漏洞可能允许未经身份验证的攻击者以root用户身份执行任意命令。   消息来源： thehackernews； 本文由 HackerNews.cc 翻译整理，封面来源于网络； 转载请注明“转自 HackerNews.cc”并附上原文

文章描述了错误代码521的原因、影响及解决措施。

Adrian Lamo 认为黑客是天生的，强调好奇心和动手能力的重要性。他指出黑客的本质在于对技术的热爱和探索精神，并认为这种特质无法通过学习获得。然而，作者对此持怀疑态度，认为 hacking 可以像其他技能一样通过学习掌握，并质疑 Lamo 的观点是否过于 elitist。

中国信通院&悬镜安全2025年度重磅硬核成果发布!

当前环境异常导致访问受限,需完成验证后方可继续访问。

A vulnerability classified as critical was found in WP Human Resource Management Plugin up to 2.2.17 on WordPress. Affected by this vulnerability is the function ajax_insert_employee of the component AJAX Handler. The manipulation of the argument role leads to missing authorization. This vulnerability is known as CVE-2025-5953. The attack can be launched remotely. There is no exploit available.

A vulnerability, which was classified as problematic, has been found in WP Firebase Push Notification Plugin up to 1.2.0 on WordPress. This issue affects the function wfpn_brodcast_notification_message. The manipulation leads to cross-site request forgery. The identification of this vulnerability is CVE-2025-5924. The attack may be initiated remotely. There is no exploit available.

A vulnerability, which was classified as problematic, was found in ProcessingJS Plugin up to 1.2.2 on WordPress. Affected is the function pjs4wp. The manipulation leads to cross site scripting. This vulnerability is traded as CVE-2025-6039. It is possible to launch the attack remotely. There is no exploit available.

A vulnerability was found in WP Shortcodes Plugin Plugin up to 7.4.0 on WordPress. It has been classified as problematic. Affected is an unknown function. The manipulation of the argument data-url leads to cross site scripting. This vulnerability is traded as CVE-2025-5567. It is possible to launch the attack remotely. There is no exploit available.

xCal 是一款 Mac 菜单栏日历工具，支持显示苹果提醒事项、农历节假日、倒数日等功能，并提供简洁优雅的设计和自定义选项。

Сможет ли атомный реактор спасти водородную экономику?

A vulnerability, which was classified as critical, was found in e4jvikwp VikRentCar Car Rental Management System Plugin up to 1.4.3 on WordPress. This affects the function do_updatecar. The manipulation leads to unrestricted upload. This vulnerability is uniquely identified as CVE-2025-5322. It is possible to initiate the attack remotely. There is no exploit available.

A vulnerability, which was classified as problematic, was found in MintyDocs Extension up to 1.39.x/1.42.x/1.43.1 on Mediawiki. Affected is an unknown function. The manipulation leads to cross site scripting. This vulnerability is traded as CVE-2025-53493. It is possible to launch the attack remotely. There is no exploit available. It is recommended to upgrade the affected component.