Aggregator

CVE-2025-8169 | D-Link DIR-513 1.10 HTTP POST Request formSetWanPPTPpath formSetWanPPTPcallback curTime buffer overflow

VulDB Recent Entries
10 months 4 weeks ago
A vulnerability classified as critical has been found in D-Link DIR-513 1.10. This affects the function formSetWanPPTPcallback of the file /goform/formSetWanPPTPpath of the component HTTP POST Request Handler. The manipulation of the argument curTime leads to buffer overflow. This vulnerability only affects products that are no longer supported by the maintainer. This vulnerability is uniquely identified as CVE-2025-8169. It is possible to initiate the attack remotely. Furthermore, there is an exploit available.
vuldb.com

CVE-2025-8168 | D-Link DIR-513 1.10 /goform/formSetWanPPPoE websAspInit curTime buffer overflow

VulDB Recent Entries
10 months 4 weeks ago
A vulnerability was found in D-Link DIR-513 1.10. It has been rated as critical. Affected by this issue is the function websAspInit of the file /goform/formSetWanPPPoE. The manipulation of the argument curTime leads to buffer overflow. This vulnerability only affects products that are no longer supported by the maintainer. This vulnerability is handled as CVE-2025-8168. The attack may be launched remotely. Furthermore, there is an exploit available.
vuldb.com

New CastleLoader Attack Using Cloudflare-Themed Clickfix Technique to Infect Windows Computers

Cyber Security News
10 months 4 weeks ago

CastleLoader, a rapidly evolving loader discovered in 2025, has surged across underground networks by weaponizing Cloudflare-themed “Clickfix” phishing pages and doctored GitHub repositories to compromise Windows hosts. The malware masquerades as benign developer resources, browser updates, or meeting portals, luring unsuspecting users into copying a seemingly innocent PowerShell command that promises to “verify” or “repair” […]

The post New CastleLoader Attack Using Cloudflare-Themed Clickfix Technique to Infect Windows Computers appeared first on Cyber Security News.

Tushar Subhra Dutta

CVE-2025-8167 | code-projects Church Donation System 1.0 /admin/edit_members.php fname cross site scripting

VulDB Recent Entries
10 months 4 weeks ago
A vulnerability was found in code-projects Church Donation System 1.0. It has been declared as problematic. Affected by this vulnerability is an unknown functionality of the file /admin/edit_members.php. The manipulation of the argument fname leads to cross site scripting. This vulnerability is known as CVE-2025-8167. The attack can be launched remotely. Furthermore, there is an exploit available. Other parameters might be affected as well.
vuldb.com

CVE-2025-8166 | code-projects Church Donation System 1.0 HTTP POST Request /admin/index.php Username sql injection

VulDB Recent Entries
10 months 4 weeks ago
A vulnerability was found in code-projects Church Donation System 1.0. It has been classified as critical. Affected is an unknown function of the file /admin/index.php of the component HTTP POST Request Handler. The manipulation of the argument Username leads to sql injection. This vulnerability is traded as CVE-2025-8166. It is possible to launch the attack remotely. Furthermore, there is an exploit available.
vuldb.com

CVE-2025-8165 | code-projects Food Review System 1.0 approve_reservation.php occasion sql injection

VulDB Recent Entries
10 months 4 weeks ago
A vulnerability was found in code-projects Food Review System 1.0 and classified as critical. This issue affects some unknown processing of the file /admin/approve_reservation.php. The manipulation of the argument occasion leads to sql injection. The identification of this vulnerability is CVE-2025-8165. The attack may be initiated remotely. Furthermore, there is an exploit available.
vuldb.com

公安部计算机信息系统安全产品质量监督检验中心检测发现33款违法违规收集使用个人信息的移动应用

嘶吼
10 months 4 weeks ago

依据《网络安全法》《个人信息保护法》等法律法规,按照《中央网信办、工业和信息化部、公安部、市场监管总局关于开展2025年个人信息保护系列专项行动的公告》要求,经公安部计算机信息系统安全产品质量监督检验中心检测,33款移动应用存在违法违规收集使用个人信息情况,现通报如下

1、未公开收集使用规则。涉及1款移动应用如下:

《比陌》(1.1.2,百度手机助手)。

2、未逐一列出收集、使用个人信息的目的、方式、范围。涉及14款移动应用如下:

《映客直播》(9.7.25,华为应用市场)、《悦享家生活》(9.7.1,华为应用市场)、《小盒学习》(5.2.04,华为应用市场)、《宝宝树孕育》(9.91.2,华为应用市场)、《花生日记》(6.3.0,小米应用商店)、《Nico》(8.32.2,VIVO应用商店)、《零售云》(8.32.0,VIVO应用商店)、《己陌》(1.8.88,应用宝)、《本地陌聊》(5.3.2,VIVO应用商店)、《爱文漂流瓶》(2.0.3,VIVO应用商店)、《一起作业》(3.8.24.10009,VIVO应用商店)、《萤石云视频》(7.2.19.250609,豌豆荚)、《即陌》(1.0.12.2,豌豆荚)、《连信》(6.4.6,豌豆荚)。

