Aggregator

A vulnerability classified as critical has been found in GitLab Community Edition and Enterprise Edition up to 17.8.6/17.9.5/17.10.3. Affected is an unknown function of the component CI Pipeline Export Handler. The manipulation leads to allocation of resources. This vulnerability is traded as CVE-2025-1677. It is possible to launch the attack remotely. There is no exploit available. It is recommended to upgrade the affected component.

A vulnerability was found in GitLab Community Edition and Enterprise Edition up to 17.8.6/17.9.5/17.10.3 and classified as problematic. Affected by this issue is some unknown functionality. The manipulation leads to improper restriction of rendered ui layers. This vulnerability is handled as CVE-2025-0362. The attack may be launched remotely. There is no exploit available. It is recommended to upgrade the affected component.

A vulnerability was found in themefusecom Brizy Plugin up to 2.6.14 on WordPress. It has been classified as problematic. This affects an unknown part. The manipulation leads to cross site scripting. This vulnerability is uniquely identified as CVE-2025-32198. It is possible to initiate the attack remotely. There is no exploit available.

一个黑客社区，帮助新手成长为专家，提供技能学习和交流平台。

本文详细介绍了柜机和挂机空调的选购指南，包括匹数选择、外机散热技术、APF能效等级等关键参数，并推荐了小米、华凌、海尔等品牌的优质产品。

1.Qilin勒索团伙公布了新的受害者 2.Play勒索团伙公布新的受害公司 3.INC Ransom勒索团伙公布新的受害公司

当前环境异常，需完成验证后继续访问。

A vulnerability was found in Google Android. It has been declared as critical. This vulnerability affects the function tun_get_user of the file tun.c. The manipulation leads to memory corruption. This vulnerability was named CVE-2021-0342. It is possible to launch the attack on the local host. There is no exploit available. It is recommended to apply a patch to fix this issue.

A vulnerability classified as critical was found in MediaWiki up to 1.36.1 on Special:Search. This vulnerability affects unknown code of the component Search Result Handler. The manipulation leads to cross site scripting. This vulnerability was named CVE-2021-41798. The attack can be initiated remotely. Furthermore, there is an exploit available. It is recommended to upgrade the affected component.

A vulnerability was found in Linux Kernel up to 5.10.139/5.15.63/5.19.5. It has been declared as problematic. This vulnerability affects the function tnum_range of the component bpf. The manipulation leads to out-of-bounds read. This vulnerability was named CVE-2022-49985. The attack needs to be initiated within the local network. There is no exploit available. It is recommended to upgrade the affected component.

A vulnerability was found in Oracle MySQL Server up to 8.0.21 and classified as critical. Affected by this issue is some unknown functionality of the component PS. The manipulation leads to denial of service. This vulnerability is handled as CVE-2020-14786. The attack may be launched remotely. There is no exploit available. It is recommended to upgrade the affected component.

A vulnerability was found in Linux Kernel up to 5.15.60/5.18.17/5.19.1. It has been rated as critical. This issue affects the function remove of the component soundwire. The manipulation leads to null pointer dereference. The identification of this vulnerability is CVE-2022-50144. Access to the local network is required for this attack to succeed. There is no exploit available. It is recommended to upgrade the affected component.

A vulnerability, which was classified as problematic, has been found in MediaWiki up to 1.35.7/1.37.4/1.38.2. This issue affects some unknown processing. The manipulation of the argument HTMLUserTextField leads to information disclosure. The identification of this vulnerability is CVE-2022-41765. The attack needs to be approached within the local network. There is no exploit available. It is recommended to upgrade the affected component.

A vulnerability has been found in Linux Kernel up to 6.1.6 and classified as critical. This vulnerability affects unknown code of the component arm-smmu. The manipulation leads to null pointer dereference. This vulnerability was named CVE-2022-48895. Access to the local network is required for this attack to succeed. There is no exploit available. It is recommended to upgrade the affected component.

喜 报我刊入选中国科学引文数据库(Chinese Science Citation Database，简称C

HackerNews 编译，转载请注明出处： 应用安全公司PortSwigger研究主管詹姆斯·凯特尔（James Kettle）在周三举行的黑帽大会上公布了一种新型攻击方法。凯特尔与多名研究人员（包括漏洞赏金猎人团队）合作，识别受影响机构并告知其风险。 HTTP请求走私（亦称去同步攻击）利用Web服务器处理HTTP请求时的解析差异，使攻击者能将恶意请求“夹带”在合法请求中。该问题源于服务器（通常是充当负载均衡器或代理的前端服务器，与托管网站的后端服务器）如何界定HTTP请求结束及下一请求开始的位置。 攻击者可构造特殊请求，使其通过前端服务器转发至后端服务器，并诱使后端服务器误判该请求长度小于实际值，导致请求的残留部分滞留于连接缓冲区，并附加到后续请求中。攻击者可精心设计请求，确保恶意片段残留在连接缓冲区中，并附加到紧随其后的合法用户请求上。此类请求可被用于窃取受害者会话、将受害者重定向至虚假（钓鱼）网站、污染Web缓存以诱导服务器存储恶意页面并分发给其他用户。 HTTP请求走私漏洞存在已逾二十年，自2016年以来至少发现六种新变体。凯特尔发现的新变体利用HTTP/1.1协议弱点，涉及名为0.CL（CL.0的变种）的攻击手法。 凯特尔等人识别出多台受影响服务器，包括T-Mobile非生产服务器（该公司为此支付1.2万美元漏洞赏金）、暴露漏洞赏金报告提交内容的GitLab服务器（支付7000美元赏金）以及Netlify的CDN系统。研究人员随后发现多数目标使用Akamai的CDN服务，进一步分析证实根本原因在于Akamai基础设施漏洞。该公司将漏洞编号为CVE-2025-32094并迅速启动修复。Akamai支付9000美元赏金，并于周三发布技术细节博文。 凯特尔指出，此攻击导致几乎所有使用Akamai的企业（包括科技巨头、美国政府机构和SaaS提供商）面临用户凭证大规模泄露风险。Cloudflare也受到另一类基于HTTP/1.1弱点的请求走私攻击影响。研究人员发现，攻击者可操控受Cloudflare保护的数百万网站访问者重定向至其控制的站点。Cloudflare紧急修复该漏洞并支付7000美元赏金，同时发布博文详述问题及解决方案。 研究人员总计向数十家企业报告发现，获得漏洞赏金共27.6万美元。凯特尔在周三发布的博文中呼吁行业尽快从HTTP/1.1迁移至HTTP/2+协议，以从根本上解决此类攻击所依赖的协议缺陷。       消息来源：securityweek； 本文由 HackerNews.cc 翻译整理，封面来源于网络； 转载请注明“转自 HackerNews.cc”并附上原文

文章描述了一个错误代码（521）的情况，通常与Cloudflare服务相关，表示服务器暂时无法提供服务。

A vulnerability was found in Microsoft Exchange Server and classified as critical. This issue affects some unknown processing. The manipulation leads to improper authentication. The identification of this vulnerability is CVE-2025-53786. The attack may be initiated remotely. There is no exploit available. It is recommended to upgrade the affected component.

A vulnerability was found in libgcrypt and classified as problematic. Affected by this issue is some unknown functionality of the component RSA. The manipulation leads to observable timing discrepancy. This vulnerability is handled as CVE-2024-2236. The attack may be launched remotely. There is no exploit available.

微软和GitHub更新Visual Studio Code，加入GPT-5预览版功能，帮助开发者使用OpenAI旗舰模型编码。目前仅限GitHub Copilot付费用户使用，企业订阅需IT管理员批准。