Aggregator

A vulnerability has been found in servo rust-url 0.x and classified as problematic. This vulnerability affects unknown code. The manipulation leads to improper validation of unsafe equivalence in input. This vulnerability was named CVE-2024-12224. The attack can be initiated remotely. There is no exploit available. It is recommended to upgrade the affected component.

A vulnerability, which was classified as problematic, was found in Apple macOS up to 13.6/14.6/15.3. This affects an unknown part of the component User Information Handler. The manipulation leads to improper authentication. This vulnerability is uniquely identified as CVE-2025-31264. It is possible to launch the attack on the physical device. There is no exploit available. It is recommended to upgrade the affected component.

A vulnerability, which was classified as critical, has been found in Apple macOS up to 13.6/14.6/15.3. Affected by this issue is some unknown functionality of the component App. The manipulation leads to permission issues. This vulnerability is handled as CVE-2025-31261. Local access is required to approach this attack. There is no exploit available. It is recommended to upgrade the affected component.

A vulnerability was found in Apple iOS and iPadOS. It has been rated as problematic. This issue affects some unknown processing of the component App. The manipulation leads to information disclosure. The identification of this vulnerability is CVE-2025-31199. It is possible to launch the attack on the local host. There is no exploit available. It is recommended to upgrade the affected component.

A vulnerability classified as problematic has been found in Apple macOS. Affected is an unknown function of the component App. The manipulation leads to information disclosure. This vulnerability is traded as CVE-2025-31199. The attack needs to be approached locally. There is no exploit available. It is recommended to upgrade the affected component.

A vulnerability classified as problematic was found in Apple visionOS. Affected by this vulnerability is an unknown functionality of the component App. The manipulation leads to information disclosure. This vulnerability is known as CVE-2025-31199. An attack has to be approached locally. There is no exploit available. It is recommended to upgrade the affected component.

A vulnerability was found in Apple macOS up to 13.6/14.6/15.3. It has been declared as critical. This vulnerability affects unknown code of the component File Quarantine. The manipulation leads to improper access controls. This vulnerability was named CVE-2025-31189. Attacking locally is a requirement. There is no exploit available. It is recommended to upgrade the affected component.

A vulnerability was found in Santesoft Sante DICOM Viewer Pro up to 14.2.1. It has been classified as critical. This affects an unknown part. The manipulation leads to out-of-bounds read. This vulnerability is uniquely identified as CVE-2025-5307. It is possible to initiate the attack remotely. There is no exploit available.

A vulnerability was found in Policy Plugin up to 0.1.0 on Discourse and classified as problematic. Affected by this issue is some unknown functionality of the component Private Group Handler. The manipulation leads to information disclosure. This vulnerability is handled as CVE-2025-47288. The attack may be launched remotely. There is no exploit available. It is recommended to upgrade the affected component.

A vulnerability has been found in Apple macOS up to 13.6/14.6/15.3 and classified as critical. Affected by this vulnerability is an unknown functionality of the component Symlink Handler. The manipulation leads to path traversal. This vulnerability is known as CVE-2025-31198. The attack can only be initiated within the local network. There is no exploit available. It is recommended to upgrade the affected component.

A vulnerability, which was classified as problematic, was found in Apple Safari. Affected is an unknown function. The manipulation leads to permissive cross-domain policy with untrusted domains. This vulnerability is traded as CVE-2025-30466. It is possible to launch the attack remotely. There is no exploit available. It is recommended to upgrade the affected component.

MySQL 中 varchar(64) 采用 UTF-8 编码时的存储能力可通过以下维度分析： 一、存储汉字 […]

SentinelOne, a leading AI-powered cybersecurity company, experienced a significant global platform outage on May 29, 2025, that affected commercial customers worldwide for approximately six hours. The incident impacted multiple services on SentinelOne’s Singularity platform, including endpoint protection, extended detection and response (XDR), cloud security, and identity protection services. The outage began early Thursday morning, with […]

The post SentinelOne Outage: Services Restored After Hours-Long Platform Disruption appeared first on Cyber Security News.

