Aggregator

供应链风险情报预警！悬镜供应链安全情报中心在NPM官方仓库中捕获一起针对NodeJS开发者开展远控攻击的组件投毒事件。

供应链风险情报预警！悬镜供应链安全情报中心在NPM官方仓库中捕获一起针对NodeJS开发者开展远控攻击的组件投毒事件。

供应链风险情报预警！悬镜供应链安全情报中心在NPM官方仓库中捕获一起针对NodeJS开发者开展远控攻击的组件投毒事件。

SBOM情报概述Summary上周（2024.01.08），悬镜供应链安全情报中心在NPM官方仓库（www.npmjs.com）中捕获一起针对NodeJS开发者开展远控攻击的组件投毒事件。投毒者在连续

A vulnerability was found in WuKongOpenSource WukongCRM 72crm_9.0.1_20191202. It has been declared as critical. Affected by this vulnerability is the function parseObject of the component fastjson. The manipulation leads to deserialization. This vulnerability is known as CVE-2024-23052. The attack can be launched remotely. There is no exploit available.

A vulnerability was found in http-swagger up to 1.2.5. It has been classified as problematic. This affects an unknown part of the component HTTP PUT Method Handler. The manipulation leads to cross site scripting. This vulnerability is uniquely identified as CVE-2024-25712. It is possible to initiate the attack remotely. Furthermore, there is an exploit available. It is recommended to upgrade the affected component.

A vulnerability classified as problematic has been found in ThemeIsle Orbit Fox Plugin up to 2.10.30 on WordPress. This affects an unknown part. The manipulation leads to cross site scripting. This vulnerability is uniquely identified as CVE-2024-1323. It is possible to initiate the attack remotely. There is no exploit available.

A vulnerability was found in Vyper up to 0.3.10. It has been rated as critical. This issue affects the function _abi_decode. The manipulation leads to memory corruption. The identification of this vulnerability is CVE-2024-26149. The attack may be initiated remotely. There is no exploit available.

A vulnerability was found in Yuki Plugin up to 1.3.13 on WordPress. It has been declared as critical. This vulnerability affects unknown code of the component Theme Setting Handler. The manipulation leads to missing authorization. This vulnerability was named CVE-2024-1388. The attack can be initiated remotely. There is no exploit available.

A vulnerability classified as critical has been found in Seraphinite Accelerator Plugin up to 2.20.52 on WordPress. Affected is the function OnAdminApi_HtmlCheck. The manipulation leads to server-side request forgery. This vulnerability is traded as CVE-2024-1568. The attack can only be initiated within the local network. There is no exploit available.

A vulnerability was found in F-logic DataCube3 1.0. It has been rated as critical. This issue affects some unknown processing of the component Filename Extension Handler. The manipulation leads to unrestricted upload. The identification of this vulnerability is CVE-2024-25832. The attack may be initiated remotely. Furthermore, there is an exploit available.

A vulnerability, which was classified as problematic, has been found in Axiomatic Bento4 1.5.1-628. Affected by this issue is the function AP4_Movie::AP4_Movie of the component MP4 File Handler. The manipulation leads to denial of service. This vulnerability is handled as CVE-2024-24155. Access to the local network is required for this attack to succeed. There is no exploit available.

A vulnerability classified as problematic has been found in Couchbase Server up to 7.2.3. This affects an unknown part of the file goxdcr.log. The manipulation leads to sensitive information in log files. This vulnerability is uniquely identified as CVE-2024-23302. Access to the local network is required for this attack to succeed. There is no exploit available. It is recommended to upgrade the affected component.

A vulnerability, which was classified as problematic, has been found in Apache Xerces C++ up to 3.2.2. This issue affects some unknown processing of the component External DTD Scanning. The manipulation leads to use after free. The identification of this vulnerability is CVE-2024-23807. The attack needs to be approached within the local network. There is no exploit available. It is recommended to upgrade the affected component.

HackerNews 编译，转载请注明出处： 一款在一百多万个WordPress网站上安装的W3 Total Cache插件存在严重漏洞，可能使攻击者获取包括云端应用元数据在内的多种信息。 W3 Total Cache插件采用多种缓存技术，旨在优化网站速度、减少加载时间并提升SEO排名。 尽管开发者已在最新版本中发布了修复程序，但该漏洞（CVE-2024-12365）仍未被数十万网站所安装的版本所修复。 Wordfence指出，该安全问题源于直至最新版本2.8.2的所有版本中，“is_w3tc_admin_page”函数缺少功能检查。这一缺陷使得攻击者可访问插件的安全nonce值并执行未授权操作。 若攻击者已通过身份验证并至少拥有订阅者级别的权限（这一条件极易满足），则可能利用该漏洞。 CVE-2024-12365漏洞被利用的主要风险包括： 服务器端请求伪造（SSRF）：发出可能暴露敏感数据的网络请求，包括云端应用的实例元数据 信息泄露 服务滥用：消耗缓存服务限额，影响网站性能并可能增加成本 就该漏洞的实际影响而言，攻击者可利用网站基础设施向其他服务发出代理请求，并利用收集到的信息发动进一步攻击。 受影响用户应采取的最佳行动是升级到W3 Total Cache的最新版本2.8.2，该版本已修复此漏洞。 根据wordpress.org的下载统计数据显示，开发者发布最新更新后，约有15万个网站安装了该插件，仍有数十万个WordPress网站存在漏洞风险。 一般建议网站所有者避免安装过多插件，并弃用非必需产品。 此外，部署Web应用防火墙也大有裨益，因为它可以识别和阻止利用尝试。   消息来源：Bleeping Computer, 编译：zhongx；  本文由 HackerNews.cc 翻译整理，封面来源于网络；   转载请注明“转自 HackerNews.cc”并附上原文

error code: 521

[This is a Guest Diary by Alex Sanders, an ISC intern as part of the SANS.edu BACS program]Introd

#系统资讯 微软开始在 Windows 11 中测试新版管理员保护功能，当你同事准备在你电脑上安装大数字浏览器时就会被拦截。管理员保护类似 macOS 的敏感操作验证，安装 / 卸载软

Table of LinksAbstract and 1 Introduction2 Background3 On the slow growth law4 Members of Deep Π