Aggregator

CVE-2021-46902 | Meinberg LANTIME prior 6.24.029 MBGID-9343/7.04.008 MBGID-6303 LTOS-Web-Interface access control

Vuldb Updates
2 months 2 weeks ago
A vulnerability was found in Meinberg LANTIME. It has been declared as critical. This vulnerability affects unknown code of the component LTOS-Web-Interface. The manipulation leads to improper access controls. This vulnerability was named CVE-2021-46902. The attack needs to be done within the local network. There is no exploit available. It is recommended to upgrade the affected component.
vuldb.com

CVE-2021-46903 | Meinberg LANTIME prior 6.24.029 MBGID-9343/7.04.008 MBGID-6303 LTOS-Web-Interface access control

Vuldb Updates
2 months 2 weeks ago
A vulnerability was found in Meinberg LANTIME. It has been rated as critical. This issue affects some unknown processing of the component LTOS-Web-Interface. The manipulation leads to improper access controls. The identification of this vulnerability is CVE-2021-46903. The attack needs to be initiated within the local network. There is no exploit available. It is recommended to upgrade the affected component.
vuldb.com

CVE-2023-40355 | Axigen up to 10.3.3.58/10.4.18/10.5.4 cross site scripting

Vuldb Updates
2 months 2 weeks ago
A vulnerability, which was classified as problematic, has been found in Axigen up to 10.3.3.58/10.4.18/10.5.4. Affected by this issue is some unknown functionality. The manipulation leads to cross site scripting. This vulnerability is handled as CVE-2023-40355. The attack may be launched remotely. There is no exploit available. It is recommended to upgrade the affected component.
vuldb.com

CVE-2024-25201 | Espruino 2v20 src/jsvar.c jsvStringIteratorPrintfCallback out-of-bounds (Issue 2456)

Vuldb Updates
2 months 2 weeks ago
A vulnerability was found in Espruino 2v20. It has been rated as problematic. Affected by this issue is the function jsvStringIteratorPrintfCallback of the file src/jsvar.c. The manipulation leads to out-of-bounds read. This vulnerability is handled as CVE-2024-25201. The attack needs to be approached within the local network. There is no exploit available.
vuldb.com

CVE-2023-40264 | Atos Unify OpenScape Voice Trace Manager prior V8 R0.9.11 User Interface path traversal

Vuldb Updates
2 months 2 weeks ago
A vulnerability was found in Atos Unify OpenScape Voice Trace Manager. It has been rated as critical. This issue affects some unknown processing of the component User Interface. The manipulation leads to path traversal. The identification of this vulnerability is CVE-2023-40264. The attack needs to be done within the local network. There is no exploit available. It is recommended to upgrade the affected component.
vuldb.com

CVE-2023-40262 | Atos Unify OpenScape Voice Trace Manager prior V8 R0.9.11 Administration cross site scripting

Vuldb Updates
2 months 2 weeks ago
A vulnerability classified as problematic was found in Atos Unify OpenScape Voice Trace Manager. Affected by this vulnerability is an unknown functionality of the component Administration. The manipulation leads to cross site scripting. This vulnerability is known as CVE-2023-40262. The attack can be launched remotely. There is no exploit available. It is recommended to upgrade the affected component.
vuldb.com

CVE-2024-25309 | code-projects Simple School Management System 1.0 School/teacher_login.php pass sql injection

Vuldb Updates
2 months 2 weeks ago
A vulnerability, which was classified as critical, has been found in code-projects Simple School Management System 1.0. Affected by this issue is some unknown functionality of the file School/teacher_login.php. The manipulation of the argument pass leads to sql injection. This vulnerability is handled as CVE-2024-25309. The attack needs to be done within the local network. There is no exploit available.
vuldb.com

CVE-2024-27232 | Google Android asn1_common.c asn1_ec_pkey_parse out-of-bounds

Vuldb Updates
2 months 2 weeks ago
A vulnerability was found in Google Android. It has been classified as problematic. This affects the function asn1_ec_pkey_parse of the file asn1_common.c. The manipulation leads to out-of-bounds read. This vulnerability is uniquely identified as CVE-2024-27232. It is possible to launch the attack on the local host. There is no exploit available. It is recommended to apply a patch to fix this issue.
vuldb.com

有多隐蔽才算隐蔽?研究现实世界中黑盒对抗攻击的有效性

Seebug Paper
2 months 2 weeks ago
作者:Francesco Panebianco, Mario D’Onghia, Stefano Zanero, Michele Carminati 译者:知道创宇404实验室翻译组 原文链接:https://arxiv.org/html/2506.05382v1 摘要 深度学习系统在自动驾驶等领域至关重要,但它们容易受到对抗性样本的攻击(对抗性样本是经过精心设计的输入,旨在误导分类器)。本...

Employees are using AI where they know they shouldn’t

Help Net Security
2 months 2 weeks ago

Despite widespread anticipation about AI’s positive impact on workforce productivity, most employees feel they were overpromised on its potential, according to GoTo. In fact, 62% believe AI has been significantly overhyped. However, this is likely because employees aren’t making the most of what these tools have to offer. 86% admit they’re not using AI tools to their full potential, and 82% say they aren’t very familiar with how AI can be used practically in their … More →

The post Employees are using AI where they know they shouldn’t appeared first on Help Net Security.

Help Net Security

超过84000个Roundcube网络邮件安装受到RCE漏洞影响

嘶吼
2 months 2 weeks ago

最新发现,超过84000个Roundcube网络邮件安装容易受到CVE-2025-49113的攻击,CVE-2025-49113是一个严重的远程代码执行(RCE)漏洞,可公开利用。

该漏洞影响了Roundcube的1.1.0到1.6.10版本,跨越了十年,在安全研究员Kirill Firsov发现并报告后,于2025年6月1日被修补。

该错误源于未处理的$_GET['_from']输入,当会话键以感叹号开始时,会启用PHP对象反序列化和会话损坏。

补丁发布后不久,黑客对其进行了逆向工程,开发了一个有效的漏洞,并在地下论坛上出售。尽管利用CVE-2025-49113需要身份验证,但攻击者声称可以通过CSRF、日志抓取或暴力强制获取有效凭据。目前Firsov在他的博客上分享了有关该漏洞的技术细节,以帮助防御很可能发生的主动利用尝试。

大规模的曝光

Roundcube广泛用于共享主机(GoDaddy, Hostinger, OVH)以及政府,教育和技术部门,在线可见实例超过120万。

威胁监测平台Shadowserver基金会报告称,截至2025年6月8日,其互联网扫描返回了84925个易受CVE-2025-49113攻击的Roundcube实例。

这些案例中的大多数发生在美国(19500)、印度(15500)、德国(13600)、法国(3600)、加拿大(3500)和英国(2400)。

考虑到高风险的利用和潜在的数据盗窃,这些实例的暴露是一个重大的网络安全风险。建议系统管理员尽快更新到解决CVE-2025-49113的1.6.11和1.5.10版本。

目前尚不清楚该漏洞是否被用于实际的攻击,以及规模有多大,但安全研究员建议人们应立即采取行动。如果无法升级,建议限制对webmail的访问,关闭文件上传,添加CSRF保护,阻止有风险的PHP函数,并监控漏洞利用指标。

胡金鱼

Managed ad