Aggregator

一位安全研究人员利用1x1像素图像和CSRF配置错误发现并报告了一个安全漏洞。通过工具进行信息收集和漏洞挖掘后，负责任地披露了该问题。

文章描述了一位安全研究人员通过使用工具抓取目标网站的端点，并利用CSRF配置错误成功发起攻击的过程，展示了负责任漏洞披露的重要性。

How a simple blog comment can hijack your web app. Stored DOM XSS combines the danger of persistent

Stored DOM XSS是一种通过博客评论等持久输入存储恶意脚本，在客户端静默执行的攻击方式，可能导致严重安全风险。

A vulnerability was found in xpeedstudio Wp Social Login and Register Social Counter Plugin up to 3.1.0 on WordPress. It has been rated as problematic. This issue affects the function counter_access_key_setup of the component Setting Handler. The manipulation leads to cross-site request forgery. The identification of this vulnerability is CVE-2025-1506. The attack may be initiated remotely. There is no exploit available.

A vulnerability classified as problematic was found in Tenda RX3 16.03.13.11_multi_TDE01. Affected by this vulnerability is an unknown functionality of the file /goform/SetPptpServerCfg of the component Packet Handler. The manipulation of the argument startIp/endIp leads to denial of service. This vulnerability is known as CVE-2025-29357. The attack can be launched remotely. There is no exploit available.

A vulnerability, which was classified as problematic, was found in transformeroptimus superagi up to 0.0.14. Affected is an unknown function of the file /api/users/get/{id} of the component API Endpoint. The manipulation leads to insufficiently protected credentials. This vulnerability is traded as CVE-2024-9418. It is possible to launch the attack remotely. There is no exploit available.

A vulnerability classified as problematic has been found in binary-husky gpt_academic up to 3.9.0. This affects an unknown part of the file debug_log.html of the component Latex Proof-Reading Module. The manipulation leads to cross site scripting. This vulnerability is uniquely identified as CVE-2025-0183. It is possible to initiate the attack remotely. There is no exploit available.

A vulnerability was found in Vaelsys 4.1.0 and classified as critical. This issue affects some unknown processing of the file /grid/vgrid_server.php of the component User Creation Handler. The manipulation leads to improper authorization. The identification of this vulnerability is CVE-2025-8261. The attack may be initiated remotely. Furthermore, there is an exploit available. The vendor was contacted early about this disclosure but did not respond in any way.

A vulnerability was found in JetBrains TeamCity and classified as problematic. Affected by this issue is some unknown functionality of the component GitHub App Connection Flow. The manipulation leads to cross-site request forgery. This vulnerability is handled as CVE-2025-54528. The attack may be launched remotely. There is no exploit available. It is recommended to upgrade the affected component.

A vulnerability has been found in Vaelsys 4.1.0 and classified as problematic. This vulnerability affects unknown code of the file /grid/vgrid_server.php of the component MD4 Hash Handler. The manipulation of the argument xajaxargs leads to use of weak hash. This vulnerability was named CVE-2025-8260. The attack can be initiated remotely. Furthermore, there is an exploit available. The vendor was contacted early about this disclosure but did not respond in any way.

A vulnerability was found in Tenda RX3 16.03.13.11_multi_TDE01 and classified as problematic. Affected by this issue is some unknown functionality of the file /goform/SetFirewallCfg of the component Packet Handler. The manipulation of the argument firewallEn leads to denial of service. This vulnerability is handled as CVE-2025-29358. The attack may be launched remotely. There is no exploit available.

A vulnerability was found in Tenda RX3 16.03.13.11_multi_TDE01. It has been classified as problematic. This affects an unknown part of the file /goform/saveParentControlInfo of the component Packet Handler. The manipulation of the argument deviceId leads to denial of service. This vulnerability is uniquely identified as CVE-2025-29359. It is possible to initiate the attack remotely. There is no exploit available.

A vulnerability was found in Tenda RX3 16.03.13.11_multi_TDE01. It has been declared as problematic. This vulnerability affects unknown code of the file /goform/SetSysTimeCfg of the component Packet Handler. The manipulation of the argument timeZone leads to denial of service. This vulnerability was named CVE-2025-29360. The attack can be initiated remotely. There is no exploit available.

A vulnerability was found in URI Gem up to 0.11.2/0.12.3/0.13.1/1.0.2 on Ruby. It has been rated as problematic. Affected by this issue is the function URI.join/URI#merge/URI#+. The manipulation leads to improper removal of sensitive information before storage or transfer. This vulnerability is handled as CVE-2025-27221. The attack may be launched remotely. There is no exploit available. It is recommended to upgrade the affected component.

文章介绍了一种无需编码的简单技巧，在15分钟内通过输入奇怪邮件地址赚取500美元漏洞赏金的方法，揭示了开发者常忽略客户端验证的漏洞。

文章介绍了一种简单高效的漏洞赏金获取方法：通过在网站注册表中输入特殊格式的电子邮件地址，利用开发者对客户端验证的疏忽，在15分钟内轻松获得$500奖励。这种方法无需编码知识，适合所有人尝试。

Aditya Sunny发现Linktree存在输入验证绕过漏洞，允许注册带前导空格的用户名。此漏洞可导致身份冒充、钓鱼攻击及信任滥用，在移动端尤为隐蔽。建议Linktree加强后端输入清理及服务器端验证以修复问题。

一位黑客在浏览Facebook广告时发现了一个隐藏的Open Redirect漏洞，并利用它发现了反射型XSS（rXSS）漏洞，在HackerOne上获得了1000美元奖励。整个过程仅耗时8分钟。该漏洞存在于流媒体平台Showmax的安全项目中，该项目已6个月未有报告。

JSON Web Token (JWT) 是一种基于 JSON 的令牌格式，用于身份验证和授权。它由三部分组成：头部（包含元数据）、载荷（包含声明）和签名（用于验证）。广泛应用于 Web 开发中以安全传输信息。