Aggregator

A vulnerability was found in ZZCMS 2022. It has been classified as problematic. Affected is an unknown function of the file /one/siteinfo.php of the component GET Request Handler. The manipulation leads to path traversal. This vulnerability is traded as CVE-2022-40443. The attack needs to be done within the local network. There is no exploit available.

安全测试肯定是可以发现逻辑漏洞，但也肯定会出现遗漏、以及效率不高，因为没有通用的检测工具，大多安全测试都是人工做的，主要依赖于个人思路、经验以及责任心。 最常见的逻辑漏洞就是未授权、越权等导致敏感信息泄露或导致攻击，因此这些漏洞也是企业重点治理的对象。 就小公司而言，可能投入人力做手工测试是不错的方法，最好是不同人员交叉测试；对于大公司来说，技术能力强可以基于业务做检测工具，进行自动化检测建设。两种情况都会出现遗漏，则可以通过运营SRC、做众测等方式，作为内部发现逻辑漏洞的补充，从而达到相对好的治理效果。 更多内容，可以访问： 1、SDL 100问 SDL100问：我与SDL的故事 SAST误报太高，如何解决？ SDL需要哪些人参与？ 如何在隔离环境中修复大量的Java漏洞？ SDL如何做成平台化以及价值？ 安全SDK提供安全API是怎么做的？ SDL 65/100问：对移动客户端做安全测试，哪款工具比较好？ 2、SDL创新实践 首发！“ 研发安全运营 ” 架构研究与实践 DevSecOps实施关键：研发安全团队 DevSecOps实施关键：研发安全流程 DevSecOps实施关键：研发安全规范 从安全视角，看研发安全 数字化转型下的研发安全痛点 一个思考：安全测试驱动产品安全？ 3、SDL最初实践 【SDL最初实践】开篇 【SDL最初实践】安全培训 【SDL最初实践】安全需求 【SDL最初实践】安全设计 【SDL最初实践】安全开发 【SDL最初实践】安全测试 【SDL最初实践】安全审核 【SDL最初实践】安全响应 4、软件供应链安全 软件供应商面临的攻防实战风险 软件供应商实战对抗十大安全举措 软件供应商攻防常规战之SDL 软件供应链投毒事件应急响应 浅谈企业级供应链投毒应急安全能力建设 5、安全运营实践 基于实践的安全事件简述 安全事件运营SOP：钓鱼邮件 安全事件运营SOP：网络攻击 安全事件运营SOP：蜜罐告警 安全事件运营SOP：webshell事件 安全事件运营SOP：接收漏洞事件 应急能力提升：实战应急困境与突破 应急能力提升：挖矿权限维持攻击模拟 应急能力提升：内网横向移动攻击模拟 应急能力提升：实战应急响应经验

CVE-2025-48827 – Critical Unauthenticated API Access in vBulletin

A vulnerability classified as critical has been found in Google Chrome on Android. Affected is an unknown function of the component Messages. The manipulation leads to improper restriction of rendered ui layers. This vulnerability is traded as CVE-2025-5066. It is possible to launch the attack remotely. There is no exploit available. It is recommended to upgrade the affected component.

A vulnerability, which was classified as problematic, has been found in Google Chrome. Affected by this issue is some unknown functionality of the component Background Fetch API. The manipulation leads to permissive cross-domain policy with untrusted domains. This vulnerability is handled as CVE-2025-5064. The attack may be launched remotely. There is no exploit available. It is recommended to upgrade the affected component.

A vulnerability, which was classified as problematic, was found in Google Chrome. This affects an unknown part of the component FileSystemAccess API. The manipulation leads to improper restriction of rendered ui layers. This vulnerability is uniquely identified as CVE-2025-5065. It is possible to initiate the attack remotely. There is no exploit available. It is recommended to upgrade the affected component.

