Aggregator

这个话题比较有意思，因为我们这几年也做了自己的研发安全平台，其初衷主要有以下几点： 1、业务驱动：各种安全扫描工具比较多，产线使用起来很麻烦，做了平台之后安全扫描工具的扫描结果可以都发到平台上，统一处理和管理； 2、效能提升：研发安全团队的各类工具，比如安全测试报告生成工具都集成到平台，产品线就能生成报告；与其他系统打通，又可以提升效率； 3、成果展示：类似态势感知的大屏展示，可以把安全团队/个人／产品线的指标做实时的展示和分析，快速输出数据做汇报和对外展示。 这其实都是研发安全发展到一定阶段的必定产物，也许有人会说为什么不把这些数据放到devops平台、bug管理系统？其实也可，具体缘由不由分说。 更多内容，可以访问： 1、SDL 100问 SDL100问：我与SDL的故事 SAST误报太高，如何解决？ SDL需要哪些人参与？ 软件安全领域有哪些成熟度模型？ 如何在隔离环境中修复大量的Java漏洞？ SDL 62/100问：如何处理扫描出的三方组件开源协议风险？ 2、SDL创新实践 首发！“ 研发安全运营 ” 架构研究与实践 DevSecOps实施关键：研发安全团队 DevSecOps实施关键：研发安全流程 DevSecOps实施关键：研发安全规范 从安全视角，看研发安全 数字化转型下的研发安全痛点 一个思考：安全测试驱动产品安全？ 3、SDL最初实践 【SDL最初实践】开篇 【SDL最初实践】安全培训 【SDL最初实践】安全需求 【SDL最初实践】安全设计 【SDL最初实践】安全开发 【SDL最初实践】安全测试 【SDL最初实践】安全审核 【SDL最初实践】安全响应 4、软件供应链安全 软件供应商面临的攻防实战风险 软件供应商实战对抗十大安全举措 软件供应商攻防常规战之SDL 软件供应链投毒事件应急响应 浅谈企业级供应链投毒应急安全能力建设 5、安全运营实践 基于实践的安全事件简述 安全事件运营SOP：钓鱼邮件 安全事件运营SOP：网络攻击 安全事件运营SOP：蜜罐告警 安全事件运营SOP：webshell事件 安全事件运营SOP：接收漏洞事件 应急能力提升：实战应急困境与突破 应急能力提升：挖矿权限维持攻击模拟 应急能力提升：内网横向移动攻击模拟 应急能力提升：实战应急响应经验

A vulnerability has been found in Nokaut Offers Box Plugin up to 1.4.0 on WordPress and classified as problematic. Affected by this vulnerability is an unknown functionality of the component Setting Handler. The manipulation leads to cross-site request forgery. This vulnerability is known as CVE-2024-10634. The attack can be launched remotely. There is no exploit available.

A vulnerability classified as problematic has been found in Xpdf 4.04. This affects the function gfseek of the file goo/gfile.cc. The manipulation leads to denial of service. This vulnerability is uniquely identified as CVE-2022-41842. It is possible to initiate the attack remotely. There is no exploit available.

A vulnerability classified as problematic was found in Xpdf 4.04. This vulnerability affects the function convertToType0 of the file fofi/FoFiType1C.cc. The manipulation leads to denial of service. This vulnerability was named CVE-2022-41843. The attack can be initiated remotely. There is no exploit available.

A vulnerability, which was classified as problematic, has been found in Responsive Contact Form Builder & Lead Generation Plugin up to 1.9.7 on WordPress. Affected by this issue is some unknown functionality of the component Setting Handler. The manipulation leads to cross site scripting. This vulnerability is handled as CVE-2024-10475. The attack may be launched remotely. There is no exploit available. It is recommended to upgrade the affected component.

A vulnerability has been found in Ampere Altra and AltraMax up to 2022-07-15 and classified as problematic. Affected by this vulnerability is an unknown functionality. The manipulation leads to information exposure through discrepancy. This vulnerability is known as CVE-2022-35888. It is possible to launch the attack on the physical device. There is no exploit available.

A vulnerability was found in wolfSSL up to 5.5.0. It has been classified as critical. This affects an unknown part of the component TLS 1.3 Handshake Handler. The manipulation leads to buffer overflow. This vulnerability is uniquely identified as CVE-2022-39173. It is possible to initiate the attack remotely. There is no exploit available. It is recommended to upgrade the affected component.

