Aggregator

作者在漏洞挖掘中认识到侦察的重要性，指出常见错误如忽视隐藏攻击面、依赖自动化工具和忽略历史数据，并通过分析收购公司遗留系统找到大量漏洞。

Tumblr的Post+系统中发现一个低影响但意外的漏洞：用户可订阅已退出Post+的创作者。该漏洞涉及访问控制和支付流程问题，并最终为报告者带来$100奖励。

作者发现YouTube内部工具Video Builder存在严重授权绕过漏洞，攻击者可修改请求中的channelId参数上传视频至任意频道。该漏洞因后端缺乏授权验证导致，Google已修复并奖励$6,337。

文章描述了一位学生希望破解学校使用的SEATS考勤系统。该系统使用6位数代码进行签到，手动尝试耗时过长（仅15分钟可输入），因此寻求暴力破解方法以快速获取正确代码。

Popular JavaScript libraries eslint-config-prettier and eslint-plugin-prettier were hijacked this week and turned into malware droppers, in a supply chain attack achieved via targeted phishing and credential theft. [...]

Компании падают, как домино — без правил, без жалости, без шанса на спасение.

Currently trending CVE - Hype Score: 29 - OS command injection in Ivanti Endpoint Manager Mobile (EPMM) before version 12.5.0.2,12.4.0.3 and 12.3.0.3 allows a remote authenticated attacker with high privileges to achieve remote code execution

Currently trending CVE - Hype Score: 29 - Remote Code Execution in API component in Ivanti Endpoint Manager Mobile 12.5.0.0 and prior on unspecified platforms allows authenticated attackers to execute arbitrary code via crafted API requests.

Currently trending CVE - Hype Score: 29 - An authentication bypass in the API component of Ivanti Endpoint Manager Mobile 12.5.0.0 and prior allows attackers to access protected resources without proper credentials via the API.

A sophisticated phishing campaign targeting Turkish defense and aerospace enterprises has emerged, delivering a highly evasive variant of the Snake Keylogger malware through fraudulent emails impersonating TUSAŞ (Turkish Aerospace Industries). The malicious campaign distributes files disguised as contractual documents, specifically using the filename “TEKLİF İSTEĞİ – TUSAŞ TÜRK HAVACILIK UZAY SANAYİİ_xlsx.exe” to deceive recipients into […]

The post Snake Keylogger Evades Windows Defender and Scheduled Tasks to Harvest Login Credentials appeared first on Cyber Security News.

文章探讨了如何远程帮助父母使用小米手机的问题。建议包括通过视频通话指导操作、使用小米通话应用进行远程控制或统一手机品牌以简化问题。然而，这些方法各有优缺点，最终建议还是尽量面对面解决问题。

登录tix.qq.com获取更多资讯

文章指出GPT-5可能即将发布，并整合了多个模型的突破；同时OpenAI正在测试名为o3-alpha的新模型，在编码和前端设计方面表现更优。

GPT-5 might be just a few days or weeks away, as we've spotted references to a new model called gpt-5-reasoning-alpha-2025-07-13. [...]

Он шёл, как человек, бил, как боксёр — и упал, как баг.

A sophisticated Chinese threat actor campaign has emerged as one of the most persistent malware distribution operations targeting Chinese-speaking communities worldwide. Since June 2023, this ongoing campaign has established an extensive infrastructure comprising more than 2,800 malicious domains specifically designed to deliver Windows-targeted malware to individuals and entities both within China and internationally. The threat […]

The post Chinese Threat Actors Using 2,800 Malicious Domains to Deliver Windows-Specific Malware appeared first on Cyber Security News.

A vulnerability was found in Codecanyon iDentSoft 2.0. It has been classified as critical. This affects an unknown part of the file /clinica/profile/updateSetting of the component Account Setting Page. The manipulation of the argument photo leads to unrestricted upload. This vulnerability is uniquely identified as CVE-2025-7898. It is possible to initiate the attack remotely. Furthermore, there is an exploit available.

A vulnerability was found in harry0703 MoneyPrinterTurbo up to 1.2.6 and classified as critical. Affected by this issue is the function verify_token of the file app/controllers/base.py of the component API Endpoint. The manipulation leads to missing authentication. This vulnerability is handled as CVE-2025-7897. The attack may be launched remotely. There is no exploit available.

A vulnerability has been found in harry0703 MoneyPrinterTurbo up to 1.2.6 and classified as critical. Affected by this vulnerability is the function download_video/delete_video of the file app/controllers/v1/video.py. The manipulation leads to path traversal. This vulnerability is known as CVE-2025-7896. The attack can be launched remotely. There is no exploit available.