1.Qilin勒索团伙公布了新的受害公司 2.Play勒索团伙公布了新的受害者 3.Blacksuit团伙公布入侵美国格洛斯特县

HackerNews 编译，转载请注明出处： IT管理软件巨头ConnectWise披露遭遇疑似国家级黑客攻击，其ScreenConnect远程工具部分云客户环境遭入侵。公司公告称：“近期发现可疑活动，经研判系复杂国家级攻击者所为，受影响ScreenConnect客户数量极少。”目前ConnectWise已联合曼迪昂特开展取证调查，并协调执法部门处理。 这家佛罗里达企业为托管服务商（MSP）提供IT管理、远程监控及网络安全解决方案，ScreenConnect作为核心产品可实现技术人员对客户系统的安全远程维护。据CRN报道，ConnectWise已实施网络强化措施并部署增强监控系统，宣称客户环境未发现后续异常活动。 尽管ConnectWise拒绝透露具体受影响客户数、入侵时间及是否观察到恶意活动，但消息人士向BleepingComputer透露：攻击实际发生于2024年8月，公司直至2025年5月才察觉，且仅波及云托管版ScreenConnect实例。MSP服务商CNWR总裁杰森·斯拉格尔证实受害者数量极少，暗示攻击者实施的是精准定向攻击。 Reddit论坛用户披露关键细节：事件与CVE-2025-3935漏洞相关。该高危漏洞影响ScreenConnect 25.2.3及更早版本，因ASP.NET ViewState反序列化缺陷导致代码注入。拥有系统特权的攻击者可窃取服务器密钥构造恶意载荷，最终实现远程代码执行。ConnectWise虽未确认漏洞遭利用，但承认已于4月24日修复该“高危”漏洞，并在公开披露前完成云平台（screenconnect.com/hostedrmm.com）补丁更新。 鉴于仅云托管实例受影响，安全专家推测攻击者可能先入侵ConnectWise系统窃取密钥，进而通过RCE控制ScreenConnect服务器渗透客户环境。多位客户向BleepingComputer投诉ConnectWise拒绝提供入侵指标（IOC）及事件细节，致使客户无法有效排查风险。值得警惕的是，ScreenConnect去年曝光的CVE-2024-1709漏洞曾被勒索团伙及朝鲜APT组织用于恶意软件攻击。       消息来源： bleepingcomputer； 本文由 HackerNews.cc 翻译整理，封面来源于网络； 转载请注明“转自 HackerNews.cc”并附上原文

HackerNews 编译，转载请注明出处： 安全研究人员披露苹果Safari浏览器存在设计缺陷，攻击者可利用全屏模式实施“浏览器中间人攻击”（BitM）窃取用户凭证。该漏洞源于网页通过Fullscreen API进入全屏模式时，Safari缺乏明确警示机制，使恶意窗口得以隐藏地址栏并伪装成合法登录页面。 网络安全公司SquareX指出，攻击者通过滥用全屏API实现三重欺骗： 利用noVNC等开源工具在受害者会话层叠加远程控制浏览器 通过赞助广告/社交媒体推送伪造目标服务登录页链接 当用户点击登录按钮时激活隐藏的BitM窗口 典型案例显示，攻击者伪造Steam和Figma登录页诱导用户输入凭证。由于登录过程实际发生在攻击者控制的浏览器中，受害者仍能正常登录账户，难以察觉信息泄露。值得注意的是，此类攻击能规避端点检测（EDR）及安全访问服务边缘（SASE/SSE）等防护方案。 浏览器防护机制对比显示： Firefox/Chrome/Edge进入全屏时强制弹出警示框 Safari仅显示易被忽略的滑动动画 SquareX研究人员强调：“尽管所有浏览器均受影响，但Safari因缺乏视觉警示使攻击更具欺骗性。” 苹果公司收到漏洞报告后回应称“无意修复”，认为现有动画提示已足够。目前安全社区正推动苹果重新评估该决定。       消息来源： bleepingcomputer； 本文由 HackerNews.cc 翻译整理，封面来源于网络； 转载请注明“转自 HackerNews.cc”并附上原文

The Apache Software Foundationから、Apache Tomcatの脆弱性（CVE-2025-46701）に対するアップデートが公開されました。

Consilium Safetyが提供するCS5000 Fire Panelには、複数の脆弱性が存在します。