Aggregator

A vulnerability classified as critical has been found in Synology DiskStation Manager up to 6.2. This affects an unknown part of the component EZ-Internet. The manipulation of the argument username as part of Parameter leads to command injection. This vulnerability is uniquely identified as CVE-2017-12075. It is possible to initiate the attack remotely. There is no exploit available. It is recommended to upgrade the affected component.

A vulnerability has been found in Synology DiskStation Manager up to 6.2 and classified as critical. This vulnerability affects unknown code of the component Change Password. The manipulation leads to weak password recovery. This vulnerability was named CVE-2018-8916. The attack can be initiated remotely. There is no exploit available. It is recommended to upgrade the affected component.

A vulnerability classified as critical has been found in Synology DiskStation Manager up to 6.2. Affected is an unknown function of the component Random Generator. The manipulation leads to insufficiently random values. This vulnerability is traded as CVE-2018-13280. It is possible to launch the attack remotely. There is no exploit available. It is recommended to upgrade the affected component.

A vulnerability was found in Synology DiskStation Manager up to 6.2 and classified as problematic. This issue affects some unknown processing of the component SYNO.Core.ACL. The manipulation of the argument file_path as part of Parameter leads to information disclosure. The identification of this vulnerability is CVE-2018-13281. The attack may be initiated remotely. There is no exploit available. It is recommended to upgrade the affected component.

A vulnerability was found in Oracle Fujitsu M10-1, Fujitsu M10-4, Fujitsu M10-4S, Fujitsu M12-1, Fujitsu M12-2 and Fujitsu M12-2S Servers. It has been rated as critical. This issue affects some unknown processing of the component NTP. The manipulation leads to improper input validation. The identification of this vulnerability is CVE-2018-7185. The attack may be initiated remotely. There is no exploit available. It is recommended to upgrade the affected component.

A vulnerability has been found in netatalk up to 3.1.11 and classified as critical. Affected by this vulnerability is an unknown functionality of the file dsi_opensess.c. The manipulation leads to out-of-bounds write. This vulnerability is known as CVE-2018-1160. The attack can be launched remotely. Furthermore, there is an exploit available. It is recommended to upgrade the affected component.

公网暴露即被黑？

A vulnerability was found in Synthetic Reality Sympoll 1.5. It has been rated as problematic. Affected by this issue is some unknown functionality of the file index.php. The manipulation of the argument vo leads to basic cross site scripting. This vulnerability is handled as CVE-2003-1175. The attack may be launched remotely. Furthermore, there is an exploit available.

Matrix 首页推荐 Matrix 是少数派的写作社区，我们主张分享真实的产品体验，有实用价值的经验与思考。我们会不定期挑选 Matrix 最优质的文章，展示来自用户的最真实的体验和观点。 文章代表

error code: 521

HackerNews 编译，转载请注明出处： 软件制造商Adobe于周二针对多款产品中的十多个安全缺陷推出了修复措施，并警告称，恶意黑客可以利用这些漏洞发动远程代码执行攻击。 该公司表示，这些漏洞影响了Adobe Photoshop、Substance 3D Stager、iPad版Illustrator、Adobe Animate以及Adobe Substance 3D Designer。 根据Adobe的文档，Photoshop的更新适用于Windows和macOS系统，鉴于通过陷阱文件利用代码执行的风险，用户应尽快安装此更新。 具体细节如下： Adobe Photoshop——此次更新修复了两个关键严重级别的任意代码执行漏洞（CVE-2025-21127和CVE-2025-21122）。 Adobe Substance 3D Stager——此公告记录了五个关键严重级别的内存安全漏洞，这些漏洞可能导致在当前用户上下文中执行任意代码。这些漏洞的CVSS严重级别评分为7.8/10，影响Windows和macOS用户。 iPad版Illustrator——此次更新涵盖了两个独立的内存安全问题，这些问题使Apple iPad用户面临代码执行攻击的风险。两个漏洞均被评为关键级别，CVSS严重级别评分为7.8/10。 Adobe Animate——此次更新修复了一个可能导致任意代码执行漏洞的整数下溢问题。该更新适用于Windows和macOS用户。 Adobe Substance 3D Designer——此次更新包含针对影响所有平台的四个关键内存安全漏洞的补丁。成功利用这些漏洞可能导致在当前用户上下文中执行任意代码。   消息来源：Security Week, 编译：zhongx；  本文由 HackerNews.cc 翻译整理，封面来源于网络；   转载请注明“转自 HackerNews.cc”并附上原文

A vulnerability was found in Johan Cwiklinski Galette 0.63/0.63.1/0.63.2/0.63.3. It has been classified as critical. Affected is an unknown function. The manipulation of the argument id_adh leads to sql injection. This vulnerability is traded as CVE-2012-2338. It is possible to launch the attack remotely. Furthermore, there is an exploit available.

#人工智能 ChatGPT 推出新功能：任务。可以用来设置定时动作，例如每天早上七点半向你发送当日的天气。该功能既可以设置一次性任务也可以设置周期性任务，借助 ChatGPT 网络功能

Brace yourselves... and consider reading your email in plaintext for now

发布时间: 2025-

lucky-draw是什么lucky-draw是一款在线年会抽奖工具，可以用于年会等各种抽奖，支持奖品参数设置、数据导入、奖项设置、人数设置等等，免费无需注册，开箱即用的年会抽奖工具。lucky...

error code: 521

HackerNews 编译，转载请注明出处： 网络威胁行为者正利用FastHTTP Go库，针对全球Microsoft 365账户发起高速暴力破解密码攻击。 近日，事件响应公司SpearTip发现了此次攻击活动，据称攻击始于2024年1月6日，目标直指Azure Active Directory Graph API。 研究人员警告称，这些暴力破解攻击有10%的时间能够成功接管账户。 滥用FastHTTP进行账户接管 FastHTTP是Go编程语言的高性能HTTP服务器和客户端库，专为处理HTTP请求而优化，即使在大量并发连接的情况下也能实现更高的吞吐量、更低的延迟和更高的效率。 在此次攻击活动中，黑客利用FastHTTP创建HTTP请求，自动化尝试未经授权的登录。 SpearTip指出，所有请求均针对Azure Active Directory的终端点，旨在暴力破解密码或反复发送多因素认证（MFA）挑战，以在MFA疲劳攻击中压垮目标。 SpearTip报告称，65%的恶意流量来自巴西，利用广泛的自治系统号（ASN）提供商和IP地址，其次是土耳其、阿根廷、乌兹别克斯坦、巴基斯坦和伊拉克。 研究人员表示，41.5%的攻击失败，21%因保护机制而触发账户锁定，17.7%因违反访问策略（地理位置或设备合规性）而被拒绝，10%受到MFA保护。 这意味着，有9.7%的情况下，威胁行为者成功认证到目标账户，这是一个相当高的成功率。 Microsoft 365账户接管可能导致机密数据泄露、知识产权被盗、服务中断等负面后果。 SpearTip已分享一个PowerShell脚本，管理员可利用该脚本在审核日志中检查是否存在FastHTTP用户代理，从而判断自己是否成为此次攻击的目标。 管理员还可以手动登录Azure门户，导航至“Microsoft Entra ID”→“用户”→“登录日志”，并应用“客户端应用：‘其他客户端’”筛选器来检查用户代理。 如果发现任何恶意活动迹象，建议管理员立即终止用户会话并重置所有账户凭据，审查已注册的MFA设备，并删除未经授权的添加项。 SpearTip报告的底部部分提供了与该攻击活动相关的妥协指标的完整列表。

恭喜上榜白帽黑客荣获2024公益SRC年度证书！速来围观~