Aggregator

Простой баг стал отправной точкой для масштабной кибератаки.

A vulnerability, which was classified as critical, was found in FAST FW300R 1.3.13. Affected is an unknown function of the component File Path Handler. The manipulation leads to stack-based buffer overflow. This vulnerability is traded as CVE-2024-41285. The attack can only be initiated within the local network. There is no exploit available.

A vulnerability, which was classified as critical, has been found in Tenda AX1806 1.0.0.1. This issue affects the function formGetIptv. The manipulation of the argument iptv.stb.mode leads to stack-based buffer overflow. The identification of this vulnerability is CVE-2024-44553. The attack may be initiated remotely. There is no exploit available.

A vulnerability classified as critical was found in Tenda AX1806 1.0.0.1. This vulnerability affects the function formGetIptv. The manipulation of the argument adv.iptv.stbpvid leads to stack-based buffer overflow. This vulnerability was named CVE-2024-44550. The attack can be initiated remotely. There is no exploit available.

A vulnerability classified as critical has been found in Tenda AX1806 1.0.0.1. This affects the function setIptvInfo. The manipulation of the argument iptv.city.vlan leads to stack-based buffer overflow. This vulnerability is uniquely identified as CVE-2024-44555. It is possible to initiate the attack remotely. There is no exploit available.

A vulnerability was found in Tenda AX1806 1.0.0.1. It has been rated as critical. Affected by this issue is the function formGetIptv. The manipulation of the argument adv.iptv.stballvlans leads to stack-based buffer overflow. This vulnerability is handled as CVE-2024-44552. The attack may be launched remotely. There is no exploit available.

A vulnerability was found in fastapi-admin pro 0.1.4. It has been declared as problematic. Affected by this vulnerability is an unknown functionality. The manipulation of the argument Product Name leads to cross site scripting. This vulnerability is known as CVE-2024-42818. The attack can be launched remotely. There is no exploit available.

A vulnerability was found in Tenda AX1806 1.0.0.1. It has been classified as critical. Affected is the function formGetIptv. The manipulation of the argument iptv.city.vlan leads to stack-based buffer overflow. This vulnerability is traded as CVE-2024-44551. It is possible to launch the attack remotely. There is no exploit available.

A vulnerability was found in gVectors Team wpForo Forum Plugin up to 2.3.4 on WordPress and classified as problematic. This issue affects some unknown processing. The manipulation leads to information disclosure. The identification of this vulnerability is CVE-2024-43289. The attack may be initiated remotely. There is no exploit available.

A vulnerability has been found in Tenda AX1806 1.0.0.1 and classified as critical. This vulnerability affects the function setIptvInfo. The manipulation of the argument iptv.stb.mode leads to stack-based buffer overflow. This vulnerability was named CVE-2024-44557. The attack can be initiated remotely. There is no exploit available.

A vulnerability, which was classified as critical, was found in Tenda AX1806 1.0.0.1. This affects the function formGetIptv. The manipulation of the argument iptv.stb.port leads to stack-based buffer overflow. This vulnerability is uniquely identified as CVE-2024-44549. It is possible to initiate the attack remotely. There is no exploit available.

The Dutch Data Protection Authority (Autoriteit Persoonsgegevens, AP) has imposed a fine of  €290,000,000 ($325 million) on Uber Technologies Inc. and Uber B.V. over GDPR violations. [...]

Versa Networks has fixed a zero-day vulnerability exploited in the wild that allows attackers to upload malicious files by exploiting an unrestricted file upload flaw in the Versa Director GUI. [...]

Взлом защищённых систем – лишь начало хитроумной игры хакеров.

法国总统马克龙（Emmanuel Macron）周一表示，周六晚上对 Telegram 创始人兼 CEO Pavel Durov 的逮捕不涉及政治动机。Durov 是在乘坐私人飞机抵达巴黎之后被拘留的。马克龙称，对 Telegram CEO 的逮捕是正在进行的调查的一部分，由法官决定，无关政治。整个行动是由司法部门和调查人员处理的。Pavel Durov 目前仍然处于警方拘留状态。Telegram 被控与贩毒、恐怖主义和网络霸凌等一系列事件相关。Telegram 则发表声明声称该公司遵守欧盟法律。马克龙表示，在一个法治国家，无论是在社交网络还是在现实生活中，自由都是在法律建立的框架内行使的，以保护公民并尊重其基本权利。司法系统是独立的执行法律。

Обвинения против Дурова ставят платформу под угрозу закрытия.

Texas Credit Union Only Just Notifying 500,000 Members About May 2023 Data Theft
Fifteen months after a massive supply-chain attack hit users of MOVEit secure file-transfer software, Texas Dow Employees Credit Union has issued a data breach notification pertaining to 500,474 victims, saying it only discovered last month their personally identifiable information got stolen.

SecWiki周刊（第547期) by ourren

在野漏洞的应急响应流程 by 洞源实验室

更多最新文章，请访问SecWiki

Загадочный AI-браузер готовится к выходу.

尽管美国的制裁旨在限制中国在 AI 上取得进展，但中国科技巨头今年在 AI 基础设施上大举投资，资本支出翻了一番。阿里巴巴、腾讯和百度今年上半年合计资本支出 500 亿元人民币，而去年同期为 230 亿元人民币。这几家集团表示，支出重点是购买处理器和基础设施，为 AI 的大型语言模型训练提供支持，包括它们自己的模型和其他公司的模型。TikTok 母公司字节跳动也增加了 AI 支出，它是非上市公司，不受投资者审查，拥有逾 500 亿美元现金储备。阿里巴巴上半年资本支出 230 亿元人民币，比去年同期增长 123%。尽管美国限制向中国出售最先进的 AI 芯片，但中国科技公司正大量采购允许出口的芯片如英伟达的 H20。英伟达未来几个月将向中国公司出口逾百万个价格在 1.2-1.3 万美元的 AI 芯片，它主要的客户是字节跳动。字节跳动除了购买 H20 用于中国的数据中心，还在马来西亚的 Johor 与合作伙伴建造数据中心。腾讯今年上半年资本支出 230 亿元人民币，同比增长 176%。百度的 AI 支出相当克制，它上半年支出 42 亿元人民币，同比增长 4%。