Aggregator

Submit #784464 / VDB-355390

Submit #784463 / VDB-355389

Currently trending CVE - Hype Score: 1 - Vite, a provider of frontend development tooling, has a vulnerability in versions prior to 6.2.3, 6.1.2, 6.0.12, 5.4.15, and 4.5.10. `@fs` denies access to files outside of Vite serving allow list. Adding `?raw??` or `?import&raw??` to the URL bypasses this limitation and ...

Submit #784462 / VDB-355388

A vulnerability labeled as problematic has been found in zephyrproject-rtos Zephyr up to 4.3. This impacts the function tcp_recv of the component TCP Connection Handler. The manipulation results in null pointer dereference. This vulnerability is identified as CVE-2026-5590. The attack can be executed remotely. There is not any exploit available.

Преподаватели бессильны перед тихим цифровым прогрессом.

嗯，用户让我帮忙总结一下这篇文章的内容，控制在一百个字以内，而且不需要用“文章内容总结”或者“这篇文章”这样的开头。直接写描述就行。 首先，我得仔细阅读文章内容。文章讲的是俄罗斯打击VPN行为导致银行系统瘫痪。看起来是因为监管机构调整防火墙策略失误，导致过滤系统过载，无法处理正常流量。银行依赖VPN进行加密连接，所以被拦截后ATM机无法取款，支付方式只能用现金。 接下来，我需要提取关键信息：俄罗斯打击VPN、银行系统瘫痪、ATM机无法取款、现金支付为主、监管机构调整防火墙策略失误导致过载。这些是主要点。 然后，我要把这些信息浓缩成一句话，不超过一百个字。要确保涵盖事件原因和影响。 可能的结构是：俄罗斯打击VPN导致银行系统瘫痪，ATM无法取款，现金支付为主。原因是监管机构调整防火墙策略失误，导致过滤系统过载。 检查一下字数是否在限制内，并且表达清晰。这样应该能满足用户的需求。 俄罗斯因打击VPN行为导致全国银行系统瘫痪，ATM机无法取款，支付方式仅限现金。此事件系监管机构调整防火墙策略失误引发过滤系统过载所致。

Cybersecurity researchers have discovered 36 malicious packages in the npm registry that are disguised as Strapi CMS plugins but come with different payloads to facilitate Redis and PostgreSQL exploitation, deploy reverse shells, harvest credentials, and drop a persistent implant. "Every package contains three files (package.json, index.js, postinstall.js), has no description, repository,

好的，我现在需要帮用户总结这篇文章的内容，控制在100字以内。首先，我得快速浏览文章，抓住主要信息。 文章讲的是网络安全研究人员发现了36个恶意npm包，伪装成Strapi CMS插件。这些包有不同的payload，用于攻击Redis和PostgreSQL，部署反向shell，收集凭证等。包名都以“strapi-plugin-”开头，看起来像官方插件。恶意代码在postinstall脚本中执行，不需要用户交互。 接下来是攻击的阶段：从Redis RCE到Docker逃逸，再到侦察、数据收集、数据库访问和持久访问。这些攻击可能针对加密货币平台。同时提到了其他供应链攻击的例子，如GitHub和npm的恶意包。 最后提到软件供应链攻击已成为主要威胁，攻击者利用可信供应商和开源软件来扩大影响。 现在我要把这些要点浓缩到100字以内：恶意npm包伪装成Strapi插件，包含恶意payload用于攻击Redis/PostgreSQL、部署反向shell、收集凭证等。包名类似官方插件，通过postinstall脚本执行。攻击者从激进手段转向侦察和数据收集，最终实现持久访问。这可能是一起针对加密货币平台的定向攻击。 研究人员发现36个伪装成Strapi CMS插件的恶意npm包，包含针对Redis和PostgreSQL的漏洞利用、反向shell部署、凭证收集及持久化植入等payload。这些包通过相似命名迷惑开发者，并利用postinstall脚本在安装时自动执行恶意代码。攻击者从激进手段转向侦察与数据收集，并最终实现持久化访问。这可能是一起针对加密货币平台的定向攻击。

Взломщики нашли способ задеть за живое каждого.

A vulnerability, which was classified as problematic, was found in Apple visionOS. This vulnerability affects unknown code of the component iFrame Handler. Executing a manipulation can lead to permissive cross-domain policy with untrusted domains. This vulnerability is registered as CVE-2024-44187. It is possible to launch the attack remotely. No exploit is available. You should upgrade the affected component.

A vulnerability has been found in Apple iOS and iPadOS and classified as problematic. This issue affects some unknown processing of the component iFrame Handler. The manipulation leads to permissive cross-domain policy with untrusted domains. This vulnerability is documented as CVE-2024-44187. The attack can be initiated remotely. There is not any exploit available. The affected component should be upgraded.

A vulnerability was found in Apple watchOS and classified as problematic. Impacted is an unknown function of the component iFrame Handler. The manipulation results in permissive cross-domain policy with untrusted domains. This vulnerability is reported as CVE-2024-44187. The attack can be launched remotely. No exploit exists. It is suggested to upgrade the affected component.

A vulnerability was found in Apple Safari. It has been classified as problematic. The affected element is an unknown function of the component iFrame Handler. This manipulation causes permissive cross-domain policy with untrusted domains. This vulnerability appears as CVE-2024-44187. The attack may be initiated remotely. There is no available exploit. Upgrading the affected component is recommended.

A vulnerability, which was classified as critical, was found in Apple macOS up to 13.6/14.6. The affected element is an unknown function of the component File Handler. The manipulation results in path traversal. This vulnerability is cataloged as CVE-2024-44190. The attack must be initiated from a local position. There is no exploit available. You should upgrade the affected component.

A vulnerability classified as critical was found in Apple Xcode. The impacted element is an unknown function of the component Bluetooth. The manipulation results in improper authorization. This vulnerability is identified as CVE-2024-44191. The attack is only possible with local access. There is not any exploit available. Upgrading the affected component is advised.

A vulnerability, which was classified as critical, has been found in Apple macOS. This affects an unknown function of the component Bluetooth. This manipulation causes improper authorization. This vulnerability is tracked as CVE-2024-44191. The attack is restricted to local execution. No exploit exists. It is advisable to upgrade the affected component.

A vulnerability, which was classified as critical, was found in Apple tvOS. This impacts an unknown function of the component Bluetooth. Such manipulation leads to improper authorization. This vulnerability is listed as CVE-2024-44191. The attack must be carried out locally. There is no available exploit. You should upgrade the affected component.

A vulnerability has been found in Apple visionOS and classified as critical. Affected is an unknown function of the component Bluetooth. Performing a manipulation results in improper authorization. This vulnerability is cataloged as CVE-2024-44191. The attack must be initiated from a local position. There is no exploit available. The affected component should be upgraded.

A vulnerability was found in Apple iOS and iPadOS and classified as critical. Affected by this vulnerability is an unknown functionality of the component Bluetooth. Executing a manipulation can lead to improper authorization. This vulnerability is registered as CVE-2024-44191. The attack needs to be launched locally. No exploit is available. It is suggested to upgrade the affected component.