Aggregator

A vulnerability, which was classified as problematic, was found in Google Tensorflow up to 2.5.2/2.6.2/2.7.0. This affects the function StringNGrams. The manipulation of the argument pad_witdh leads to resource consumption. This vulnerability is uniquely identified as CVE-2022-21733. It is possible to initiate the attack remotely. There is no exploit available. It is recommended to upgrade the affected component.

A vulnerability has been found in Google Tensorflow up to 2.5.2/2.6.2/2.7.0 and classified as critical. This vulnerability affects the function SparseTensorSliceDataset. The manipulation of the argument nullptr leads to null pointer dereference. This vulnerability was named CVE-2022-21736. The attack can be initiated remotely. There is no exploit available. It is recommended to upgrade the affected component.

A vulnerability was found in Google Tensorflow up to 2.5.2/2.6.2/2.7.0 and classified as problematic. This issue affects some unknown processing. The manipulation leads to integer overflow. The identification of this vulnerability is CVE-2022-23567. The attack may be initiated remotely. There is no exploit available. It is recommended to upgrade the affected component.

A vulnerability was found in Google Tensorflow up to 2.5.2/2.6.2/2.7.0. It has been classified as problematic. Affected is the function AddManySparseToTensorsMap. The manipulation leads to integer overflow. This vulnerability is traded as CVE-2022-23568. It is possible to launch the attack remotely. There is no exploit available. It is recommended to upgrade the affected component.

A vulnerability, which was classified as problematic, has been found in Google Tensorflow up to 2.5.2/2.6.2/2.7.0. This issue affects some unknown processing. The manipulation of the argument stride leads to divide by zero. The identification of this vulnerability is CVE-2022-21725. The attack may be initiated remotely. There is no exploit available. It is recommended to upgrade the affected component.

HackerNews 编译，转载请注明出处： 美国福利与薪资解决方案提供商Kelly Benefits（正式名称为Kelly & Associates Insurance Group）近日披露，其此前公布的数据泄露事件影响范围远超最初估计。 这家总部位于美国的公司为企业提供福利管理、薪资处理及劳动力管理解决方案。 2024年12月12日至17日期间，黑客入侵Kelly Benefits系统并窃取敏感个人数据。该公司最初于2025年4月通报称，事件影响近26.4万人，涉及CareFirst、Guardian、Beam Benefits等客户，泄露数据包括姓名、社保号（SSN）、医疗及财务信息。目前受影响人数已升至413,032人，调查仍在进行中。 根据向缅因州总检察长办公室提交的更新文件，Kelly Benefits于2025年5月2日代表其自身及附录A所列实体，向该州额外135名居民寄送通知信。新增受影响者的潜在泄露信息包括姓名、社保号及财务账户信息。至此，缅因州共有7,164名居民收到事件通知。 Kelly Benefits未透露攻击技术细节，目前尚无勒索软件组织宣称对此次入侵负责。该公司正代表CareFirst、Guardian、Beam Benefits等多个客户向受影响个体发送通知。     消息来源： securityaffairs； 本文由 HackerNews.cc 翻译整理，封面来源于网络；  转载请注明“转自 HackerNews.cc”并附上原文

端午礼盒送不停，更有胶卷相机等超级好礼！

端午礼盒送不停，更有胶卷相机等超级好礼！

HackerNews 编译，转载请注明出处： 欧洲知名求职平台beWanted发生重大数据泄露事件，超110万份求职者简历及敏感信息通过未加密的Google云存储桶（GCS）暴露于公网。网络安全媒体Cybernews研究团队于2023年11月发现该漏洞，但多次联系总部位于西班牙马德里的beWanted公司后，数据仍可公开访问。 泄露数据包含： 全名、电话号码、邮箱及家庭住址 出生日期、国籍及出生地 身份证号码（涉及西班牙、阿根廷、危地马拉、洪都拉斯等多国公民） 社交媒体链接、工作经历及教育背景 研究人员指出，每份文件可能对应一名求职者，此次泄露构成重大安全事件。数据至少暴露六个月，网络犯罪分子可能已利用其发起： 身份盗用：伪造合成身份或欺诈账户 精准钓鱼攻击：诱骗受害者泄露金融账户或敏感数据 社交工程攻击：冒充虚假招聘机构渗透职业网络，传播恶意软件或窃取机密 尽管Cybernews已联系beWanted寻求置评，但截至发稿未获回复。该公司自称“全球最大人才库生态”，通过SaaS模式连接求职者与雇主，在墨西哥、德国及英国设有分支机构。 研究团队提出以下防护措施以缓解风险： 限制公开访问：关闭存储桶公共权限，启用“公开访问预防”功能 实施访问控制：基于最小权限原则，仅向授权用户和服务分配必要权限 监控访问活动：启用云审计日志追踪存储桶访问，配置云监控警报响应可疑行为 启用数据加密：激活服务器端静态数据加密，使用Google云密钥管理服务（KMS） 强制安全传输：要求所有数据传输使用SSL/TLS协议，拦截非安全HTTP连接 采纳最佳实践：定期执行权限与配置安全审计，利用Google云安全指挥中心自动化评估 此次事件再次凸显云存储配置失误的破坏力。求职者需警惕异常招聘邀约，企业应强化云环境安全基线，避免成为下一个受害者。       消息来源： cybernews； 本文由 HackerNews.cc 翻译整理，封面来源于网络；  转载请注明“转自 HackerNews.cc”并附上原文

Hackers Bypass MFA to Steal Australians' Banking Credentials
Melbourne-based ANZ Bank will introduce passwordless authentication for digital banking services amid news that hackers have stolen the banking credentials of tens of thousands of Australians. Cybercriminals used infostealer malware to steal the credentials of more than 30,000 Australians.

