Aggregator

A vulnerability was found in quickjs-ng QuickJS up to 0.8.0. It has been declared as problematic. Affected by this vulnerability is the function JS_GetRuntime of the file quickjs.c of the component qjs. The manipulation leads to stack-based buffer overflow. This vulnerability is known as CVE-2024-13903. The attack can be launched remotely. There is no exploit available. It is recommended to upgrade the affected component.

英伟达正在加州圣何塞举办 GPU Technology Conference(GTC)AI 会议，会议期间该公司使用流动餐车不定时向与会者出售你很难在其它地方买到的 RTX 5080 和 5090 高端显卡。GTC 的门票最低超过 1000 美元，但门票并不会让你获得折扣价。就连英伟达手中的 RTX 5000 系列高端显卡也非常有限：总共 2000 张，其中 RTX 5080 和 5090 各一千张。

Submit #517394 / VDB-300571

A vulnerability was found in code-projects Human Resource Management System 1.0.1. It has been classified as problematic. Affected is the function UpdateRecruitmentById of the file \handler\recruitment.go. The manipulation of the argument c leads to cross site scripting. This vulnerability is traded as CVE-2025-2590. It is possible to launch the attack remotely. Furthermore, there is an exploit available.

A vulnerability was found in code-projects Human Resource Management System 1.0.1 and classified as critical. This issue affects the function Index of the file \handler\Account.go. The manipulation of the argument user_cookie leads to improper authorization. The identification of this vulnerability is CVE-2025-2589. The attack needs to be done within the local network. Furthermore, there is an exploit available.

Submit #517344 / VDB-300570

Submit #517343 / VDB-300569

A vulnerability has been found in Hercules Augeas 1.14.1 and classified as problematic. This vulnerability affects the function re_case_expand of the file src/fa.c. The manipulation of the argument re leads to null pointer dereference. This vulnerability was named CVE-2025-2588. Attacking locally is a requirement. Furthermore, there is an exploit available.

网络犯罪分子利用DeepSeek AI的知名度和公信力，创建仿冒域名、应用程序和通信渠道，实施精心设计的网络钓鱼和恶意软件攻击。

A vulnerability, which was classified as critical, was found in Jinher OA C6 1.0. This affects an unknown part of the file IncentivePlanFulfillAppprove.aspx. The manipulation of the argument httpOID leads to sql injection. This vulnerability is uniquely identified as CVE-2025-2587. It is possible to initiate the attack remotely. Furthermore, there is an exploit available.

Submit #517281 / VDB-300568

海洋哺乳动物可能拥有直接感知其自身血循环中氧含量的能力，帮助它们挺过长时间的潜水，而大多数陆地哺乳动物是没有这种能力的；这种能力使得海洋哺乳动物能够在水下停留较长时间，并在缺氧导致其溺水前再次浮出水面。研究人员对捕获的野生灰海豹（Halichoerus grypus）进行了一项研究：检查变化受控的吸入氧和二氧化碳水平会如何影响它们的潜水行为。结果显示，潜水持续时间与血氧水平密切相关，但却不受 CO₂ 水平或血液 pH 值的影响。据研究结果披露，即使暴露于比环境空气高 200 倍的二氧化碳浓度时，这些海豹的潜水时间也会保持不变。然而改变氧气水平（无论是将环境中的氧气浓度加倍还是减半）都会显著影响海豹在水下停留的时间。研究人员认为，这项研究提供了令人信服的证据：灰海豹具有感受氧气浓度的认知能力，这使得它们能够相应地调节其潜泳时间。此外，鉴于海洋哺乳动物在潜泳相关适应性上广泛存在趋同演化，其他物种很可能也有类似的感知氧气的机制。

A vulnerability, which was classified as critical, has been found in 70mai Dashcam 1S. Affected by this issue is some unknown functionality of the component Pairing. The manipulation leads to improper authentication. This vulnerability is handled as CVE-2025-30112. The attack needs to be approached within the local network. Furthermore, there is an exploit available.

A vulnerability classified as problematic was found in Zoho ManageEngine ServiceDesk Plus, ServiceDesk Plus MSP and SupportCentre Plus. Affected by this vulnerability is an unknown functionality of the component Task Feature. The manipulation leads to cross site scripting. This vulnerability is known as CVE-2024-50053. The attack can be launched remotely. There is no exploit available. It is recommended to upgrade the affected component.

In the face of sudden trade restrictions, sanctions, or policy shifts, relying on SaaS providers outside your region for identity services is a gamble that companies can no longer afford to take. With trade disputes set to escalate, a sudden policy change could result in SaaS providers pulling out of regions or being forced to comply with new regulations that render identity services inaccessible. While software companies have yet to be put in the crosshairs, … More →

The post The hidden risk in SaaS: Why companies need a digital identity exit strategy appeared first on Help Net Security.

Submit #516025 / VDB-300567

开源软件开发平台 SourceHut 创始人兼 CEO Drew DeVault 通过其个人博客抨击 AI 公司不尊重 robosts.txt 而大肆抓取数据导致 SourceHut 服务中断。KDE GitLab 基础设施因被阿里巴巴的 AI 爬虫淹没导致开发者在短时间内无法访问。为了阻止 AI 公司的爬虫抓取数据，GNOME 项目部署了工作量证明工具 Anubis，Anubis 向浏览器展示一个网页，要求浏览器花时间执行数学运算并将结果返回给服务器，如果答案正确，就可以访问该网站。GNOME 系统管理员 Bart Piotrowski 在 Mastodon 上公开了一些数据：两个半小时内收到了 81k 个请求，其中只有 3% 通过了 Anubi 的工作量证明，意味着 97% 的流量来自机器人爬虫，这是一个疯狂的数字。LWN 的主编 Jonathan Corbet 警告，由于 AI 爬虫的 DDoS 攻击，网站可能偶尔会出现访问缓慢的情况，他表示网站访问流量只有很小一部分来自人类读者，AI 爬虫有时会从数百个 IP 地址同时发动相当于 DDoS 攻击 的请求，AI 爬虫唯一不抓取的内容是 robosts.txt。Fedora 项目系统管理员 Kevin Fenzi 因难以区分 AI 爬虫而屏蔽了整个巴西的 IP 地址。Inkscape 项目也面临类似的攻击。AI 爬虫的访问频率非常高，它们每隔几小时就会再次尝试抓取数据。开源项目相比闭源项目受到更大的影响，因为整个项目的基础设施是公开的，它们的资源也更有限。

Submit #521067 / VDB-300566

深度调研软件安全理解行业需求洞源实验室调研活动洞源实验室正在筹划制作《2025年软件安全市场需求报告》

深度调研软件安全理解行业需求洞源实验室调研活动洞源实验室正在筹划制作《2025年软件安全市场需求报告》