Aggregator

A vulnerability, which was classified as problematic, has been found in Apple watchOS. Affected by this vulnerability is an unknown functionality of the component Web Handler. This manipulation causes information disclosure. The identification of this vulnerability is CVE-2025-43227. It is possible to initiate the attack remotely. There is no exploit available. It is advisable to upgrade the affected component.

A vulnerability, which was classified as problematic, was found in Apple iOS and iPadOS. Affected by this issue is some unknown functionality of the component Web Handler. Such manipulation leads to information disclosure. This vulnerability is referenced as CVE-2025-43227. It is possible to launch the attack remotely. No exploit is available. You should upgrade the affected component.

A vulnerability described as problematic has been identified in Apple macOS. This affects an unknown function of the component Web Handler. Executing manipulation can lead to information disclosure. This vulnerability is handled as CVE-2025-43227. The attack can be executed remotely. There is not any exploit available. Upgrading the affected component is recommended.

作者从互联网行业辞职后赴欧洲留学两年，在经济上完全自给自足，并获得了更广阔的眼界和心态上的提升。最终选择留在当地工作。

微软推出虚拟机转换程序，可快速将VMware虚拟机迁移到Hyper-V，适用于企业IT管理员。该程序以扩展形式安装于Windows Admin Center，支持多台虚拟机同时迁移，并保留所有数据。

背景

笔者在2016年11月发现并报告了HP Support Assistant (HPSA) 的权限提升漏洞，HP Product Security Response Team (HP PSRT) 响应迅速，但却以此漏洞可以通过软件的自动更新功能自动修复为由拒绝为其发布安全公告和CVE。4月份想起这件事后，笔者又分析了一遍修补后的HPSA，发现HP的开发人员在修补中犯了更为低级的错误，导致补丁可以被绕过重新实现权限提升。在随后与HP PSRT的沟通与合作中，再一次利用其它技巧绕过了其后续修补，最终笔者协助HP PSRT完成了漏洞的修补。

本文将分析此漏洞的成因及多次补丁绕过，希望能以此为案例提高开发人员对安全的认识和理解，以减少由于对所用技术理解不到位和安全编程意识匮乏而导致的安全漏洞。

2025年度警务融合计算四川省重点实验室开放课题公告

Farmers' Breach Affects 1.1 Million; Aflac Is Still Counting Victims
Two major U.S.-based insurers - Farmers Insurance and Aflac Inc. - have each reported to regulators data breaches involving two recent separate cyberattacks. The breaches follow a spring and summer spree of data exfiltration incidents that hit multiple large players in the insurance sector.

Nevada Grappling with Statewide IT Disruption, Forcing Suspension of Services
Nevada officials are investigating a network security breach that forced state offices to suspend services and knocked key systems offline, including websites and phone lines, though emergency services remain active and no data exposure has been confirmed.

One Prompt Was Enough for AI Agent to Buy, Click and Expose Sensitive Data
AI agents that shop and surf the web on behalf of users are suckers for scams, find security researchers who sicced a fake online story, a phishing email and a fake captcha on Perplexity's AI-powered web browser Comet. The AI's logic was not designed to weigh credibility or risk.

Physical Security Firm Eyes Insider Risk, Federal Growth and AI-Powered Automation
Ontic has raised $230 million in Series C funding to expand its connected intelligence platform and pursue new federal and international markets. The Austin, Texas-based company will invest in AI, integrations and data to strengthen cyber-physical threat detection and automation.

#安全资讯 Docker Desktop 出现重大安全漏洞，恶意容器可以绕过安全防御直接访问宿主机的文件系统，甚至可以完全控制宿主机。目前该漏洞已经在 v4.44.3 版中修复，Win

Sarah Rose Giddings 正在开发多个基于无线电和 SDR 的 Android 项目，包括卫星追踪器、NTSC 发射器、文件共享工具及 Benshi 无线电控制应用，并通过 GitHub 开源代码。她在直播中更新了进展并邀请用户参与 Play Store 测试。

A vulnerability was found in azu request-filtering-agent up to 1.x. It has been declared as critical. This vulnerability affects unknown code. The manipulation results in server-side request forgery. This vulnerability is known as CVE-2025-57814. It is possible to launch the attack remotely. No exploit is available. It is recommended to upgrade the affected component.

A vulnerability was found in TP-Link KP303 Smartplug up to 1.0.x. It has been classified as critical. This affects an unknown part. The manipulation leads to improper access controls. This vulnerability is traded as CVE-2025-8627. Access to the local network is required for this attack to succeed. There is no exploit available. Upgrading the affected component is recommended.

A vulnerability was found in The-Scratch-Channel tsc-web-client up to 1.1 and classified as problematic. Affected by this issue is some unknown functionality of the component POST Request Handler. Executing manipulation can lead to improper input validation. This vulnerability appears as CVE-2025-57805. The attack may be performed from a remote location. There is no available exploit. It is suggested to upgrade the affected component.

A vulnerability has been found in GitHub Enterprise Server up to 3.14.16/3.15.11/3.16.7/3.17.4 and classified as problematic. Affected by this vulnerability is an unknown functionality of the component Compare/Diff. Performing manipulation results in authorization bypass. This vulnerability is reported as CVE-2025-8447. The attack is possible to be carried out remotely. No exploit exists. The affected component should be upgraded.

A vulnerability, which was classified as problematic, was found in mlc-ai xgrammar up to 0.1.20. Affected is an unknown function. Such manipulation leads to uncontrolled recursion. This vulnerability is documented as CVE-2025-57809. The attack can be executed remotely. There is not any exploit available. You should upgrade the affected component.

A vulnerability, which was classified as problematic, has been found in python-hyper h2 up to 4.2.x. This impacts an unknown function of the component HTTP2 Handler. This manipulation causes crlf injection. This vulnerability is registered as CVE-2025-57804. Remote exploitation of the attack is possible. No exploit is available. It is advisable to upgrade the affected component.

error code: 521