Aggregator

Submit #622194 / VDB-318679

Submit #622187 / VDB-318678

Submit #622186 / VDB-318677

Submit #622180 / VDB-318676

Submit #622179 / VDB-318675

Jen Easterly, a West Point graduate who led CISA during the Biden Administration, had her appointment to head a department at the academy rescinded after a complaint by Laura Loomer, a right-wing MAGA adherent who spoke out in a X posting to Defense Secretary Pete Hegseth.

The post Ex-CISA Head Easterly: Rescinded West Point Post Victim of ‘Manufactured Outrage’ appeared first on Security Boulevard.

Jen Easterly曾担任美国网络安全机构CISA负责人，在拜登政府工作三年后被撤销西点军校教职。右翼人物Laura Loomer指控她利用职位压制特朗普支持者，并质疑她在特朗普政府中获得高职位的问题。陆军部长随后撤销了她的职位。Easterly认为这是党派斗争的结果，损害了军队的信任基础，并强调军校应保持非政治化。此外，特朗普一直批评CISA偏离核心任务，并试图削减其预算。

A vulnerability was found in Schben Adive 2.0.7. It has been rated as problematic. This issue affects some unknown processing of the file Internal/Views/config.php. The manipulation leads to cross-site request forgery. The identification of this vulnerability is CVE-2019-14346. The attack may be initiated remotely. Furthermore, there is an exploit available.

A vulnerability classified as critical has been found in Schben Adive 2.0.7. Affected is an unknown function of the file Internal/Views/addUsers.php. The manipulation leads to improper access controls. This vulnerability is traded as CVE-2019-14347. It is possible to launch the attack remotely. Furthermore, there is an exploit available.

A vulnerability classified as critical has been found in WordPress up to 5.0.0. Affected is an unknown function of the file jpg?file.php. The manipulation with the input jpg?file.php as part of String leads to code injection. This vulnerability is traded as CVE-2019-8942. It is possible to launch the attack remotely. Furthermore, there is an exploit available. It is recommended to upgrade the affected component.

A vulnerability classified as critical was found in WordPress up to 5.0.3. Affected by this vulnerability is the function wp_crop_image. The manipulation with the input .jpg?/../../file.jpg as part of String leads to path traversal. This vulnerability is known as CVE-2019-8943. The attack can be launched remotely. Furthermore, there is an exploit available.

A vulnerability has been found in 1CRM On-Premise Software 8.5.7 and classified as problematic. Affected by this vulnerability is an unknown functionality of the component Run Report. The manipulation leads to cross site scripting. This vulnerability is known as CVE-2019-14221. The attack can be launched remotely. Furthermore, there is an exploit available.

A vulnerability was found in TeemIp up to 2.3.x. It has been classified as critical. This affects an unknown part of the file exec.php. The manipulation of the argument new_config as part of Parameter leads to command injection. This vulnerability is uniquely identified as CVE-2019-10863. It is possible to initiate the attack remotely. Furthermore, there is an exploit available. It is recommended to upgrade the affected component.

Each Monday, the Tenable Exposure Management Academy provides the practical, real-world guidance you need to shift from vulnerability management to exposure management. In this post, we look at the results of a survey taken during a recent Tenable webinar on the level of familiarity with exposure management. You can read the entire Exposure Management Academy series here.

For decades, the foundation of many security programs has been a familiar cycle: scan, patch, repeat. 

This has been a necessary, if often overwhelming, part of cyber hygiene. But in an era of interconnected systems and multi-faceted attacks, simply counting vulnerabilities is no longer enough. 

Amid this industry shift, a poll during a recent Tenable webinar, Security Without Silos: Gain Real Risk Insights with Exposure Management Upsized, showed that nearly half of all organizations are actively exploring or implementing a more advanced approach: exposure management.

Familiarity with exposure management

Source: Tenable webinar poll of 85 respondents, April 2025

When asked about their familiarity with exposure management, attendees painted a clear picture of a community on a journey. 

Nearly half of all attendees are already in the process of implementing or understanding the concepts behind what exposure management is, while another 40% are just getting familiarized with it. This means the majority of respondents are moving away from legacy, siloed methods. With many on this path, it's critical to understand the destination: a truly unified, proactive, and intelligent view of risk.

Moving beyond silos

But what does this next evolution of security actually look like in practice? 

What becomes possible when you move beyond siloed vulnerability scans and create a truly unified view of risk? With exposure management, you can finally start asking the critical questions that were previously impossible to answer.

