Aggregator

CISA released the third edition of SBOM guidelines to enhance software component transparency

安全专家表示，威胁检测工具产生太多误报，导致倦怠。

今日暂未更新资讯~
更多最新文章，请访问SecWiki

根据国家信息安全漏洞库（CNNVD）统计，本周（2024年10月7日至2024年10月13日）安全漏洞情况如下。

A vulnerability was found in Booking.com Banner Creator Plugin up to 1.4.6 on WordPress and classified as problematic. This issue affects some unknown processing. The manipulation leads to cross site scripting. The identification of this vulnerability is CVE-2024-49265. The attack may be initiated remotely. There is no exploit available.

A vulnerability has been found in Thimo Grauerholz WP-Spreadplugin Plugin up to 4.8.9 on WordPress and classified as problematic. This vulnerability affects unknown code. The manipulation leads to cross site scripting. This vulnerability was named CVE-2024-49266. The attack can be initiated remotely. There is no exploit available.

A vulnerability, which was classified as critical, was found in Docker Desktop up to 4.34.2. This affects an unknown part of the component Build View. The manipulation leads to improper input validation. This vulnerability is uniquely identified as CVE-2024-9348. It is possible to initiate the attack remotely. There is no exploit available. It is recommended to upgrade the affected component.

A vulnerability, which was classified as problematic, has been found in nayon46 Unlimited Addon for Elementor Plugin up to 2.0.0 on WordPress. Affected by this issue is some unknown functionality. The manipulation leads to cross site scripting. This vulnerability is handled as CVE-2024-49267. The attack may be launched remotely. There is no exploit available.

A vulnerability classified as very critical has been found in Adobe Flash Player up to 21.0.0.213 on Windows. This affects an unknown part. The manipulation leads to memory corruption. This vulnerability is uniquely identified as CVE-2016-4114. It is possible to initiate the attack remotely. There is no exploit available. It is recommended to apply a patch to fix this issue.

在订阅服务遍地的时代，订阅一项服务本身是十分简单的，然而取消订阅却是众所周知的繁琐。现在，FTC 终于决定对此类做法进行打击。它宣布了 click-to-cancel 规定的最终稿，要求让消费者能像注册一样轻松取消订阅。其大部分条款将在《Federal Register》上公布 180 天后生效。FTC 主席 Lina M. Khan 表示，该机构的规定将让美国人节省时间和金钱，没人应为其不再需要的服务付费。

美国联邦和州政府已发布至少十余个漏洞奖励计划

给予警告，并处以罚款行政处罚

A vulnerability classified as problematic has been found in McAfee Asset Manager 6.6. This affects an unknown part. The manipulation of the argument reportFileName leads to path traversal. This vulnerability is uniquely identified as CVE-2014-2588. It is possible to initiate the attack remotely. Furthermore, there is an exploit available.

Google 的内部分析估计，四分之三的 0day 漏洞利用属于内存安全漏洞。为了减少此类漏洞，Google 多年来一直在推动使用内存安全语言，减少内存不安全代码的风险。它没有试图用内存安全语言完全重写相关的成熟代码，而是在新代码开发中尽可能的使用内存安全语言。它正将高性能内存安全语言 Rust 的使用范围从 Android 扩大到服务器、应用程序和嵌入式生态系统中。它在 Android 的网络、固件和图形堆栈部分使用了包括 Rust 在内的内存安全语言，过去几年 Android 系统报告的内存安全漏洞显著减少，从 2019 年的 220 多个降至今年年底的大约 36 个。这一结果证明了其战略转移的有效性。

CA/B testing: Ludicrous proposal draws ire from “furious” systems administrators.

The post Apple Enrages IT — 45-Day Cert Expiration Fury appeared first on Security Boulevard.

Fortinet has made generally available a version of the CNAPP it gained that is now integrated with the Fortinet Security Fabric, an orchestration framework the company developed to centralize the management of its cybersecurity portfolio.

The post Fortinet Integrates Lacework CNAPP into Cybersecurity Portfolio appeared first on Security Boulevard.

A new Bugcrowd study shows 71% of ethical hackers now see AI boosting hacking value, up from 21% in 2023