Aggregator

“2024中国数据安全企业全景图&典型安全产品案例集”即将正式对外发布。

SP 800-63-4 знаменует новую эру стандартов цифровой идентификации.

A vulnerability has been found in jpress up to 5.1.1 and classified as critical. Affected by this vulnerability is an unknown functionality of the file /admin/template/edit of the component Template Module Handler. The manipulation leads to path traversal. This vulnerability is known as CVE-2024-8304. The attack can be launched remotely. Furthermore, there is an exploit available.

近日，谷歌公司宣布通过其漏洞奖励计划报告的Google Chrome单一漏洞的最高奖励金额已超过25万美元。 从8月28日起，谷歌将根据研究人员报告的漏洞质量来对内存损坏漏洞加以区分。奖励金额将从展示Chrome内存损坏和堆栈跟踪的基线报告显著提升至通过功能性漏洞展示远程代码执行的高质量报告。 Chrome 安全工程师 Amy Ressler 表示：现在是时候改进 Chrome VRP 奖励和金额了，以便为向我们报告漏洞的安全研究人员提供改进的结构和更明确的期望，并激励对 Chrome 漏洞进行高质量报告和更深入的研究，探索它们的全部影响和可利用潜力。 对于在非沙盒过程中展示远程代码执行（RCE）的单一问题，最高奖励金额可达25万美元。如果这种RCE能够在不损害渲染器的情况下实现，奖励金额甚至可能更高。 此外，谷歌还将MiraclePtr绕过奖励的金额增加了一倍多，从10万美元提升至25万美元。 Google 还会根据漏洞的质量、影响和对 Chrome 用户的潜在危害，将其他类别的漏洞报告归类为以下类别并给予奖励： 影响较小：可利用的可能性低、利用的先决条件重要、攻击者控制力低、用户危害风险/可能性低 中等影响：利用的先决条件中等，攻击者控制程度一般 高影响：可利用性的直接路径、可证明和重大的用户危害、远程可利用性、利用前提条件低 Ressler 表示：当所有报告包含适用的特征时，它们仍然有资格获得奖金奖励。我们将继续探索更多的实验性奖励机会，类似于之前的全链漏洞利用奖励，并以更好地服务于安全社区的方式发展我们的计划。没有证明安全影响或潜在用户伤害的报告，或者纯粹是理论或推测问题的报告，不太可能有资格获得 VRP 奖励。 本月早些时候，谷歌还宣布，由于可操作漏洞报告数量的减少，其Play安全奖励计划将在8月31日关闭新报告的提交。 7月，谷歌启动了kvmCTF，这是一个新的漏洞奖励计划，旨在提高基于内核的虚拟机（KVM）管理程序的安全性，为完整的VM逃逸漏洞提供高达25万美元的奖励。 自2010年推出漏洞奖励计划以来，谷歌已向报告超过1.5万名漏洞安全研究人员支付了超过5000万美元的奖励。   转自FreeBuf，原文链接：https://www.freebuf.com/news/409700.html 封面来源于网络，如有侵权请联系删除

error code: 521

A vulnerability, which was classified as problematic, was found in Gutentor Plugin up to 3.3.5 on WordPress. Affected is an unknown function of the component Block Option Handler. The manipulation leads to cross site scripting. This vulnerability is traded as CVE-2024-5417. It is possible to launch the attack remotely. There is no exploit available. It is recommended to upgrade the affected component.

A vulnerability, which was classified as problematic, has been found in Page Builder Gutenberg Blocks Plugin up to 3.1.12 on WordPress. This issue affects some unknown processing of the component Block Handler. The manipulation leads to cross site scripting. The identification of this vulnerability is CVE-2024-7132. The attack may be initiated remotely. There is no exploit available. It is recommended to upgrade the affected component.

A vulnerability classified as problematic was found in Viral Signup Plugin up to 2.1 on WordPress. This vulnerability affects unknown code of the component Setting Handler. The manipulation leads to cross site scripting. This vulnerability was named CVE-2024-6927. The attack can be initiated remotely. There is no exploit available.

Submit #396425 / VDB-276079

A vulnerability classified as critical has been found in dingfanzu CMS up to 29d67d9044f6f93378e6eb6ff92272217ff7225c. This affects an unknown part of the file /ajax/getBasicInfo.php. The manipulation of the argument username leads to sql injection. This vulnerability is uniquely identified as CVE-2024-8303. It is possible to initiate the attack remotely. Furthermore, there is an exploit available. The vendor was contacted early about this disclosure but did not respond in any way. This product does not use versioning. This is why information about affected and unaffected releases are unavailable.

A vulnerability was found in dingfanzu CMS up to 29d67d9044f6f93378e6eb6ff92272217ff7225c. It has been rated as critical. Affected by this issue is some unknown functionality of the file /ajax/chpwd.php. The manipulation of the argument username leads to sql injection. This vulnerability is handled as CVE-2024-8302. The attack may be launched remotely. Furthermore, there is an exploit available. The vendor was contacted early about this disclosure but did not respond in any way. Continious delivery with rolling releases is used by this product. Therefore, no version details of affected nor updated releases are available.

A vulnerability was found in dingfanzu CMS up to 29d67d9044f6f93378e6eb6ff92272217ff7225c. It has been declared as critical. Affected by this vulnerability is an unknown functionality of the file /ajax/checkin.php. The manipulation of the argument username leads to sql injection. This vulnerability is known as CVE-2024-8301. The attack can be launched remotely. Furthermore, there is an exploit available. The vendor was contacted early about this disclosure but did not respond in any way. This product takes the approach of rolling releases to provide continious delivery. Therefore, version details for affected and updated releases are not available.

In Litouwen werd weer volop geoefend. Zoals het afvoeren van gewond geraakte infanteristen na een drone-aanval. Een overzicht van Defensieoperaties in de week van 21 tot en met 27 augustus 2024. Dit is vanwege de storing later gepubliceerd.

Мессенджер может столкнуться с санкциями за нарушение европейских правил.

8月27日，外媒BleepingComputer报道，黑客组织Volt Typhoon（伏特台风）利用Versa Director零日漏洞上传自定义Webshell，窃取凭据并破坏美国公司网络。

一种名为 Styx Stealer 的新网络安全威胁已经出现。

与韩国有关的网络间谍组织APT-C-60利用金山WPS Office软件中的一个关键远程代码执行漏洞（CVE-2024-7262），CVSS评分为9.3，部署了名为SpyGlace的独特后门。

8月27日，外媒BleepingComputer报道，黑客组织Volt Typhoon（伏特台风）利用Versa Director零日漏洞上传自定义Webshell，窃取凭据并破坏美国公司网络。本周周

一种名为 Styx Stealer 的新网络安全威胁已经出现。它可以在使用频繁网络浏览器中窃取敏感数据（例如已保存的密码、cookie 和自动填充信息）来锁定用户。该恶意软件影响涉及到 Chromiu