The journey begins with a foundational shift: moving from disparate lists of assets to a single, unified and deduplicated inventory. This isn't just a list of IPs and hostnames. A true exposure management platform creates a rich, contextualized view by aggregating data from all of your sensing tools — including those from Tenable as well as third-party, cloud, identity and OT systems. 

This unified inventory becomes the canvas upon which you can paint a complete picture of your attack surface. 

With the ability to separate the signal from the noise, you can move beyond simple vulnerability queries and start investigating complex, multi-domain risk scenarios. Plus, you’ll be able to prioritize the list of truly critical exposures so that your IT and dev teams will have a manageable workload. This is where the strategic value of exposure management becomes clear. As the webinar discussed, a unified platform enables you to ask questions that cut across traditional security silos to find toxic risk combinations. 

Imagine asking your security tools a question like this: "Show me all user accounts with breached passwords that are actively logging into devices that also have actively exploitable vulnerabilities."

The difference between data and intelligence

This single question connects three distinct domains: identity exposure (breached passwords), device access (login activity) and IT vulnerability management (exploitable CVEs). But answering the question is impossible when your identity tools don't talk to your vulnerability scanner. 

In a unified exposure management platform, this query is simple and can immediately reveal high-risk scenarios where a compromised identity has a direct path to vulnerable, exploitable assets. This is the difference between raw data and rich intelligence.

The goal is to see your organization not as you've built it, but as an attacker sees it — as a web of interconnected opportunities. The most powerful capability of a mature exposure management program is the ability to visualize these connections as potential attack paths. The webinar showcased a compelling example of this in action. 

The platform identified an externally facing asset in the cloud, discovered via an attack surface management scan. It then showed how an attacker could use remote desktop protocol on that machine to pivot to an internal subnet and compromise a critical email server that was vulnerable to a specific CVE.

This isn't a theoretical exercise. It’s a visual, evidence-based map of a likely breach path, constructed by automatically connecting the dots between your cloud, network and vulnerability data. Seeing this allows you to move upstream and proactively sever the connection — disabling a service, patching the vulnerability, or hardening the cloud instance — before an attacker ever gets the chance to exploit it.

Takeaways

True exposure management is not about getting a better list of problems to fix. 

It’s about achieving a comprehensive understanding of the relationships between your assets and exposures. It transforms security from a reactive, volume-based patching operation into a proactive, intelligence-driven function that precisely identifies and neutralizes the most critical threats to your business.

Learn more

• Check out the Tenable exposure management resource center to discover the value of exposure management and explore resources to help you stand up a continuous threat exposure management program.

The White House's "America's AI Action Plan" aims to accelerate innovation, but for software development, speed must not compromise security. Nathan Jones, VP of Public Sector at Sonar, explores the recently published plan, risks of AI-generated code, and explains how static analysis tools help ensure AI adoption is both fast and secure.

The post Sonar’s Take: Software Development Under America’s AI Action Plan appeared first on Security Boulevard.

Perplexity is repeatedly modifying their user agent and changing IPs and ASNs to hide their crawling activity, in direct conflict with explicit no-crawl preferences expressed by websites.

文章指出开源软件仓库被滥用为恶意软件传播渠道的趋势持续存在。2025年第二季度数据显示，攻击者通过NPM和PyPI包进行数据窃取等行为依然频繁。攻击者采用最小化代码 footprint、利用安装脚本及混淆技术等方式隐藏恶意行为。Fortiguard Labs监测到大量恶意包，并提供防护建议以应对供应链威胁。

Tenable Academy每周一提供指导，帮助从传统漏洞管理转向现代暴露管理。调查显示近半数组织正在探索或实施这一模式。通过整合多源数据和创建统一风险视图，暴露管理可识别复杂跨域风险并优先处理关键暴露点，从而实现主动预防攻击而非被动响应的目标。

Trustwave提供澳大利亚IRAP评估服务，帮助组织符合ASD的信息安全标准。服务包括准备审查、全面系统评估及云环境、网络网关等专项评估。由ASD认可的评估师独立完成，提供安全控制评估报告及改进建议。

文章探讨了单页应用（SPA）中隐藏在JavaScript代码中的API端点和敏感信息，通过手动检查和自动化工具（如Burp Suite的JS Miner扩展）发现潜在的安全漏洞。实际案例展示了如何通过分析JavaScript代码发现管理界面或利用自定义认证头绕过权限控制，强调了深入挖掘JavaScript代码的重要性。