A vulnerability was found in Pocketmags Classic Racer. It has been rated as critical. Affected by this issue is some unknown functionality of the component X.509 Certificate Handler. The manipulation leads to cryptographic issues.
This vulnerability is handled as CVE-2014-7535. The attack needs to be done within the local network. There is no exploit available.
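Professor Geoffrey E. Hinton of the University of Toronto in Canada was awarded the 2024 Nobel Prize in Physics for his foundational work on AI neural networks; his work in AI has also earned him the nickname "Godfather of AI". In a speech on Tuesday he singled out one student for praise, former OpenAI chief scientist Ilya Sutskever, for taking part in the move to fire CEO Sam Altman. Professor Hinton said: "I am especially lucky to have had many very smart students, smarter than me, who did the real work. They have all gone on to outstanding achievements. I am especially proud that one of those students fired Sam Altman." The OpenAI board, on which Ilya Sutskever sat, decided late last year to fire the CEO of the red-hot AI startup, but the move ultimately did not succeed: Sam Altman was reinstated as CEO, and the main participants, including Sutskever, all left OpenAI within a year.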
A vulnerability was found in Mycfnuke Cf Nuke up to 4.6. It has been rated as problematic. This issue affects some unknown processing of the file index.cfm. The manipulation of the argument cat leads to basic cross site scripting.
The identification of this vulnerability is CVE-2005-4075. The attack may be initiated remotely. Furthermore, there is an exploit available.
Critical Infrastructure Firms Are Hiring - and Paying Well
As digital transformation continues to reshape industries, the convergence of operational technology and cybersecurity has emerged as a critical area of focus. But there's a noticeable gap in the workforce. Professionals who truly understand both OT and cybersecurity are in short supply.
Justice Department Aiming to Emphasize Privacy and Security in AI Deployment
The U.S. Department of Justice is drafting new guidelines for law enforcement on the use of artificial intelligence and facial recognition tools to enhance public safety while safeguarding civil rights and ensuring ethical deployment, a senior official said Wednesday.
WestCap-Led Funding to Drive Click-Fraud Protection, Ad Integrity Expansion
Human Security's recent $50 million growth funding, led by WestCap, will drive the development of click-fraud defense and enhance advertising integrity solutions. CEO Stu Solomon aims to leverage the funding for scaling the engineering and data science teams, addressing emerging fraud threats.
Hotel Chain Also Settles with Federal Trade Commission
The world's largest hotel chain agreed Wednesday to pay $52 million and agree to two decades of third-party monitoring of its cybersecurity program to settle a rash of data breaches affecting millions of guests. The multi-million payout is part of a settlement reached with 50 U.S. attorneys general.
Cyber Bill Says the Government Can't Use Information to Prosecute Victims
Ransom payments are typically tightly held secrets between cybercriminals and their victims, but the Australian government has introduced a cybersecurity bill in Parliament that would require larger businesses to report ransom payments to the government.
A vulnerability was found in libarchive up to 3.7.4 and classified as problematic. Affected by this issue is the function execute_filter_delta of the file archive_read_support_format_rar.c. The manipulation leads to out-of-bounds read.
This vulnerability is handled as CVE-2024-48958. The attack can only be initiated within the local network. There is no exploit available.
It is recommended to upgrade the affected component.
A vulnerability has been found in libarchive up to 3.7.4 and classified as problematic. Affected by this vulnerability is the function execute_filter_audio of the file archive_read_support_format_rar.c. The manipulation leads to out-of-bounds read.
This vulnerability is known as CVE-2024-48957. The attack can only be done within the local network. There is no exploit available.
It is recommended to upgrade the affected component.
A vulnerability, which was classified as problematic, was found in Fortra Robot Schedule Enterprise Agent up to 3.04. Affected is an unknown function of the component FTP. The manipulation leads to sensitive information in log files.
This vulnerability is traded as CVE-2024-8264. The attack needs to be approached locally. There is no exploit available.
It is recommended to upgrade the affected component.
A vulnerability, which was classified as problematic, has been found in Elliptic Package up to 6.5.5 on Node.js. This issue affects the function verify in the library lib/elliptic/eddsa/index.js. The manipulation leads to Privilege Escalation.
The identification of this vulnerability is CVE-2024-48949. Access to the local network is required for this attack to succeed. There is no exploit available.
It is recommended to upgrade the affected component.
A vulnerability classified as problematic was found in LemonLDAP::NG up to 2.19.2. This vulnerability affects unknown code of the component Login Page. The manipulation of the argument username leads to cross site scripting.
This vulnerability was named CVE-2024-48933. The attack can be initiated remotely. There is no exploit available.
It is recommended to upgrade the affected component.
A vulnerability classified as problematic has been found in Syracom Secure Login Plugin up to 3.1.4.5 on Jira/Confluence/Bitbucket. This affects an unknown part of the file plugins/servlet/twofactor/public/pinvalidation of the component 2FA PIN Handler. The manipulation leads to improper restriction of excessive authentication attempts.
This vulnerability is uniquely identified as CVE-2024-48942. It is possible to initiate the attack remotely. There is no exploit available.
A vulnerability was found in Syracom Secure Login Plugin up to 3.1.4.5 on Jira. It has been rated as critical. Affected by this issue is some unknown functionality of the file /rest. The manipulation leads to improper access controls.
This vulnerability is handled as CVE-2024-48941. The attack may be launched remotely. There is no exploit available.
A vulnerability was found in open-webui up to 0.3.8. It has been declared as critical. Affected by this vulnerability is an unknown functionality of the file /api/v1/documents/ of the component API Endpoint. The manipulation leads to improper privilege management.
This vulnerability is known as CVE-2024-7048. The attack can be launched remotely. There is no exploit available.
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Wednesday added a critical security flaw impacting Fortinet products to its Known Exploited Vulnerabilities (KEV) catalog, citing evidence of active exploitation.
The vulnerability, tracked as CVE-2024-23113 (CVSS score: 9.8), relates to a case of remote code execution that affects FortiOS, FortiPAM, FortiProxy, and FortiWeb.
"A