Critics Say Public Benefit Corporation Model May Undermine AI Safety and Oversight
OpenAI’s nonprofit parent will retain control as its for-profit subsidiary becomes a public benefit corporation. While the company frames the change as mission-driven, critics fear it may strip the nonprofit of meaningful control and expose AGI development to uncontrolled commercial interests.

Hacker Breaches Government-Approved Messaging App Used by Top Trump Officials
A Signal clone messaging app apparently being used by top advisers to U.S. President Donald Trump abruptly went dark Monday following a reported hacking incident. TeleMessage said it temporarily suspended messaging services "out of an abundance of caution."

Huione Group Helped Criminals Launder Over $4 Billion Worth of Cybercrime Proceeds
The U.S. Department of Treasury set in motion a process to ban a Cambodian company's access to the dollar financial system for running a vast illicit marketplace for cybercrime tools and laundering billions of dollars on behalf of North Korean and other cybercrime groups.

HackerNews 编译，转载请注明出处： 网络安全专家指出，《纽约邮报》（New York Post）经过认证的X平台（原Twitter）账户疑似遭劫持，并被用于针对加密货币爱好者。2025年5月3日，Kerberus创始人兼CEO Alex Katz在X平台分享诈骗活动截图，显示@nypost认证账户被用于发送欺诈私信。 诈骗者冒充《纽约邮报》调查记者，以邀请嘉宾参与播客录制为名发送私信：“我们正在为新一期播客招募嘉宾，诚邀您参与录制。” 收到私信的用户若回复，会立即被对方在X平台拉黑，并被要求通过Telegram联系——此举疑似为避免触发《纽约邮报》团队警报，同时将受害者诱骗至Telegram实施加密货币诈骗。 网络安全公司Drew Security创始人、NFT收藏家Drew进一步分析称，此新型骗局利用用户对过往对话的信任，通过私信而非公开推送欺诈广告或恶意链接实施攻击。部分专家推测，攻击者可能试图利用Zoom等流行平台的安全漏洞安装恶意软件。 目前尚不清楚黑客如何获得账户权限及具体联系人数。《纽约邮报》尚未发布官方声明，Cybernews已联系该媒体寻求置评并将更新回应内容。 安全专家建议用户谨慎处理私信，尤其是要求切换至其他平台的请求——即使信息来自可信账户（因任何账户均可能被入侵）。截至发稿，@nypost账户仍可正常访问，但相关欺诈私信已被删除。     消息来源： cybernews； 本文由 HackerNews.cc 翻译整理，封面来源于网络；  转载请注明“转自 HackerNews.cc”并附上原文

A vulnerability classified as critical has been found in Open Design Alliance Drawings SDK up to 2022.12. This affects an unknown part of the component JPG File Handler. The manipulation leads to memory corruption. This vulnerability is uniquely identified as CVE-2022-23095. The attack needs to be approached within the local network. There is no exploit available. It is recommended to upgrade the affected component.

A vulnerability, which was classified as critical, was found in H2 Console. This affects an unknown part of the component JDBC URL Handler. The manipulation leads to argument injection. This vulnerability is uniquely identified as CVE-2022-23221. It is possible to initiate the attack remotely. There is no exploit available. It is recommended to upgrade the affected component.

A vulnerability was found in phpMyAdmin up to 5.0/5.1.1. It has been declared as problematic. Affected by this vulnerability is an unknown functionality of the component Setup. The manipulation leads to cross site scripting. This vulnerability is known as CVE-2022-23808. The attack can be launched remotely. There is no exploit available. It is recommended to upgrade the affected component.

A vulnerability classified as critical has been found in libexpat up to 2.4.3. Affected is the function XML_GetBuffer. The manipulation leads to integer overflow. This vulnerability is traded as CVE-2022-23852. The attack can only be initiated within the local network. There is no exploit available. It is recommended to upgrade the affected component.

A vulnerability, which was classified as critical, was found in GLPI up to 9.5.6. Affected is an unknown function. The manipulation leads to sql injection. This vulnerability is traded as CVE-2022-21720. It is possible to launch the attack remotely. There is no exploit available. It is recommended to upgrade the affected component.

A vulnerability, which was classified as critical, was found in Plone Products.ATContentTypes up to 3.0.5. This affects an unknown part. The manipulation leads to open redirect. This vulnerability is uniquely identified as CVE-2022-23599. It is possible to initiate the attack remotely. There is no exploit available. It is recommended to upgrade the affected component.