Aggregator

在Spring中仅需Spring-AOP和aspectjweaver两个包即可挖掘的一条链子，让我们来浅浅学习一下吧

A vulnerability, which was classified as critical, has been found in OsamaTaher Java-springboot-codebase. This issue affects some unknown processing of the file /api/v1/customer/profile-picture. The manipulation leads to unrestricted upload. The identification of this vulnerability is CVE-2024-52302. The attack may be initiated remotely. Furthermore, there is an exploit available. It is recommended to apply a patch to fix this issue.

AI readiness in cybersecurity involves more than just possessing the latest tools and technologies; it is a strategic necessity. Many companies could encounter serious repercussions, such as increased volumes of advanced cyber threats, if they fail to exploit AI due to a lack of clear objectives, inadequate data readiness or misalignment with business priorities. Foundational concepts are vital for constructing a robust AI-readiness framework for cybersecurity. These concepts encompass the organization’s technology, data, security, governance … More →

The post Strategic AI readiness for cybersecurity: From hype to reality appeared first on Help Net Security.

A vulnerability has been found in Mozilla Firefox up to 103 and classified as critical. This vulnerability affects unknown code. The manipulation leads to memory corruption. This vulnerability was named CVE-2022-38478. The attack can be initiated remotely. There is no exploit available. It is recommended to upgrade the affected component.

A vulnerability was found in Mozilla Thunderbird up to 102.1. It has been rated as critical. Affected by this issue is some unknown functionality. The manipulation leads to memory corruption. This vulnerability is handled as CVE-2022-38477. The attack may be launched remotely. There is no exploit available. It is recommended to upgrade the affected component.

A vulnerability classified as critical has been found in Mozilla Thunderbird up to 102.1. This affects an unknown part. The manipulation leads to memory corruption. This vulnerability is uniquely identified as CVE-2022-38478. It is possible to initiate the attack remotely. There is no exploit available. It is recommended to upgrade the affected component.

A vulnerability was found in Univention UCS 5.0. It has been declared as critical. This vulnerability affects the function check_univention_joinstatus. The manipulation leads to exposure of resource. This vulnerability was named CVE-2023-38994. The attack needs to be approached locally. There is no exploit available.

A vulnerability classified as problematic has been found in Delta Electronics InfraSuite Device Master up to 1.0.7. This affects an unknown part of the component UDP Packet Handler. The manipulation leads to path traversal: '.../...//'. This vulnerability is uniquely identified as CVE-2023-47279. It is possible to initiate the attack remotely. There is no exploit available. It is recommended to upgrade the affected component.

A vulnerability was found in LiveConfig up to 2.5.1. It has been classified as critical. This affects an unknown part of the file /static/ of the component Request Handler. The manipulation leads to path traversal. This vulnerability is uniquely identified as CVE-2024-22851. It is possible to initiate the attack remotely. There is no exploit available. It is recommended to upgrade the affected component.

A vulnerability was found in Joel Starnes postMash Plugin up to 1.2.0 on WordPress. It has been rated as problematic. Affected by this issue is some unknown functionality. The manipulation leads to cross site scripting. This vulnerability is handled as CVE-2024-27196. The attack may be launched remotely. There is no exploit available.

A vulnerability classified as problematic was found in PayU India Plugin up to 3.8.2 on WordPress. This vulnerability affects unknown code. The manipulation leads to cross site scripting. This vulnerability was named CVE-2024-27193. The attack can be initiated remotely. There is no exploit available.

A vulnerability, which was classified as problematic, was found in Veribo & Roland Murg WP Simple Booking Calendar Plugin up to 2.0.8.4 on WordPress. This affects an unknown part. The manipulation leads to cross-site request forgery. This vulnerability is uniquely identified as CVE-2023-51525. It is possible to initiate the attack remotely. There is no exploit available.

A vulnerability classified as problematic has been found in Klarna Payments for WooCommerce Plugin up to 3.2.4 on WordPress. Affected is an unknown function. The manipulation leads to missing authorization. This vulnerability is traded as CVE-2024-30477. It is possible to launch the attack remotely. There is no exploit available.

A vulnerability classified as critical was found in Averta Shortcodes and Extra Features for Phlox Theme up to 2.15.5 on WordPress. Affected by this vulnerability is an unknown functionality. The manipulation leads to missing authorization. This vulnerability is known as CVE-2024-31099. The attack can be launched remotely. There is no exploit available.

A vulnerability, which was classified as problematic, has been found in Brice Capobianco Simple Revisions Delete Plugin up to 1.5.3 on WordPress. Affected by this issue is some unknown functionality. The manipulation leads to cross-site request forgery. This vulnerability is handled as CVE-2024-30482. The attack may be launched remotely. There is no exploit available.

The U.S. government funding for non-profit research giant MITRE to operate and maintain its Common Vulnerabilities and Exposures (CVE) program will expire Wednesday, an unprecedented development that could shake up one of the foundational pillars of the global cybersecurity ecosystem. The 25-year-old CVE program is a valuable tool for vulnerability management, offering a de facto standard to

MITRE’s Attack Flow project aims to translate complex cyber operations into a structured language. By describing how adversaries sequence and combine offensive techniques to reach their objectives, Attack Flow offers defenders, analysts, and decision-makers a tool to see the bigger picture. Threat intelligence Cyber threat intel (CTI) teams can use Attack Flow to show how attackers behave, not just what tools they use. It tracks activity across incidents, campaigns, or threat groups. Because it’s machine-readable, … More →

The post Attack Flow: Learn how cyber adversaries combine and sequence offensive techniques appeared first on Help Net Security.

Axing Security Clearance Will Undermine Talent Pipeline, Chill Vendor Collaboration
Trump’s executive order revoking security clearances from SentinelOne over its hiring of former CISA head Chris Krebs is fueling fear in the cybersecurity sector. Experts warn the decision could hinder cybersecurity talent recruitment and public-private partnerships essential to national defense.

Threat Actors Deploy Obfuscation Tactics to Targets Windows Machines
Likely Chinese nation-state hackers are targeting European companies using previously unseen malware backdoor variants with advanced network tunneling and evasion capabilities for data theft. Brussels-based security firm Nviso links the campaign to a threat actor tracked as UNC5221.

Ransomware Gang Qilin Claims to Have 42GB of Practice's Stolen Data
Ransomware group Qilin posted at least 42 gigabytes of data stolen from a Texas pediatric orthopedic practice for sale on its darkweb leak site in February. In recent days, Central Texas Pediatric Orthopedics began notifying more than 140,000 people that their data was compromised by hackers.