Aggregator

A vulnerability has been found in Google Chrome and classified as critical. Affected by this vulnerability is an unknown functionality of the component Service Worker API. The manipulation leads to out-of-bounds read. This vulnerability is known as CVE-2023-2133. The attack can be launched remotely. There is no exploit available. It is recommended to upgrade the affected component.

A vulnerability was found in Google Chrome and classified as critical. Affected by this issue is some unknown functionality of the component Service Worker API. The manipulation leads to out-of-bounds read. This vulnerability is handled as CVE-2023-2134. The attack may be launched remotely. There is no exploit available. It is recommended to upgrade the affected component.

钓鱼木马攻击事件日趋严重，

钓鱼木马攻击事件日趋严重，

A vulnerability, which was classified as problematic, was found in ManageEngine Netflow Analyzer 7.5. This affects an unknown part of the file jspui/index.jsp. The manipulation leads to cross site scripting. This vulnerability is uniquely identified as CVE-2009-3903. It is possible to initiate the attack remotely. There is no exploit available.

A vulnerability was found in e-Courier CMS wizard_oe2.asp and classified as problematic. This issue affects some unknown processing of the file Wizard_tracking.asp. The manipulation of the argument UserGUID leads to cross site scripting. The identification of this vulnerability is CVE-2009-3905. The attack may be initiated remotely. There is no exploit available.

A vulnerability has been found in CubeCart 4.3.4 and classified as critical. This vulnerability affects unknown code. The manipulation leads to improper access controls. This vulnerability was named CVE-2009-3904. The attack can be initiated remotely. Furthermore, there is an exploit available.

A vulnerability classified as critical has been found in ZNC 0.056/0.058/0.062. Affected is an unknown function of the file znc.conf of the component Configuration File. The manipulation leads to code injection. This vulnerability is traded as CVE-2009-0759. It is possible to launch the attack remotely. There is no exploit available. It is recommended to upgrade the affected component.

A vulnerability was found in QIP 2005. It has been declared as problematic. Affected by this vulnerability is an unknown functionality of the component Rich Text Format. The manipulation leads to improper resource management. This vulnerability is known as CVE-2009-0769. The attack can be launched remotely. Furthermore, there is an exploit available.

孩子可以练习表达、锻炼想象力，估计还可以去幼儿园、小学里给小伙伴们讲故事。

孩子可以练习表达、锻炼想象力，估计还可以去幼儿园、小学里给小伙伴们讲故事。

A vulnerability was found in Google Chrome. It has been declared as critical. This vulnerability affects unknown code of the component Skia. The manipulation leads to integer overflow. This vulnerability was named CVE-2023-2136. The attack can be initiated remotely. Furthermore, there is an exploit available. It is recommended to upgrade the affected component.

A vulnerability was found in Google Chrome. It has been classified as critical. This affects an unknown part of the component DevTools. The manipulation leads to use after free. This vulnerability is uniquely identified as CVE-2023-2135. It is possible to initiate the attack remotely. There is no exploit available. It is recommended to upgrade the affected component.

A vulnerability classified as problematic was found in sqlparse up to 0.4.3 on Python. Affected by this vulnerability is an unknown functionality. The manipulation leads to inefficient regular expression complexity. This vulnerability is known as CVE-2023-30608. The attack needs to be approached locally. There is no exploit available. It is recommended to upgrade the affected component.

A vulnerability classified as problematic was found in WP Custom Author URL Plugin up to 1.0.4 on WordPress. This vulnerability affects unknown code. The manipulation leads to cross site scripting. This vulnerability was named CVE-2023-1614. The attack can be initiated remotely. There is no exploit available.

A vulnerability, which was classified as problematic, has been found in Clock In Portal Plugin up to 2.1 on WordPress. Affected by this issue is some unknown functionality of the component Staff Deletion Handler. The manipulation leads to cross-site request forgery. This vulnerability is handled as CVE-2023-0761. The attack may be launched remotely. There is no exploit available.

A vulnerability was found in Google Chrome. It has been rated as critical. This issue affects some unknown processing of the component SQLite. The manipulation leads to heap-based buffer overflow. The identification of this vulnerability is CVE-2023-2137. The attack may be initiated remotely. There is no exploit available. It is recommended to upgrade the affected component.

A vulnerability was found in ImageMagick up to 6.8.8-4. It has been classified as critical. This affects the function DecodePSDPixels of the file coders/psd.c of the component PSD Image Handler. The manipulation leads to buffer overflow. This vulnerability is uniquely identified as CVE-2014-1958. It is possible to initiate the attack remotely. There is no exploit available. It is recommended to upgrade the affected component.

A vulnerability, which was classified as problematic, has been found in kalcaddle KodExplorer up to 4.49. Affected by this issue is some unknown functionality. The manipulation leads to cross-site request forgery. This vulnerability is handled as CVE-2022-4944. The attack may be launched remotely. Furthermore, there is an exploit available. It is recommended to upgrade the affected component.

HackerNews 编译，转载请注明出处： 当世界仍在为教皇方济各的逝世哀悼时，网络犯罪分子已通过伪造哀悼信息、诈骗链接和数据窃取手段将全球悲痛转化为牟利工具。 在教皇逝世消息公布后的数小时内，诈骗者便如机械般精准地利用公众震惊情绪展开行动。这种模式并不新鲜——从英国女王伊丽莎白二世去世、土耳其-叙利亚地震到COVID-19大流行，每当全球陷入悲痛，黑客就会抛出数字诱饵。 情绪化时刻创造了完美攻击窗口：人们紧盯屏幕寻求信息，戒心远低于平常。此时正是陷阱布设之时。AI生成的虚假图片（2025年2月首次传播）重新出现在各大网站和社交媒体，链接指向伪装成新闻站的恶意页面。 TikTok、Instagram和Facebook等平台充斥着AI生成的图片，部分声称展示教皇未公开影像或悼念内容，其逼真程度足以欺骗普通用户。人们点击、搜索——这正是攻击者所求。 网络安全公司Check Point研究人员指出，每逢重大事件，钓鱼攻击和恶意软件活动就会激增。近期某诈骗案例将用户从伪造的“教皇逝世突发新闻”站重定向至虚假Google页面，以赠送礼品卡为名索要信用卡信息。 另一危险手法是SEO投毒：攻击者购买谷歌搜索结果前排位置，将含恶意脚本的网站混入正规新闻链接。当用户搜索“教皇逝世最新动态”并点击看似正常的链接时，就会进入恶意网站。研究人员称，页面加载瞬间即触发后台脚本，无需额外点击即可窃取设备名称、操作系统、地理位置和语言设置。 这种方式使诈骗者能构建受害者画像，用于后续精准钓鱼攻击窃取凭证，或将数据转售暗网。约83%的诈骗域名未出现在安全雷达中，它们多为新注册或长期休眠域名，传统可疑网站检测工具难以识别。 “网络罪犯在混乱与好奇中获利。重大新闻事件总会引发利用公众关注度的诈骗激增，”研究人员写道，“最佳防御是用户意识与分层安全防护的结合。”     消息来源： cybernews； 本文由 HackerNews.cc 翻译整理，封面来源于网络；  转载请注明“转自 HackerNews.cc”并附上原文