Aggregator

A vulnerability classified as critical was found in Mozilla Thunderbird up to 115.5. This vulnerability affects unknown code. The manipulation leads to memory corruption. This vulnerability was named CVE-2023-6864. The attack can be initiated remotely. There is no exploit available. It is recommended to upgrade the affected component.

AI炒作加剧安全人才危机，攻击者占优，防御者疲于应对！

A vulnerability was found in Mozilla Firefox up to 115.5. It has been rated as critical. This issue affects the function nsWindow::PickerOpen of the component Headless Mode. The manipulation leads to heap-based buffer overflow. The identification of this vulnerability is CVE-2023-6861. The attack may be initiated remotely. There is no exploit available. It is recommended to upgrade the affected component.

A vulnerability classified as critical has been found in Mozilla Thunderbird up to 115.5. Affected is the function nsWindow::PickerOpen of the component Headless Mode. The manipulation leads to heap-based buffer overflow. This vulnerability is traded as CVE-2023-6861. It is possible to launch the attack remotely. There is no exploit available. It is recommended to upgrade the affected component.

A vulnerability classified as problematic was found in Mozilla Firefox ESR up to 115.5. Affected by this vulnerability is the function nsDNSService::Init of the component Start-Up. The manipulation leads to use after free. This vulnerability is known as CVE-2023-6862. The attack can be launched remotely. There is no exploit available. It is recommended to upgrade the affected component.

A vulnerability, which was classified as problematic, has been found in Mozilla Thunderbird up to 115.5. Affected by this issue is the function nsDNSService::Init of the component Start-Up. The manipulation leads to use after free. This vulnerability is handled as CVE-2023-6862. The attack may be launched remotely. There is no exploit available. It is recommended to upgrade the affected component.

A vulnerability, which was classified as critical, was found in Mozilla Firefox up to 115.5. This affects the function ShutdownObserver. The manipulation leads to Remote Code Execution. This vulnerability is uniquely identified as CVE-2023-6863. It is possible to initiate the attack remotely. There is no exploit available. It is recommended to upgrade the affected component.

A vulnerability has been found in Sun OpenSolaris and classified as problematic. Affected by this vulnerability is the function vmem_hash_delete of the component Device Driver. The manipulation leads to improper resource management. This vulnerability is known as CVE-2009-0838. Local access is required to approach this attack. There is no exploit available. It is recommended to apply a patch to fix this issue.

A vulnerability was found in IBM Tivoli Storage Manager Hsm 5.5.1.4. It has been classified as very critical. This affects an unknown part. The manipulation leads to memory corruption. This vulnerability is uniquely identified as CVE-2009-0869. It is possible to initiate the attack remotely. There is no exploit available. It is recommended to upgrade the affected component.

A vulnerability was found in Sun Solaris. It has been declared as problematic. This vulnerability affects unknown code. The manipulation leads to improper resource management. This vulnerability was named CVE-2009-0870. An attack has to be approached locally. There is no exploit available. It is recommended to apply a patch to fix this issue.

A vulnerability classified as problematic has been found in Digium Asterisk up to C.2.3. This affects an unknown part. The manipulation leads to improper input validation. This vulnerability is uniquely identified as CVE-2009-0871. It is possible to initiate the attack remotely. There is no exploit available. It is recommended to upgrade the affected component.

A vulnerability was found in Sun OpenSolaris Snv 28. It has been classified as critical. This affects an unknown part. The manipulation leads to race condition. This vulnerability is uniquely identified as CVE-2009-0875. Attacking locally is a requirement. There is no exploit available. It is recommended to apply a patch to fix this issue.

A vulnerability classified as problematic has been found in Jaws 0.6.2. Affected is an unknown function of the file magpie_debug.php. The manipulation of the argument rss_url leads to cross site scripting. This vulnerability is traded as CVE-2005-3955. It is possible to launch the attack remotely. Furthermore, there is an exploit available.

见到过一些中小型互联网，自研SCA扫描工具，仅关注了部分高危的漏洞及对应组件检查，若是这样的话，则需要设置安全能力相关的指标，如已纳入治理的漏洞及组件数量； 其次是覆盖率，对产品线的检测覆盖情况，包括：工具支持扫描的语言类型、已经常态化扫描的产品线数量、已经自动化触发扫描的产品线数量； 最后是修复率，安全工程师推动产线修复漏洞或组件的修复率。 还有最基础的不能丢了，关于SCA 工具的基本运营相关要求，比如规则更新、系统更新、可用性问题，在安全团队中容易被忽视。 更多内容，可以访问： 1、SDL 100问 SDL100问：我与SDL的故事 SAST误报太高，如何解决？ SDL需要哪些人参与？ SDL是否适合互联网公司？ 如何计算安全评审的覆盖率？ 研发安全管理用哪些工具？ 线上系统变更，不安全提测怎么办？ SDL 58/100问：ATT＆CK与SDL能否混搭使用？ 2、SDL创新实践 首发！“ 研发安全运营 ” 架构研究与实践 DevSecOps实施关键：研发安全团队 DevSecOps实施关键：研发安全流程 DevSecOps实施关键：研发安全规范 从安全视角，看研发安全 数字化转型下的研发安全痛点 3、SDL最初实践 【SDL最初实践】开篇 【SDL最初实践】安全培训 【SDL最初实践】安全需求 【SDL最初实践】安全设计 【SDL最初实践】安全开发 【SDL最初实践】安全测试 【SDL最初实践】安全审核 【SDL最初实践】安全响应 4、软件供应链安全 软件供应商面临的攻防实战风险 软件供应商实战对抗十大安全举措 软件供应商攻防常规战之SDL 软件供应链投毒事件应急响应 浅谈企业级供应链投毒应急安全能力建设 5、安全运营实践 基于实践的安全事件简述 安全事件运营SOP：钓鱼邮件 安全事件运营SOP：网络攻击 安全事件运营SOP：蜜罐告警 安全事件运营SOP：webshell事件 安全事件运营SOP：接收漏洞事件 应急响应：redis挖矿（防御篇） 应急响应：redis挖矿（攻击篇） 应急响应：redis挖矿（完结篇） 应急能力提升：实战应急困境与突破 应急能力提升：挖矿权限维持攻击模拟 应急能力提升：内网横向移动攻击模拟 应急能力提升：实战应急响应经验

