Aggregator

文章描述了针对npm包的供应链攻击事件，攻击者通过钓鱼邮件获取项目维护者的令牌，发布恶意版本以窃取信息或执行远程代码。同时，抗议软件被上传至npm，影响特定网站。此外，Arch Linux移除了包含远程访问木马的AUR包。

A vulnerability was found in Microsoft SharePoint Enterprise Server 2016/2019/Subscription Edition. It has been classified as very critical. This affects an unknown part. The manipulation leads to deserialization. This vulnerability is uniquely identified as CVE-2025-53770. It is possible to initiate the attack remotely. Furthermore, there is an exploit available. It is recommended to upgrade the affected component.

Биткойн подрос? Тогда хакеры уже на полпути к вашему MetaMask.

这个夏天名师执教、 舒适食宿 、创新课程 、探索前沿，InForSec夏令营等你一起开启一场AI安全的邂逅

A vulnerability has been found in TOTOLINK T6 4.1.5cu.748_B20211015 and classified as critical. Affected by this vulnerability is the function setTelnetCfg of the file /cgi-bin/cstecgi.cgi of the component Telnet Service. The manipulation of the argument telnet_enabled with the input 1 leads to missing authentication. This vulnerability is known as CVE-2025-7862. The attack can be launched remotely. Furthermore, there is an exploit available. It is recommended to apply restrictive firewalling.

A vulnerability was found in Portabilis i-Educar 2.9.0. It has been rated as problematic. This issue affects some unknown processing of the file /intranet/educar_deficiencia_lst.php of the component Disabilities Module. The manipulation of the argument Deficiência ou Transtorno leads to cross site scripting. The identification of this vulnerability is CVE-2025-7866. The attack may be initiated remotely. Furthermore, there is an exploit available. The vendor was contacted early about this disclosure but did not respond in any way.

A vulnerability, which was classified as problematic, has been found in Portabilis i-Educar 2.9.0. Affected by this issue is some unknown functionality of the file intranet/educar_turma_tipo_det.php?cod_turma_tipo=ID of the component Turma Module. The manipulation of the argument nm_tipo leads to cross site scripting. This vulnerability is handled as CVE-2025-7869. The attack may be launched remotely. Furthermore, there is an exploit available. The vendor was contacted early about this disclosure but did not respond in any way.

A vulnerability, which was classified as problematic, was found in Portabilis i-Diario 1.5.0. This affects an unknown part of the component justificativas-de-falta Endpoint. The manipulation of the argument Anexo leads to cross site scripting. This vulnerability is uniquely identified as CVE-2025-7870. It is possible to initiate the attack remotely. Furthermore, there is an exploit available. The vendor was contacted early about this disclosure but did not respond in any way.

A vulnerability has been found in Portabilis i-Diario 1.5.0 and classified as problematic. This vulnerability affects unknown code of the file /conteudos. The manipulation of the argument filter[by_description] leads to cross site scripting. This vulnerability was named CVE-2025-7871. The attack can be initiated remotely. Furthermore, there is an exploit available. The vendor was contacted early about this disclosure but did not respond in any way.

大语言模型幻觉目前相对来说已经对比前两年好很多了，但是对于过于复杂的场景或者大模型未进行训练的数据可能还是会回答错误和不准确，因此这里通过简单的几个示例来了解大语言模型幻觉到底是什么情况，且如何进行优化和优化效果对比等。从而了解打大预言模型幻觉存在的情况。

此漏洞原因为kafka clients进行OAuth 2.0 认证时对token获取来源未作校验

本文提供了TensorFlow 2的最佳实践指南，包括代码模块化、调整优化器学习率、使用Keras API进行训练和调试等建议，帮助用户从TensorFlow 1顺利迁移至TF2。

一个14岁的男孩因经济困难寻求帮助，并计划入侵其老师的旧网站（建于1996年），该网站存在大量安全漏洞。尽管男孩是程序员但无法利用这些漏洞。他提到老师允许他在事后告知漏洞细节。

契约锁电子签章系统远程代码执行漏洞分析

/heapdump открыт? Попрощайтесь с токенами, логинами, паролями...

文章记录了对PDD App搜索请求中加密参数anti-token的逆向分析过程。通过抓包、Hook、RPC等技术，成功定位并获取了anti-token，实现了搜索请求的复现。主要内容包括请求分析、加密参数定位、RPC调用以及Native层初步分析。

吕贝克的"开放知识之夜"2025年活动参与者征集开启，截止至9月25日。参与者可提交工作坊、演讲等多元内容，主题涵盖考古学、气候研究等广泛领域。活动旨在分享知识并使其公开可用，并特别欢迎新手参与。

大部分便携式应用在Windows 11 64位系统上无法正常工作，用户希望找到一种无需虚拟机的解决方案以保持其便携性。

nip.io静态DNS解析技术 URL校验绕过 CSA单点票据劫持

本文记录了作者在练习 pwnedlabs 云安全靶场过程中的实战步骤与思路，涵盖多个场景，包括 公共S3枚举、EBS快照利用、RDS快照还原、S3访问控制绕过 及 Lambda + SQS 注入漏洞分析 等内容。