3、在申请打开可收集个人信息的权限时,未同步告知用户其目的。涉及1款移动应用如下:

《即陌》(1.0.12.2,豌豆荚)。

4、在申请收集用户等个人敏感信息时,未同步告知用户其目的。涉及1款移动应用如下:

《Nico》(8.32.2,VIVO应用商店)。

5、征得用户同意前就开始收集个人信息。涉及3款移动应用如下:

《零售云》(8.32.0,VIVO应用商店)、《一起作业》(3.8.24.10009,VIVO应用商店)、《即陌》(1.0.12.2,豌豆荚)。

6、实际收集的个人信息超出用户授权范围。涉及14款移动应用如下:

《宝宝树孕育》(9.91.2,华为应用市场)、《花生日记》(6.3.0,小米应用商店)、《情多多》(9.6.8,应用宝)、《Nico》(8.32.2,VIVO应用商店)、《零售云》(8.32.0,VIVO应用商店)、《己陌》(1.8.88,应用宝)、《爱文漂流瓶》(2.0.3,VIVO应用商店)、《返利》(9.61.0,百度手机助手)、《约桃》(2.0.6,应用宝)、《相机360》(9.9.48,百度手机助手)、《萤石云视频》(7.2.19.250609,豌豆荚)、《即陌》(1.0.12.2,豌豆荚)、《连信》(6.4.6,豌豆荚)、《心遇》(2.6.0,豌豆荚)。

7、配置文件中声明的可收集个人信息的权限超出相关功能的必要范围。涉及3款移动应用如下:

《宝宝树孕育》(9.91.2,华为应用市场)、《陌生》(1.1.0,华为应用市场)、《万能遥控》(7.1.5,应用宝)。

8、实际收集的个人信息超出相关功能的必要范围。涉及3款移动应用如下:

《花生日记》(6.3.0,小米应用商店)、《附近陌生人欢聊》(3.0.2,OPPO软件商店)、《萤石云视频》(7.2.19.250609,豌豆荚)。

9、实际收集个人信息的频率超出相关功能的必要范围。涉及14款移动应用如下:

《得间免费小说》(5.4.2.1,华为应用市场)、《糖豆》(8.5.3,华为应用市场)、《映客直播》(9.7.25,华为应用市场)、《小盒学习》(5.2.04,华为应用市场)、《宝宝树孕育》(9.91.2,华为应用市场)、《花生日记》(6.3.0,小米应用商店)、《ZAKER》(9.1.4,OPPO软件商店)、《爱聊》(6.0.6,OPPO软件商店)、《附近陌生人欢聊》(3.0.2,OPPO软件商店)、《驾校宝典》(1.12.18,应用宝)、《车来了》(4.67.0,OPPO软件商店)、《爱文漂流瓶》(2.0.3,VIVO应用商店)、《一起作业》(3.8.24.10009,VIVO应用商店)、《扫描全能王》(6.91.0.2507020000,VIVO应用商店)。

10、提前要求用户打开非当前功能所需的可收集个人信息权限。涉及5款移动应用如下:

《万能遥控》(7.1.5,应用宝)、《Nico》(8.32.2,VIVO应用商店)、《陌趣》(1.0.0,应用宝)、《扫描全能王》(6.91.0.2507020000,VIVO应用商店)、《即陌》(1.0.12.2,豌豆荚)。

11、强制要求用户打开非必要的可收集个人信息权限。涉及2款移动应用如下:

《爱文漂流瓶》(2.0.3,VIVO应用商店)、《扫描全能王》(6.91.0.2507020000,VIVO应用商店)。

12、强制要求用户提供非必要的个人信息。涉及2款移动应用如下:

《Nico》(8.32.2,VIVO应用商店)、《爱文漂流瓶》(2.0.3,VIVO应用商店)。

13、广告存在误导、欺骗用户行为。涉及3款移动应用如下:

《随手电筒》(7.0.3,应用宝)、《小伴龙》(10.3.6,小米应用商店)、《Nico》(8.32.2,VIVO应用商店)。

上期通报的公安部计算机信息系统安全产品质量监督检验中心检测发现的45款违法违规移动应用,经复测仍有8款存在问题,相关移动应用分发平台已予以下架。

(注:以上所列移动应用检测时间为2025年6月23日至2025年7月9日)

来源:国家网络安全通报中心

国家网络安全通报中心近期通报33款移动应用因违法违规收集使用个人信息被点名,问题涉及规则不透明、超范围获取敏感数据、强制索取权限及误导性广告等,严重侵害用户隐私。梆梆安全作为网络安全践行者深耕个人信息保护领域多年,深知合规是生命线。

我们建议用户: 优先选择正规应用商店下载,安装前务必细读隐私条款,谨慎授予位置、通讯录等非必要权限。同时呼吁开发者: 严格遵守《网络安全法》《个人信息保护法》,坚守法律红线,做到个人信息收集使用的透明化与最小化。携手共同筑牢个人信息安全屏障!

梆梆安全

Managed ad