Aggregator

凌晨2:47,看完《黑镜》后,作者探索GraphQL端点,发现API谎称"已达到限制",实则泄露大量用户数据。

A newly disclosed vulnerability in the Python-based data-exfiltration utility used by the notorious Cl0p ransomware group has exposed the cybercrime operation itself to potential attack. The flaw, cataloged as GCVE-1-2025-0002, was identified by Italian security researcher Lorenzo N and published by the Computer Incident Response Center Luxembourg (CIRCL) on July 1, 2025. Vulnerability Details The […]

The post Cl0p Ransomware’s Exfiltration Process Exposes RCE Vulnerability appeared first on GBHackers Security | #1 Globally Trusted Cyber Security News Platform.

这篇文章记录了作者学习网络安全知识的第二周内容，涵盖了不同类型的网络（如PAN、LAN）、网络设备（如集线器、交换机）、蓝牙技术、Wi-Fi安全协议（如WEP、WPA2）、ARP中毒攻击以及TCP和UDP协议等内容。

文章探讨了在Proxmox服务器中选择存储后端（ZFS或LVM-Thin）的重要性，并通过用户反馈分析了两者的优缺点及适用场景。

Craig Giles组织的“Waveband Hack Club YSWS”是一个非营利项目，旨在通过编程项目教青少年学习。参与者需用RTL-SDR dongle编写程序，并在完成任务后获得V4 dongle和天线套件奖励。活动限时至7月11日。

Без IBM и без Google: в России появился конкурент в квантовой гонке.

文章介绍了一种SQL注入技术，通过利用产品分类过滤器中的漏洞进行UNION攻击。作者展示了如何确定查询返回的列数，并成功注入字符串“2ibKWe”，以演示如何从其他表中提取数据。

文章介绍了一种SQL注入UNION攻击方法，通过确定查询返回的列数和识别兼容字符串数据的列来构造攻击，最终提取目标值。

文章介绍了一个时间盲SQL注入漏洞的实验过程。通过发送特定的payload（如`' || (SELECT pg_sleep(10))--`），攻击者可以利用PostgreSQL数据库的`pg_sleep`函数引发10秒延迟，从而确认漏洞的存在并推断数据库类型。

A vulnerability classified as problematic was found in MultiVendorX Plugin up to 4.2.22 on WordPress. Affected by this vulnerability is an unknown functionality. The manipulation leads to insertion of sensitive information into sent data. This vulnerability is known as CVE-2025-48261. The attack can be launched remotely. There is no exploit available.

A vulnerability, which was classified as critical, was found in Steel Browser up to 0.1.3. This affects the function handleFileUpload of the file api/src/modules/files/files.routes.ts. The manipulation of the argument filename leads to path traversal. This vulnerability is uniquely identified as CVE-2025-6152. It is possible to initiate the attack remotely. There is no exploit available. It is recommended to apply a patch to fix this issue.

A vulnerability was found in conda-build up to 25.3.x. It has been declared as critical. Affected by this vulnerability is an unknown functionality. The manipulation leads to path traversal. This vulnerability is known as CVE-2025-32799. The attack can be launched remotely. There is no exploit available. It is recommended to upgrade the affected component.

A vulnerability was found in Master Slider Plugin up to 3.10.8 on WordPress. It has been rated as problematic. This issue affects the function ms_slide of the component Shortcode Handler. The manipulation leads to cross site scripting. The identification of this vulnerability is CVE-2025-5291. The attack may be initiated remotely. There is no exploit available.

A vulnerability, which was classified as problematic, was found in spdlog up to 1.15.1. This affects the function scoped_padder in the library include/spdlog/pattern_formatter-inl.h. The manipulation leads to resource consumption. This vulnerability is uniquely identified as CVE-2025-6140. It is possible to launch the attack on the local host. Furthermore, there is an exploit available. It is recommended to upgrade the affected component.

A vulnerability classified as critical has been found in themanojdesai python-a2a up to 0.5.5. Affected is the function create_workflow of the file python_a2a/agent_flow/server/api.py. The manipulation leads to path traversal. This vulnerability is traded as CVE-2025-6167. The attack can only be done within the local network. There is no exploit available. It is recommended to upgrade the affected component.

A vulnerability classified as critical was found in Google ChromeOS 16063.45.2. Affected by this vulnerability is an unknown functionality of the component MiniOS. The manipulation leads to improper privilege management. This vulnerability is known as CVE-2025-6177. It is possible to launch the attack on the local host. There is no exploit available.

A vulnerability, which was classified as critical, was found in Google ChromeOS 16181.27.0. This affects an unknown part of the component Extension Management. The manipulation leads to permission issues. This vulnerability is uniquely identified as CVE-2025-6179. An attack has to be approached locally. There is no exploit available.

A vulnerability has been found in conda-build up to 25.3.x and classified as critical. This vulnerability affects the function eval. The manipulation leads to code injection. This vulnerability was named CVE-2025-32798. The attack can be initiated remotely. There is no exploit available. It is recommended to upgrade the affected component.

A vulnerability classified as critical was found in TOTOLINK EX1200T 4.1.2cu.5232_B20210713. This vulnerability affects unknown code of the file /boafrm/formSaveConfig of the component HTTP POST Request Handler. The manipulation of the argument submit-url leads to buffer overflow. This vulnerability was named CVE-2025-6129. The attack can be initiated remotely. Furthermore, there is an exploit available.

As AI reshapes business, 90% of organizations are not adequately prepared to secure their AI-driven future, according to a new report from Accenture. Globally, 63% of companies are in the “Exposed Zone,” indicating they lack both a cohesive cybersecurity strategy and necessary technical capabilities. Generative AI spend vs. security spend (Source: Accenture) The urgency of embedding cybersecurity by design The report reveals AI adoption has accelerated the speed, scale and sophistication of cyber threats, far … More →

The post 90% aren’t ready for AI attacks, are you? appeared first on Help Net Security.