见到过一些中小型互联网，自研SCA扫描工具，仅关注了部分高危的漏洞及对应组件检查，若是这样的话，则需要设置安全能力相关的指标，如已纳入治理的漏洞及组件数量； 其次是覆盖率，对产品线的检测覆盖情况，包括：工具支持扫描的语言类型、已经常态化扫描的产品线数量、已经自动化触发扫描的产品线数量； 最后是修复率，安全工程师推动产线修复漏洞或组件的修复率。 还有最基础的不能丢了，关于SCA 工具的基本运营相关要求，比如规则更新、系统更新、可用性问题，在安全团队中容易被忽视。 更多内容，可以访问： 1、SDL 100问 SDL100问：我与SDL的故事 SAST误报太高，如何解决？ SDL需要哪些人参与？ SDL是否适合互联网公司？ 如何计算安全评审的覆盖率？ 研发安全管理用哪些工具？ 线上系统变更，不安全提测怎么办？ SDL 58/100问：ATT＆CK与SDL能否混搭使用？ 2、SDL创新实践 首发！“ 研发安全运营 ” 架构研究与实践 DevSecOps实施关键：研发安全团队 DevSecOps实施关键：研发安全流程 DevSecOps实施关键：研发安全规范 从安全视角，看研发安全 数字化转型下的研发安全痛点 3、SDL最初实践 【SDL最初实践】开篇 【SDL最初实践】安全培训 【SDL最初实践】安全需求 【SDL最初实践】安全设计 【SDL最初实践】安全开发 【SDL最初实践】安全测试 【SDL最初实践】安全审核 【SDL最初实践】安全响应 4、软件供应链安全 软件供应商面临的攻防实战风险 软件供应商实战对抗十大安全举措 软件供应商攻防常规战之SDL 软件供应链投毒事件应急响应 浅谈企业级供应链投毒应急安全能力建设 5、安全运营实践 基于实践的安全事件简述 安全事件运营SOP：钓鱼邮件 安全事件运营SOP：网络攻击 安全事件运营SOP：蜜罐告警 安全事件运营SOP：webshell事件 安全事件运营SOP：接收漏洞事件 应急响应：redis挖矿（防御篇） 应急响应：redis挖矿（攻击篇） 应急响应：redis挖矿（完结篇） 应急能力提升：实战应急困境与突破 应急能力提升：挖矿权限维持攻击模拟 应急能力提升：内网横向移动攻击模拟 应急能力提升：实战应急响应经验

A vulnerability, which was classified as critical, was found in Apache Commons Text up to 1.9. Affected is an unknown function of the component Variable Interpolation Handler. The manipulation leads to code injection. This vulnerability is traded as CVE-2022-42889. It is possible to launch the attack remotely. Furthermore, there is an exploit available. It is recommended to upgrade the affected component.

A vulnerability has been found in Mozilla Thunderbird up to 115.5 and classified as critical. This vulnerability affects the function ShutdownObserver. The manipulation leads to Remote Code Execution. This vulnerability was named CVE-2023-6863. The attack can be initiated remotely. There is no exploit available. It is recommended to upgrade the affected component.

A vulnerability was found in Mozilla Firefox up to 120 and classified as critical. This issue affects some unknown processing of the component Typed Array Handler. The manipulation leads to handling of exceptional conditions. The identification of this vulnerability is CVE-2023-6866. The attack may be initiated remotely. There is no exploit available. It is recommended to upgrade the affected component.

A vulnerability classified as critical was found in Mozilla Firefox up to 120. This vulnerability affects unknown code of the component TLS Socket Handler. The manipulation leads to use after free. This vulnerability was named CVE-2023-6859. The attack can be initiated remotely. There is no exploit available. It is recommended to upgrade the affected component.

A vulnerability, which was classified as critical, has been found in Mozilla Thunderbird up to 120. This issue affects some unknown processing of the component TLS Socket Handler. The manipulation leads to use after free. The identification of this vulnerability is CVE-2023-6859. The attack may be initiated remotely. There is no exploit available. It is recommended to upgrade the affected component.