Aggregator

Submit #567592 / VDB-199611

A vulnerability has been found in Grafana and classified as problematic. This vulnerability affects unknown code of the component Custom Frontend Plugin. The manipulation leads to cross site scripting. This vulnerability was named CVE-2025-4123. The attack can be initiated remotely. There is no exploit available.

A vulnerability, which was classified as critical, was found in Eventin Plugin up to 4.0.26 on WordPress. This affects the function import_items. The manipulation leads to missing authorization. This vulnerability is uniquely identified as CVE-2025-47539. It is possible to initiate the attack remotely. There is no exploit available.

A vulnerability, which was classified as critical, has been found in TicketBAI Facturas para WooCommerce Plugin up to 3.18 on WordPress. Affected by this issue is some unknown functionality of the file wp-config.php. The manipulation leads to denial of service. This vulnerability is handled as CVE-2025-4564. The attack may be launched remotely. There is no exploit available.

CVE-2024-45436是一个在Ollama软件0.1.47版本之前存在的路径遍历漏洞。该漏洞允许攻击者利用特制的ZIP文件，将文件解压到系统的任意位置，从而可以访问或覆盖系统文件，最终可能导致远程代码执行。

A newly discovered malicious Python package, solana-token, has been weaponized to steal source code and sensitive secrets from developers working on Solana blockchain applications. Uploaded to the Python Package Index (PyPI), the module masqueraded as a legitimate utility for Solana-based projects but harbored code designed to exfiltrate critical data to a remote server. ReversingLabs researchers […]

The post New Weaponized PyPI Package Attacking Developers to Steal Source Code appeared first on Cyber Security News.

安全研究员报告，网名 Machine1337 的黑客正在暗网论坛出售包含 8900 万条 Steam 用户记录的数据库。Valve 官网发表声明，称它检查了泄漏的样本，确认不是来自 Steam 系统。黑客出售的数据库主要是 Steam 用户二步验证短信的旧日志。Valve 称短信在传输过程中是不加密的，在发送到手机过程中会路由经过多个服务提供商，因此确定数据来源有点复杂。泄漏的数据没有将手机号码与 Steam 帐户、密码信息、支付信息或其他个人数据关联起来，因此无法用于入侵用户的账号。用户无需为此更改密码或手机号码。

人工智能技术正以前所未有的速度重塑网络安全领域。作为自然语言处理领域的革命性成果，ChatGPT既为安全防御体系注入新动能，也为网络攻击者提供了新型武器库。

5月13日，该系列课程第五站落地广州市工贸技师学院。活动现场通过“理论精讲+卡牌推演教学”的模式开展教学。

Enterprises should extend deepfake-awareness training and mitigation techniques beyond C-suite executives to address the increasingly likely threat against other roles in the company. 

The post The Growing and Changing Threat of Deepfake Attacks appeared first on Security Boulevard.

讨论了人工智能（AI）在网络安全领域的应用。它涵盖了安全领域的 AI 方法论基础，例如解释性 AI 的挑战和知识发现框架中的安全考虑。内容还包括 AI 在关键基础设施保护中的应用，特别是网络物理系统、中小企业和物流的安全，以及智能电网和移动网络。最后，选集深入探讨了异常检测方法，重点介绍了日志数据中的机器学习技术以及如何使用 AI 检测网络应用程序中的 DAST 攻击。 欢迎收听。今天我们来深入聊人工智能——也就是 AI 在安全这个领域到底是怎样应用的。我们手头有不少资料，主要来自一本叫 《Artificial Intelligence for Security》 的书，里面谈到方法、关键基础设施保护，以及异常检测等等。AI 既可以是保护我们的盾牌，也可能成为新的攻击点。所以今天想帮你梳理一下，让你快速抓住 AI 在安全工坊里扮演什么角色，又面临哪些挑战。准备好了吗？我们这就开始。 ⸻ AI 作为“盾牌”的优势 AI 在提高安全防护能力上的潜力确实不小。书里提到，可以用像 DeepLock 这样的模型去分析系统日志，看是否存在不对劲的行为；也可以用它来保护智能电网、移动网络等复杂系统——也就是所谓的网络物理系统（CPS）。AI 处理大数据的能力很强，能发现人或传统方法难以发现的模式。 ⸻ AI 自身的弱点：对抗性攻击 像所有强大工具一样，AI 自身也有弱点。一个特别突出的就是所谓的对抗性攻击：攻击者只需稍微改动一点输入数据（比如在图片上加人眼几乎看不出的噪点，或对网络信号动手脚）就可能让模型做出完全错误的判断。书里提到的 CW 攻击（Carlini‑Wagner 攻击）就是典型例子——用最小改动让模型把输入误判成攻击者想要的目标。这暴露出许多深度学习模型在鲁棒性上的不足：抵抗干扰或未见过数据的能力较弱。 除了欺骗输入，AI 系统还可能遭遇数据投毒（在训练数据里掺假）或被植入后门，这些都会直接影响模型的准确性和可靠性。 ⸻ 技术之外：人的专业知识不可或缺 资料反复强调，如果脱离人的专业知识，光靠数据科学可能会失之毫厘、谬以千里。数据科学家必须与懂安全场景的领域专家紧密合作，避免出现“测试集分高、实际环境没用”的情况。 ⸻ 可解释性（XAI） 很多 AI 模型像黑箱：只知道输入和输出，不清楚中间如何推理。在金融、医疗和安全等高风险领域，无法接受“说不清理由”的判断。只有弄明白“为什么”才能谈信任和有效实用。 ⸻ 数据准备与隐私 数据准备（尤其是清洗和匿名化）非常重要，却常被忽视。例如 K‑匿名化出发点虽好，但研究发现它有时会严重扭曲数据，导致训练出的模型效果变差，甚至结果难以预测。要在隐私与效用之间权衡。另外，AI 还可能带来偏见（bias）：如果训练数据本身包含现实歧视信息，模型可能放大这种偏见；算法目标设计不当也会埋下隐患。 ⸻ 中小企业的应用性 中小企业资源有限，通常没有专业安全团队，因此工具必须足够简单好用。书里提出 AISUI（人工智能安全工具可用性指数） 来评估工具对非专业用户的友好度；同时 Zero Trust Model（ZTM） 被认为是适合中小企业的思路：默认任何人都不可信，进入系统都需验证身份。 ⸻ 物流行业的新挑战 物流安全面临 IT、OT 和 AI/ML 融合带来的新风险。MITRE 提出 ATLAS 框架，试图分类针对机器学习系统的攻击。但现实看，目前主要威胁仍是勒索软件针对运输与物流 OT 系统。专门针对机器学习组件的攻击（如干扰预测性维护算法或路线优化 AI）理论上可行，但实际案例不多，相关标准也未完善。 ⸻ 差分隐私（Differential Privacy） 差分隐私是一项重要的隐私保护技术：在查询数据时加入数学上精确计算的噪声，让你既能得到有用统计信息，又难以反推出具体个人信息。挑战在于如何准确衡量“保护了多少”。现在指标众多，还没有统一公认的评估方法；在 AI 场景下，还需结合具体攻击模型（如成员推断攻击）进行综合评估。 ⸻ 小结 人工智能为安全领域带来强大的新工具和能力，但也带来新的复杂性和脆弱点，是把双刃剑。想用好这把剑，一方面要提升模型自身的鲁棒性，并让它可解释、可理解；另一方面要重视数据质量和相关伦理规范，最重要的是永远不能脱离人的专业知识和判断。技术最终要服务于人，并且始终在人的掌控之下。 ⸻ 留给你的思考 未来当 AI 在安全决策中扮演的角色越来越重时，人类应如何与这些愈发智能的系统建立真正有效的信任与协作关系？光看技术指标就够吗？还是需要探索更深层次的人机交互模式或新的治理方法，确保 AI 真正安全可靠地帮助我们？

