Aggregator

感谢各位安全专家长期关注阿里巴巴集团安全，帮助阿里云先知提高阿里巴巴集团和客户安全水平，保障数亿用户的安全！

Met het oog op de gereedstelling van de organisatie wil Defensie samenwerken met logistieke en transportbedrijven. Bijvoorbeeld bij grootschalige Europese oefeningen, of tijdens een veiligheidscrisis. Gisteren vond een bijeenkomst plaats in Kasteel Woerden voor de diensten wegtransport en overslag. Ruim 100 belangstellende logistieke partners kregen informatie. 

Work management platform Asana is warning users of its new Model Context Protocol (MCP) feature that a flaw in its implementation potentially led to data exposure from their instances to other users and vice versa. [...]

本田宣布其子公司本田技术研究所开发的可重复使用小型火箭起降试验首次取得成功。发射于当天下午在北海道大树町专用设施进行，火箭高度达到约 300 米，飞行约 1 分钟后落地。本田 2021 年宣布进军太空火箭业务。试验机全长 6.3 米、直径85厘米，采用同一机体可重复使用的设计。火箭上运用了在汽车和自动驾驶开发过程中积累的技术。本田计划通过不断试验，2029 年将其送入太空。可重复使用火箭与传统一次性机型相比可大幅降低发射成本。

DTResearch製UEFIアプリケーションDTBiosおよびBiosFlashShellには、NVRAM変数を使用してセキュアブート機能を回避され、未署名のコードが実行可能になる脆弱性が存在します。

A vulnerability was found in Apache Traffic Server up to 9.2.10/10.0.5. It has been declared as problematic. Affected by this vulnerability is an unknown functionality of the component ESI Plugin. The manipulation leads to uncontrolled memory allocation. This vulnerability is known as CVE-2025-49763. The attack can be launched remotely. There is no exploit available. It is recommended to upgrade the affected component.

A vulnerability was found in Apache Traffic Server up to 9.2.10/10.0.5. It has been classified as critical. Affected is an unknown function of the component Proxy Protocol Handler. The manipulation leads to improper access controls. This vulnerability is traded as CVE-2025-31698. It is possible to launch the attack remotely. There is no exploit available. It is recommended to upgrade the affected component.

Где всё было? Там, куда телескоп не дотягивается.

A vulnerability was found in libblockdev and classified as critical. This issue affects some unknown processing of the component udisks. The manipulation leads to Local Privilege Escalation. The identification of this vulnerability is CVE-2025-6019. Local access is required to approach this attack. There is no exploit available.

A vulnerability has been found in Target Video Easy Publish Plugin up to 3.8.5 on WordPress and classified as problematic. This vulnerability affects unknown code. The manipulation of the argument width leads to cross site scripting. This vulnerability was named CVE-2025-5237. The attack can be initiated remotely. There is no exploit available.

A vulnerability, which was classified as problematic, was found in FunnelKit Recover WooCommerce Cart Abandonment, Newsletter, Email Marketing, Marketing Automation Plugin up to 3.5.3 on WordPress. This affects the function install_or_activate_addon_plugins of the component Plugin Installation Handler. The manipulation leads to missing authorization. This vulnerability is uniquely identified as CVE-2025-1562. It is possible to initiate the attack remotely. There is no exploit available.

A vulnerability, which was classified as critical, has been found in Ultra Addons for Contact Form 7 Plugin up to 3.5.12 on WordPress. Affected by this issue is the function save_options. The manipulation leads to unrestricted upload. This vulnerability is handled as CVE-2025-6220. The attack may be launched remotely. There is no exploit available.

A vulnerability classified as very critical was found in SolarWinds Web Help Desk up to 12.8.3 Hotfix 2. Affected by this vulnerability is an unknown functionality of the component AjaxProxy. The manipulation leads to deserialization. This vulnerability is known as CVE-2024-28988. The attack can be launched remotely. There is no exploit available. It is recommended to upgrade the affected component.

数字经济建立在开源的基础之上。大部分网站都运行在开源的 Apache 和 Nginx 之上，大部分服务器都运行开源的 Linux 系统，而最流行的移动系统 Android 也是基于 Linux，用于管理云计算工作负荷的 Kubernetes 也是开源的。开源运动在中国引起关注是在 2010 年代中期，开源社联合创始人林旅强（Richard）回忆称，早期采用开源的人主要是想要使用免费软件的开发者，当他们认识到向开源项目贡献代码有助于改善他们的求职前景时。他们开始拥抱开源运动。大企业紧跟其后。拥抱开源被认为有助于减少对西方技术的依赖。开源为科技公司提供了一种使用现有代码的快捷方式，能在庞大的开发者社区的帮助下构建自己的程序。2019 年华为被美国禁止使用 Android，2020 年华为推出了开源项目 OpenHarmony，华为还与阿里巴巴、百度和腾讯等合作成立了致力于开源开发的开放原子基金会（OpenAtom Foundation）。中国不仅成为开源项目的重要贡献者，也成为开源软件的早期采用者。京东是首批部署 Kubernetes 的公司之一。最近炙手可热的 AI 也进一步推动了中国的开源运动，企业和政府都将开源大模型视为缩小与美国差距的最快途径。DeepSeek 开源了其大模型，而阿里巴巴开源了 Qwen，百度也准备开源其文心大模型。

A vulnerability classified as critical has been found in CSV Me Plugin up to 2.0 on WordPress. Affected is the function csv_me_options_page. The manipulation leads to unrestricted upload. This vulnerability is traded as CVE-2025-6086. It is possible to launch the attack remotely. There is no exploit available.

CloudX：为 Burp Suite 打造的加密解密终极方案 作者长期探索渗透测试中加密、防重放、签名等问题的最优解，最终以高度灵活的规则驱动机制推出了 CloudX。该工具设计先进、体积轻巧（不足 3000 行代码），具备强大的可扩展性和透明性。

JQCTF2025 Customize Virtual Machine复现

LitCTF2025 re wp&&复现

НОАК использует ИИ, который «галлюцинирует».