A week in security (July 28 – August 3)
OpenAI移除对话搜索功能;特朗普政府推动医疗数据自愿上传;佛州监狱泄露访客信息;骗子利用错误短信诱骗;苹果修复29个安全漏洞。
Aggregator
实战指“北” | 2025 CSOP北京站议程揭晓
1 month 1 week ago
2025年8月21日,CSOP 北京站议程公开!
Microsoft PlayReady DRM Used by Netflix, Amazon, and Disney+ Leaked Online
1 month 1 week ago
A significant security breach has compromised Microsoft’s PlayReady Digital Rights Management (DRM) system, exposing critical certificates that protect premium streaming content across major platforms including Netflix, Amazon Prime Video, and Disney+. The leak, which surfaced on GitHub through an account named “Widevineleak,” has triggered immediate responses from both Microsoft and affected streaming services, highlighting the […]
The post Microsoft PlayReady DRM Used by Netflix, Amazon, and Disney+ Leaked Online appeared first on Cyber Security News.
Tushar Subhra Dutta
Cursor IDE: Arbitrary Data Exfiltration Via Mermaid (CVE-2025-54132)
1 month 1 week ago
文章描述了AI代码编辑器Cursor中的一个数据外泄漏洞:通过Mermaid图表渲染功能,攻击者可窃取用户记忆或API密钥。作者展示了两个演示案例,并最终修复了该问题(CVE-2025-54132)。
Cursor IDE: Arbitrary Data Exfiltration Via Mermaid (CVE-2025-54132)
1 month 1 week ago
Cursor is a popular AI code editor. In this post I want to share how I found an interesting data exfiltration issue, the demo exploits built and how it got fixed.
When using Cursor I noticed that it can render Mermaid diagrams.
Cursor Renders Mermaid Diagrams If you are not familiar with Mermaid, it has a simple syntax:
graph TD User --> Computer This will create a diagram as follows:
NIS 2 e multicompliance: strategie integrate per la cyber security aziendale
1 month 1 week ago
NIS 2指令通过整合网络安全与数据保护要求,推动企业从分散合规转向整体治理策略。结合GDPR、AI Act和Cyber Resilience Act等法规,企业需优化资源管理、提升风险评估能力,并构建统一框架以应对多法规挑战。
CrowdStrike investigated 320 North Korean IT worker cases in the past year
1 month 1 week ago
Threat hunters saw North Korean operatives almost daily, reflecting a 220% year-over-year increase in activity, CrowdStrike said in a new report.
The post CrowdStrike investigated 320 North Korean IT worker cases in the past year appeared first on CyberScoop.
Matt Kapko
浅谈威胁情报技术
1 month 1 week ago
当前环境异常,需完成验证后方可继续访问。
浅谈威胁情报技术
1 month 1 week ago
/r/ReverseEngineering's Weekly Questions Thread
1 month 1 week ago
为减少噪音,社区关闭自我发帖,改为每周统一问题线程,并建议特定工具或目标相关问题转至StackExchange或r/AskReverseEngineering.
守护孩子的天马行空:美术专业就能做好幼儿美育启蒙吗?
1 month 1 week ago
文章探讨了专业美术背景者在幼儿美育启蒙中的挑战与反思。指出专业美术注重技法与结果,而启蒙更关注孩子的想象力、表达与情感体验。强调父母应支持孩子自由创作,避免用成人标准干预其创作过程,并通过引导帮助孩子发现与表达对世界的认知与感受。
CVE-2025-8529 | cloudfavorites favorites-web up to 1.3.0 CollectController.java getCollectLogoUrl url server-side request forgery (Issue 134)
1 month 1 week ago
A vulnerability classified as critical was found in cloudfavorites favorites-web up to 1.3.0. Affected by this vulnerability is the function getCollectLogoUrl of the file app/src/main/java/com/favorites/web/CollectController.java. The manipulation of the argument url leads to server-side request forgery.
This vulnerability is known as CVE-2025-8529. The attack can be launched remotely. Furthermore, there is an exploit available.
vuldb.com
CVE-2025-8528 | Exrick xboot up to 3.3.4 getMenuList sensitive information in a cookie (Issue 69)
1 month 1 week ago
A vulnerability classified as problematic has been found in Exrick xboot up to 3.3.4. Affected is an unknown function of the file /xboot/permission/getMenuList. The manipulation leads to cleartext storage of sensitive information in a cookie.
This vulnerability is traded as CVE-2025-8528. It is possible to launch the attack remotely. Furthermore, there is an exploit available.
vuldb.com
CVE-2025-8527 | Exrick xboot up to 3.3.4 Swagger SecurityController.java loginUrl server-side request forgery
1 month 1 week ago
A vulnerability was found in Exrick xboot up to 3.3.4. It has been rated as critical. This issue affects some unknown processing of the file xboot-fast/src/main/java/cn/exrick/xboot/modules/base/controller/common/SecurityController.java of the component Swagger. The manipulation of the argument loginUrl leads to server-side request forgery.
The identification of this vulnerability is CVE-2025-8527. The attack may be initiated remotely. Furthermore, there is an exploit available.
vuldb.com
CVE-2025-8526 | Exrick xboot up to 3.3.4 UploadController.java upload File unrestricted upload (Issue 71)
1 month 1 week ago
A vulnerability was found in Exrick xboot up to 3.3.4. It has been declared as critical. This vulnerability affects the function Upload of the file xboot-fast/src/main/java/cn/exrick/xboot/modules/base/controller/common/UploadController.java. The manipulation of the argument File leads to unrestricted upload.
This vulnerability was named CVE-2025-8526. The attack can be initiated remotely. Furthermore, there is an exploit available.
vuldb.com
CVE-2025-8525 | Exrick xboot up to 3.3.4 Spring Boot Admin/Spring Actuator information disclosure (Issue 72)
1 month 1 week ago
A vulnerability was found in Exrick xboot up to 3.3.4. It has been classified as problematic. This affects an unknown part of the component Spring Boot Admin/Spring Actuator. The manipulation leads to information disclosure.
This vulnerability is uniquely identified as CVE-2025-8525. It is possible to initiate the attack remotely. Furthermore, there is an exploit available.
vuldb.com
Submit #622176: cloudfavorites https://github.com/cloudfavorites/favorites-web <=1.3.0 SSRF [Accepted]
1 month 1 week ago
Submit #622176 / VDB-318655
ZAST.AI
2024 年国际 C语言混乱代码大赛公布获奖结果
1 month 1 week ago
2024 年第 28 届国际 C 语言混乱代码大赛(IOCCC, The International Obfuscated C Code Contest)公布了获奖作品,其中包括 OpenRISC 32 位 CPU 模拟器、能运行 Doom 的虚拟机,号称世界最小的大模型推理引擎(基于 70 亿参数的 Meta 开源模型 LLaMA 2),等等。IOCCC 是一项国际程序设计赛事,旨在写出最有创意和最让人难以理解的 C 语言代码。从 1984 年开始,该赛事基本每年举办一次,但有过多次中断,IOCCC28 是为了纪念比赛创办 40 周年。
Submit #622175: Exrick https://github.com/Exrick/xboot <=3.3.4 User's Sensitive Information is included in Cookies [Accepted]
1 month 1 week ago
Submit #622175 / VDB-318654
ZAST.AI
Submit #622174: Exrick https://github.com/Exrick/xboot <=3.3.4 SSRF [Accepted]
1 month 1 week ago
Submit #622174 / VDB-318653
ZAST.AI