A vulnerability, which was classified as problematic, has been found in Xpdf 4.04. This issue affects the function XRef::fetch of the file xpdf/XRef.cc. The manipulation leads to denial of service. The identification of this vulnerability is CVE-2022-41844. The attack may be initiated remotely. There is no exploit available.

A vulnerability was found in Microsoft Windows 7 SP1/Server 2008 R2 SP1/Server 2008 SP2. It has been classified as problematic. This affects an unknown part of the component GDI. The manipulation leads to information disclosure. This vulnerability is uniquely identified as CVE-2019-1011. It is possible to initiate the attack remotely. There is no exploit available. It is recommended to apply a patch to fix this issue.

A vulnerability was found in Microsoft Windows. It has been declared as problematic. This vulnerability affects unknown code of the component GDI. The manipulation leads to information disclosure. This vulnerability was named CVE-2019-1012. The attack can be initiated remotely. There is no exploit available. It is recommended to apply a patch to fix this issue.

A vulnerability was found in Microsoft Windows 7 SP1/Server 2008 R2 SP1/Server 2008 SP2. It has been rated as problematic. This issue affects some unknown processing of the component GDI. The manipulation leads to information disclosure. The identification of this vulnerability is CVE-2019-1013. The attack may be initiated remotely. There is no exploit available. It is recommended to apply a patch to fix this issue.

A vulnerability classified as critical has been found in Microsoft Windows. Affected is an unknown function of the component Win32k. The manipulation leads to improper access controls. This vulnerability is traded as CVE-2019-1014. It is possible to launch the attack remotely. There is no exploit available. It is recommended to apply a patch to fix this issue.

A vulnerability classified as problematic was found in Microsoft Windows 7 SP1/Server 2008 R2 SP1/Server 2008 SP2. Affected by this vulnerability is an unknown functionality of the component GDI. The manipulation leads to information disclosure. This vulnerability is known as CVE-2019-1015. The attack can be launched remotely. There is no exploit available. It is recommended to apply a patch to fix this issue.

A vulnerability, which was classified as problematic, has been found in Microsoft Windows 7 SP1/Server 2008 R2 SP1/Server 2008 SP2. Affected by this issue is some unknown functionality of the component GDI. The manipulation leads to information disclosure. This vulnerability is handled as CVE-2019-1016. The attack may be launched remotely. There is no exploit available. It is recommended to apply a patch to fix this issue.

A vulnerability, which was classified as critical, was found in Microsoft Windows. This affects an unknown part of the component Win32k. The manipulation leads to improper access controls. This vulnerability is uniquely identified as CVE-2019-1017. It is possible to initiate the attack remotely. There is no exploit available. It is recommended to apply a patch to fix this issue.

A vulnerability has been found in Microsoft Windows up to Server 2019 and classified as critical. This vulnerability affects unknown code of the component DirectX. The manipulation leads to improper access controls. This vulnerability was named CVE-2019-1018. The attack can be initiated remotely. There is no exploit available. It is recommended to apply a patch to fix this issue.

A vulnerability was found in Microsoft Windows and classified as problematic. This issue affects some unknown processing of the component Security. The manipulation leads to 7pk security features (Credentials). The identification of this vulnerability is CVE-2019-1019. The attack may be initiated remotely. There is no exploit available. It is recommended to apply a patch to fix this issue.

A vulnerability was found in Microsoft Windows up to Server 2019. It has been classified as critical. Affected is an unknown function of the component Audio Service. The manipulation leads to improper access controls. This vulnerability is traded as CVE-2019-1021. It is possible to launch the attack remotely. There is no exploit available. It is recommended to apply a patch to fix this issue.

A vulnerability was found in Microsoft Windows 10 1809/10 1903/Server 1903/Server 2019. It has been declared as critical. Affected by this vulnerability is an unknown functionality of the component Audio Service. The manipulation leads to improper access controls. This vulnerability is known as CVE-2019-1022. The attack can be launched remotely. There is no exploit available. It is recommended to apply a patch to fix this issue.

KrebsOnSecurity last week was hit by a near record distributed denial-of-service (DDoS) attack that clocked in at more than 6.3 terabits of data per second (a terabit is one trillion bits of data). The brief attack appears to have been a test run for a massive new Internet of Things (IoT) botnet capable of launching crippling digital assaults that few web destinations can withstand. Read on for more about the botnet, the attack, and the apparent creator of this global menace.