The Linux ecosystem, long celebrated for its open-source ethos and robust security architecture, faces an escalating threat landscape dominated by sophisticated supply chain attacks. Recent incidents, including the near-catastrophic XZ Utils backdoor, malicious Go modules delivering disk-wiping payloads, and compromised PyPI packages, highlight systemic vulnerabilities in software distribution networks. As attackers increasingly exploit trust in […]

The post Linux Security Essentials – Protecting Servers from Supply Chain Attacks appeared first on Cyber Security News.

A vulnerability classified as critical was found in WP Experts File Manager Advanced Shortcode Plugin up to 2.5.4/2.5.6 on WordPress. Affected by this vulnerability is an unknown functionality. The manipulation leads to path traversal. This vulnerability is known as CVE-2024-13914. The attack can be launched remotely. There is no exploit available.

A vulnerability classified as problematic has been found in realme GT 5.0. Affected is an unknown function of the component Setting Handler. The manipulation leads to information disclosure. This vulnerability is traded as CVE-2025-25370. It is possible to launch the attack on the physical device. There is no exploit available.

A vulnerability was found in MutonUfoAI pGina.Fork up to 3.9.9.12. It has been rated as critical. This issue affects some unknown processing of the component HttpAuth Plugin. The manipulation leads to authentication bypass by spoofing. The identification of this vulnerability is CVE-2025-48027. The attack may be initiated remotely. There is no exploit available.

A vulnerability was found in DingTalk Plugin up to 2.7.3 on Jenkins. It has been declared as problematic. This vulnerability affects unknown code of the component TLS Certificate Handler. The manipulation leads to certificate with host mismatch. This vulnerability was named CVE-2025-47888. The attack can be initiated remotely. There is no exploit available.

A vulnerability was found in Cadence vManager Plugin up to 4.0.1-286.v9e25a_740b_a_48 on Jenkins. It has been classified as problematic. This affects an unknown part. The manipulation leads to cross-site request forgery. This vulnerability is uniquely identified as CVE-2025-47886. It is possible to initiate the attack remotely. There is no exploit available.

A vulnerability was found in Health Advisor by CloudBees Plugin up to 358.v58972d19b_1f0/374.v194b_d4f0c8c8 on Jenkins and classified as problematic. Affected by this issue is some unknown functionality of the component Health Advisor Server Response Handler. The manipulation leads to cross site scripting. This vulnerability is handled as CVE-2025-47885. The attack may be launched remotely. There is no exploit available. It is recommended to upgrade the affected component.

In this Help Net Security interview, Anne Sofie Roed Rasmussen, CISO at Novonesis, discusses how a science-driven organization approaches cybersecurity, aligning innovation with protection, measuring cultural progress, managing shadow IT, and earning trust from scientific leaders. How do you measure progress when it comes to building a cybersecurity culture in a science-driven organization? Science, exploration, and innovation are at the heart of our organizational DNA. However, no one is immune to making mistakes—anyone, regardless of … More →

The post Building cybersecurity culture in science-driven organizations appeared first on Help Net Security.

OpenSSL Projectより、OpenSSL Security Advisory [8th September 2023]（POLY1305 MAC implementation corrupts XMM registers on Windows (CVE-2023-4807)）が公開されました。