A vulnerability has been found in Google Chrome and classified as problematic. This vulnerability affects unknown code of the component Tab Strip. The manipulation leads to improper restriction of rendered ui layers. This vulnerability was named CVE-2025-5067. The attack can be initiated remotely. There is no exploit available. It is recommended to upgrade the affected component.

A vulnerability was found in EspoCRM up to 6.1.6. It has been declared as problematic. Affected by this vulnerability is an unknown functionality of the component Avatar Image Handler. The manipulation leads to cross site scripting. This vulnerability is known as CVE-2021-3539. The attack can be launched remotely. There is no exploit available. It is recommended to upgrade the affected component.

A vulnerability has been found in PgBouncer up to 1.16.0 and classified as critical. This vulnerability affects unknown code of the component Cert Authentication. The manipulation leads to sql injection. This vulnerability was named CVE-2021-3935. The attack needs to be initiated within the local network. There is no exploit available. It is recommended to upgrade the affected component.

The deal reflects a growing trend in cybersecurity toward consolidation and integration.

The post ZScaler acquires Red Canary for boost in AI-driven security operations appeared first on CyberScoop.

The DragonForce ransomware operation successfully breached a managed service provider and used its SimpleHelp remote monitoring and management (RMM) platform to steal data and deploy encryptors on downstream customers' systems. [...]

Sophos warns that a DragonForce ransomware operator chained three vulnerabilities in SimpleHelp to target a managed service provider. Sophos researchers reported that a DragonForce ransomware operator exploited three chained vulnerabilities in SimpleHelp software to attack a managed service provider. SimpleHelp is a remote support and access software designed for IT professionals and support teams. It […]

Alleged Data Breach of I Paid A Bribe

Though Adidas said that no payment or financial information was affected in the breach, individuals who contacted the compamy's customer service help desk were impacted.

A vulnerability was found in Apache Airflow 2.3.0/2.3.1/2.3.2/2.3.3/2.3.4. It has been classified as problematic. Affected is an unknown function of the component URL Handler. The manipulation leads to information disclosure. This vulnerability is traded as CVE-2022-40604. The attack needs to be initiated within the local network. There is no exploit available. It is recommended to apply a patch to fix this issue.

A vulnerability was found in Apache Airflow 2.3.0/2.3.1/2.3.2/2.3.3/2.3.4. It has been declared as problematic. Affected by this vulnerability is an unknown functionality of the file /confirm. The manipulation leads to open redirect. This vulnerability is known as CVE-2022-40754. Access to the local network is required for this attack. There is no exploit available. It is recommended to apply a patch to fix this issue.

A vulnerability, which was classified as problematic, was found in XPDF 4.04. This affects an unknown part of the file FoFiType1C.cc. The manipulation leads to null pointer dereference. This vulnerability is uniquely identified as CVE-2022-38928. It is possible to initiate the attack remotely. There is no exploit available.

A vulnerability was found in Erlang OTP up to 23.3.4.14/24.3.4.1/25.0.1. It has been classified as critical. Affected is an unknown function of the component Client Authentication Handler. The manipulation leads to improper authentication. This vulnerability is traded as CVE-2022-37026. The attack can only be done within the local network. There is no exploit available. It is recommended to upgrade the affected component.

A vulnerability was found in Craft CMS 4.2.0.1. It has been declared as problematic. Affected by this vulnerability is an unknown functionality of the file src/web/assets/cp/src/js/BaseElementSelectInput.js. The manipulation of the argument elementInfo.label leads to cross site scripting. This vulnerability is known as CVE-2022-37246. The attack can be launched remotely. There is no exploit available. It is recommended to apply a patch to fix this issue.

A vulnerability was found in Keylime up to 6.2.x. It has been rated as critical. Affected by this issue is some unknown functionality. The manipulation leads to authentication bypass by spoofing. This vulnerability is handled as CVE-2021-43310. The attack may be launched remotely. There is no exploit available. It is recommended to upgrade the affected component.