Aggregator

ISC Stormcast播客于2025年8月1日发布，值班员Johannes Ullrich报告威胁等级为绿色。讨论涵盖应用安全课程及DShield工具。

A vulnerability was found in lightning-ai pytorch-lightning up to 2.3.2 and classified as critical. This issue affects some unknown processing of the file /api/v1/upload_file/ of the component LightningApp. The manipulation leads to unrestricted upload. The identification of this vulnerability is CVE-2024-8019. The attack may be initiated remotely. There is no exploit available. It is recommended to upgrade the affected component.

A vulnerability has been found in netease-youdao qanything up to 1.4.1 and classified as problematic. Affected by this vulnerability is an unknown functionality. The manipulation leads to origin validation error. This vulnerability is known as CVE-2024-8024. The attack can be launched remotely. There is no exploit available.

A vulnerability classified as problematic has been found in lightning-ai pytorch-lightning up to 2.3.2. This affects an unknown part of the file /api/v1/state. The manipulation leads to resource consumption. This vulnerability is uniquely identified as CVE-2024-8020. It is possible to initiate the attack remotely. There is no exploit available.

A vulnerability, which was classified as problematic, was found in netease-youdao QAnything. This affects an unknown part. The manipulation leads to cross site scripting. This vulnerability is uniquely identified as CVE-2024-8027. It is possible to initiate the attack remotely. There is no exploit available.

A vulnerability was found in code-projects Exam Form Submission 1.0 and classified as critical. Affected by this issue is some unknown functionality of the file /admin/delete_s5.php. The manipulation of the argument ID leads to sql injection. This vulnerability is handled as CVE-2025-8252. The attack may be launched remotely. Furthermore, there is an exploit available.

A vulnerability was found in code-projects Exam Form Submission 1.0. It has been classified as critical. This affects an unknown part of the file /admin/delete_s6.php. The manipulation of the argument ID leads to sql injection. This vulnerability is uniquely identified as CVE-2025-8253. It is possible to initiate the attack remotely. Furthermore, there is an exploit available.

A vulnerability was found in Campcodes Courier Management System 1.0. It has been declared as critical. This vulnerability affects unknown code of the file /view_parcel.php. The manipulation of the argument ID leads to sql injection. This vulnerability was named CVE-2025-8254. The attack can be initiated remotely. Furthermore, there is an exploit available.

A vulnerability was found in code-projects Exam Form Submission 1.0. It has been rated as critical. This issue affects some unknown processing of the file /register.php. The manipulation of the argument image leads to unrestricted upload. The identification of this vulnerability is CVE-2025-8255. The attack may be initiated remotely. Furthermore, there is an exploit available.

A vulnerability classified as critical has been found in code-projects Online Ordering System 1.0. Affected is an unknown function of the file /admin/product.php. The manipulation of the argument image leads to unrestricted upload. This vulnerability is traded as CVE-2025-8256. It is possible to launch the attack remotely. Furthermore, there is an exploit available.

A vulnerability classified as problematic was found in Lobby Universe Lobby App up to 2.8.0 on Android. Affected by this vulnerability is an unknown functionality of the file AndroidManifest.xml of the component com.maverick.lobby. The manipulation leads to improper export of android application components. This vulnerability is known as CVE-2025-8257. The attack needs to be approached locally. Furthermore, there is an exploit available.

A vulnerability, which was classified as critical, was found in Vaelsys 4.1.0. This affects the function execute_DataObjectProc of the file /grid/vgrid_server.php. The manipulation of the argument xajaxargs leads to os command injection. This vulnerability is uniquely identified as CVE-2025-8259. It is possible to initiate the attack remotely. Furthermore, there is an exploit available. The vendor was contacted early about this disclosure but did not respond in any way.

