Aggregator

A vulnerability was found in Apple watchOS. It has been classified as critical. This affects an unknown part of the component URL Protocol Handler. The manipulation leads to enforcement of behavioral workflow. This vulnerability is uniquely identified as CVE-2024-44206. It is possible to initiate the attack remotely. There is no exploit available. It is recommended to upgrade the affected component.

A vulnerability was found in Apple macOS. It has been declared as critical. This vulnerability affects unknown code of the component URL Protocol Handler. The manipulation leads to enforcement of behavioral workflow. This vulnerability was named CVE-2024-44206. The attack can be initiated remotely. There is no exploit available. It is recommended to upgrade the affected component.

Биткоин, эфир и ещё три цифровые валюты станут частью национального достояния США.

攻击者通过注入脚本实施多阶段控制，严重威胁Web安全，需立即修复漏洞。

A vulnerability, which was classified as critical, was found in Netscape Communicator 4.06/4.5/4.6/4.51/4.61. This affects an unknown part of the component EMBED Element Handler. The manipulation leads to memory corruption. This vulnerability is uniquely identified as CVE-1999-0685. It is possible to initiate the attack remotely. Furthermore, there is an exploit available. It is recommended to upgrade the affected component.

KRBJack This tool can be used to abuse the dangerous ZONE_UPDATE_UNSECURE flag on DNS main domain zone in an Active Directory. This flag when set allows anyone unauthenticated to update, add and remove DNS records anonymously....

The post krbjack: A Kerberos AP-REQ hijacking tool appeared first on Penetration Testing Tools.

A vulnerability was found in Apple Safari. It has been rated as critical. This issue affects some unknown processing of the component URL Protocol Handler. The manipulation leads to enforcement of behavioral workflow. The identification of this vulnerability is CVE-2024-44206. The attack may be initiated remotely. There is no exploit available. It is recommended to upgrade the affected component.

A vulnerability classified as critical has been found in Apple iOS and iPadOS. Affected is an unknown function of the component URL Protocol Handler. The manipulation leads to enforcement of behavioral workflow. This vulnerability is traded as CVE-2024-44206. It is possible to launch the attack remotely. There is no exploit available. It is recommended to upgrade the affected component.

A vulnerability classified as critical was found in Apple tvOS. Affected by this vulnerability is an unknown functionality of the component URL Protocol Handler. The manipulation leads to enforcement of behavioral workflow. This vulnerability is known as CVE-2024-44206. The attack can be launched remotely. There is no exploit available. It is recommended to upgrade the affected component.

A vulnerability, which was classified as critical, has been found in Apple visionOS. Affected by this issue is some unknown functionality of the component URL Protocol Handler. The manipulation leads to enforcement of behavioral workflow. This vulnerability is handled as CVE-2024-44206. The attack may be launched remotely. There is no exploit available. It is recommended to upgrade the affected component.

A vulnerability, which was classified as problematic, has been found in baserCMS up to 5.1.1. This issue affects some unknown processing of the component Blog Posts/Contents List. The manipulation leads to cross site scripting. The identification of this vulnerability is CVE-2024-46994. The attack may be initiated remotely. There is no exploit available. It is recommended to upgrade the affected component.

A vulnerability, which was classified as problematic, was found in baserCMS up to 5.1.1. Affected is an unknown function of the component HTTP 400 Bad Request Handler. The manipulation leads to cross site scripting. This vulnerability is traded as CVE-2024-46995. It is possible to launch the attack remotely. There is no exploit available. It is recommended to upgrade the affected component.

A vulnerability has been found in baserCMS up to 5.1.1 and classified as problematic. Affected by this vulnerability is an unknown functionality of the component Blog Posts. The manipulation leads to cross site scripting. This vulnerability is known as CVE-2024-46996. The attack can be launched remotely. There is no exploit available. It is recommended to upgrade the affected component.

rayder Rayder is a command-line tool designed to simplify the orchestration and execution of workflows. It allows you to define a series of modules in a YAML file, each consisting of commands to be...

The post rayder: A lightweight tool for orchestrating and organizing your command-line workflows appeared first on Penetration Testing Tools.

Frelatage Frelatage is a coverage-based Python fuzzing library which can be used to fuzz python code. The development of Frelatage was inspired by various other fuzzers, including AFL/AFL++, Atheris, and PythonFuzz. The main purpose of the project is...

The post Frelatage: coverage-based Python fuzzing library appeared first on Penetration Testing Tools.

HackerNews 编译，转载请注明出处： 据国际特赦组织的一份新报告，一名 23 岁的塞尔维亚青年活动人士的安卓手机成为 Cellebrite 开发的零日漏洞的目标，该漏洞被用于解锁其设备。 “一名学生抗议者的安卓手机被一个针对安卓 USB 驱动程序的复杂零日漏洞链利用并解锁，该漏洞链由 Cellebrite 开发，” 这家国际非政府组织表示，并补充说该漏洞的痕迹是在 2024 年年中的一起单独案件中发现的。 此次漏洞事件涉及的漏洞是 CVE-2024-53104（CVSS 评分：7.8），这是一个名为 USB 视频类（UVC）驱动程序的内核组件中的提权漏洞。2024 年 12 月，Linux 内核发布了该漏洞的补丁，并于本月早些时候在安卓系统中得到修复。 据悉，CVE-2024-53104 被与其他两个漏洞结合使用——CVE-2024-53197 和 CVE-2024-50302，这两个漏洞已在 Linux 内核中得到解决，但尚未包含在安卓安全公告中。 CVE-2024-53197（CVSS 评分：暂无）：Extigy 和 Mbox 设备的越界访问漏洞 CVE-2024-50302（CVSS 评分：5.5）：一个未初始化资源使用漏洞，可用于泄露内核内存 “该针对 Linux 内核 USB 驱动程序的漏洞利用使 Cellebrite 的客户能够在拥有物理访问权限的情况下，绕过安卓手机的锁屏并获得设备的特权访问权限，” 国际特赦组织表示。 “此案例突显了现实世界中的攻击者如何利用安卓的 USB 攻击面，利用 Linux 内核中支持的广泛传统 USB 内核驱动程序。” 这名活动人士化名为 “Vedran”，以保护其隐私。2024 年 12 月 25 日，他参加了一场在贝尔格莱德的学生抗议活动后，被带往警察局，手机被没收。 国际特赦组织的分析发现，该漏洞被用于解锁他的三星 Galaxy A32 手机，当局试图安装一个未知的安卓应用程序。尽管该安卓应用程序的确切性质尚不清楚，但其操作方式与 2024 年 12 月中旬报告的 NoviSpy 间谍软件感染一致。 本周早些时候，Cellebrite 表示，其工具并非旨在促进任何类型的进攻性网络活动，并且公司积极遏制其技术的滥用。 这家以色列公司还表示，将不再允许塞尔维亚使用其软件，称 “我们认为此时停止相关客户使用我们的产品是合适的。”   消息来源：The Hacker News；  本文由 HackerNews.cc 翻译整理，封面来源于网络；   转载请注明“转自 HackerNews.cc”并附上原文

HackerNews 编译，转载请注明出处： Firefox 浏览器制造商 Mozilla 在上周五一周内第二次更新其使用条款，此前因条款中出现的宽泛语言似乎赋予该公司对用户上传所有信息的权利而受到批评。 修订后的使用条款现声明： 您授予 Mozilla 运行 Firefox 所需的权利。这包括按照 Firefox 隐私声明中所述处理您的数据。这也包括为了按照您在 Firefox 中输入内容的请求而授予的非独占、免版税、全球范围的许可。但这并不授予 Mozilla 对该内容的所有权。 此前，该条款于 2 月 26 日生效的版本声明： 当您通过 Firefox 上传或输入信息时，您在此授予我们非独占、免版税、全球范围的许可，以使用该信息帮助您按照您使用 Firefox 的方式浏览、体验和互动在线内容。 此举发生在该公司首次推出 Firefox 使用条款以及更新隐私声明几天之后，后者旨在让用户更清楚地了解其数据处理方式。 Mozilla 产品副总裁阿吉特・瓦尔马在一份声明中表示：“我们一直在倾听我们社区对使用条款某些部分的担忧，特别是关于许可的问题。我们的初衷只是尽可能清楚地说明我们如何让 Firefox 正常运行，但在这样做的过程中，我们也造成了一些困惑和担忧。” Mozilla 强调，它不会出售或购买用户数据，并且之所以做出这些更改，是因为某些司法管辖区对 “出售” 一词的定义比其他地区更广泛，涵盖了消费者个人信息与另一方交换金钱或其他利益的各种方式。 此外，Mozilla 指出，它已经收集并与合作伙伴共享一些数据，这些数据来自新标签页上的可选广告以及搜索栏中的赞助建议，以此保持 “商业可行性”。 Mozilla 还指出，虽然它不会访问用户通过侧边栏（以及通过快捷方式）启用的第三方人工智能（AI）聊天机器人的对话，但它确实收集有关此功能使用情况的技术和互动数据，以帮助改进 Firefox 浏览器。 这包括每个第三方聊天机器人提供商被选择的频率、建议提示被使用的频率以及所选文本的长度。 “每当我们与合作伙伴共享数据时，我们会投入大量精力确保我们共享的数据被剥离了潜在的识别信息，或者仅以汇总形式共享，或者通过我们的隐私保护技术（如 OHTTP）进行处理，” 瓦尔马说道。 对 Mozilla 使用条款的反对紧随谷歌新的广告跟踪政策之后，该政策引起了监管机构和监督机构的审查，他们表示这引发了隐私担忧。 于 2025 年 2 月 16 日生效的广告平台计划政策允许使用 IP 地址对用户进行指纹识别，并在无需重新识别的情况下跨平台追踪用户。英国信息专员办公室（ICO）称其为 “不负责任” 的改变。 ICO 在一份声明中表示：“寻求部署指纹识别技术用于广告的组织需要证明他们如何遵守数据保护法的要求。这些要求包括向用户提供透明度、确保自由给予的同意、确保公平处理以及维护诸如擦除权之类的信息权利。”   消息来源：The Hacker News；  本文由 HackerNews.cc 翻译整理，封面来源于网络；   转载请注明“转自 HackerNews.cc”并附上原文

近日，以“洞见未来”为主题的山石网科2025新春媒体会暨DeepSeek大模型应用一体机发布会在北京圆满落幕。 […]

新闻速览 •工信部CSTIS提醒：防范ValleyRAT恶意软件新变种风险 •新型nRootTag攻击曝光，1 […]

随着人工智能技术的不断发展，近期，以DeepSeek为代表的国产大模型部署数量呈指数级增长，拥有特色数据的企事 […]