A vulnerability was found in Canara ai1 Mobile Banking App 3.6.23 on Android and classified as problematic. This issue affects some unknown processing of the file AndroidManifest.xml of the component com.canarabank.mobility. The manipulation leads to improper export of android application components. The identification of this vulnerability is CVE-2025-8207. Local access is required to approach this attack. Furthermore, there is an exploit available. The vendor was contacted early about this disclosure but did not respond in any way.

A vulnerability was found in Yeelink Yeelight App up to 3.5.4 on Android. It has been classified as problematic. Affected is an unknown function of the file AndroidManifest.xml of the component com.yeelight.cherry. The manipulation leads to improper export of android application components. This vulnerability is traded as CVE-2025-8210. Attacking locally is a requirement. Furthermore, there is an exploit available. The vendor was contacted early about this disclosure but did not respond in any way.

A vulnerability was found in Roothub up to 2.6. It has been declared as problematic. Affected by this vulnerability is the function Edit of the file src/main/java/cn/roothub/web/admin/SystemConfigAdminController.java. The manipulation leads to cross site scripting. This vulnerability is known as CVE-2025-8211. The attack can be launched remotely. Furthermore, there is an exploit available.

文章介绍了HTTP错误代码521的含义及其常见原因，指出该错误通常与服务器连接问题或网络配置不当有关，并提供了排查和解决该问题的方法建议。

HackerNews 编译，转载请注明出处： 安全专家指出，尽管微软决定从8月1日起关闭其Authenticator应用的密码管理功能，密码管理器在未来一段时间内仍将是防御身份相关威胁的重要工具。 微软早已逐步缩减Authenticator的密码存储与自动填充能力：自6月初起，用户无法新增或导入密码；7月期间自动填充功能被关闭；而自8月1日起，所有保存的密码将无法通过该应用访问。此后，存储的密码可通过Edge浏览器访问和自动填充，或导出至其他密码管理器。但微软更希望用户转向通行密钥（passkey）——该认证方式仍受Authenticator支持，且被广泛认为更安全便捷（通过PIN或生物识别实现无密码登录）。 Keeper Security首席执行官Darren Guccione对此提出异议：“微软取消密码支持的举措看似预示行业正快速转向无密码认证，但数据揭示另一现实。这远非预示剧变，而是渐进转型中的一步。能生成并保护传统密码的解决方案对个人和企业仍至关重要，即便通行密钥在数字系统中的普及度持续提升。”他援引数据称，40%的企业采用密码与通行密钥并存的混合认证环境。 IEEE高级成员、诺丁汉大学网络安全教授Steve Furnell呼应此观点：“向无密码未来的过渡仍需时间。许多企业近期才部署多因素认证（MFA），缺乏动力开发通行密钥等新技术，尽管后者能提升用户体验。另一些企业或因定制系统或遗留系统限制，仍被迫使用传统密码。”他补充道，依赖密码的企业须落实两项基础措施：“首先提供明确指导，使用户理解如何有效创建和管理密码；其次实施默认安全策略，无论用户行为如何都能降低风险。”       消息来源：infosecurity-magazine； 本文由 HackerNews.cc 翻译整理，封面来源于网络； 转载请注明“转自 HackerNews.cc”并附上原文

A vulnerability was found in IAHispano Applio up to 3.2.7. It has been classified as critical. This affects an unknown part of the file model_download.py. The manipulation leads to server-side request forgery. This vulnerability is uniquely identified as CVE-2025-27774. It is possible to initiate the attack remotely. There is no exploit available.

A vulnerability was found in netease-youdao qanything up to 2.0.0. It has been declared as critical. Affected by this vulnerability is an unknown functionality of the component SSH Key Handler. The manipulation leads to path traversal. This vulnerability is known as CVE-2024-12866. The attack can be launched remotely. There is no exploit available.

A vulnerability was found in comfyanonymous comfyui up to 0.2.4. It has been rated as critical. Affected by this issue is some unknown functionality of the file /internal/models/download. The manipulation leads to server-side request forgery. This vulnerability is handled as CVE-2024-12882. The attack may be launched remotely. There is no exploit available.