Aggregator

A vulnerability classified as critical was found in Apple Safari up to 13.0.4. This vulnerability affects unknown code of the component WebKit. The manipulation leads to memory corruption. This vulnerability was named CVE-2020-3825. The attack can be initiated remotely. There is no exploit available. It is recommended to upgrade the affected component.

A vulnerability, which was classified as critical, has been found in Apple Safari up to 13.0.4. This issue affects some unknown processing of the component WebKit. The manipulation leads to memory corruption. The identification of this vulnerability is CVE-2020-3868. The attack may be initiated remotely. There is no exploit available. It is recommended to upgrade the affected component.

A vulnerability was found in Apple Safari up to 13.0.4. It has been classified as critical. Affected is an unknown function. The manipulation leads to authentication bypass by spoofing. This vulnerability is traded as CVE-2020-3833. It is possible to launch the attack remotely. There is no exploit available. It is recommended to upgrade the affected component.

A vulnerability was found in Apple Safari up to 13.0.4. It has been declared as critical. Affected by this vulnerability is an unknown functionality. The manipulation leads to improper privilege management. This vulnerability is known as CVE-2020-3852. The attack can be launched remotely. There is no exploit available. It is recommended to upgrade the affected component.

A vulnerability was found in rubygem up to 0.12.x. It has been declared as critical. This vulnerability affects unknown code of the component Dashboard. The manipulation of the argument direction leads to improper neutralization of special elements in data query logic. This vulnerability was named CVE-2020-5257. The attack can be initiated remotely. There is no exploit available. It is recommended to upgrade the affected component.

A vulnerability classified as problematic was found in reveal.js up to 3.9.1. Affected by this vulnerability is an unknown functionality. The manipulation of the argument postMessage leads to cross site scripting. This vulnerability is known as CVE-2020-8127. The attack can be launched remotely. There is no exploit available.

A vulnerability, which was classified as problematic, has been found in rhdm and rhpam 7.5.1. Affected by this issue is some unknown functionality. The manipulation leads to authentication bypass by spoofing (Base64). This vulnerability is handled as CVE-2019-14886. The attack may be launched remotely. There is no exploit available.

A vulnerability was found in Smartbear ReadyAPI and SoapUI. It has been classified as critical. This affects an unknown part of the component Groovy Handler. The manipulation leads to improper input validation. This vulnerability is uniquely identified as CVE-2019-12180. It is possible to initiate the attack remotely. There is no exploit available.

A vulnerability, which was classified as problematic, has been found in Microsoft Remote Desktop Connection Manager 2.7. This issue affects some unknown processing. The manipulation leads to information disclosure. The identification of this vulnerability is CVE-2020-0765. The attack may be initiated remotely. There is no exploit available. It is recommended to apply a patch to fix this issue.

A vulnerability was found in RegistrationMagic Plugin 4.6.0.0 on WordPress. It has been classified as problematic. Affected is an unknown function. The manipulation of the argument rm_form_id/rm_tr/form_name as part of Parameter leads to cross site scripting. This vulnerability is traded as CVE-2020-8436. It is possible to launch the attack remotely. There is no exploit available.

A vulnerability was found in Central Dogma. It has been classified as critical. This affects an unknown part of the component Mirroring Handler. The manipulation leads to improper access controls. This vulnerability is uniquely identified as CVE-2021-38388. The attack needs to be done within the local network. There is no exploit available.

A vulnerability was found in PHPGurukul Apartment Visitors Management System 1.0 and classified as critical. Affected by this issue is some unknown functionality of the file /admin/bwdates-reports-details.php. The manipulation of the argument fromdate/todate leads to sql injection. This vulnerability is handled as CVE-2025-4553. The attack may be launched remotely. Furthermore, there is an exploit available.

A vulnerability was found in PHPGurukul Apartment Visitors Management System 1.0. It has been classified as critical. This affects an unknown part of the file /admin/bwdates-passreports-details.php. The manipulation of the argument fromdate/todate leads to sql injection. This vulnerability is uniquely identified as CVE-2025-4554. It is possible to initiate the attack remotely. Furthermore, there is an exploit available.

A vulnerability was found in WP Finance Plugin up to 1.3.6 on WordPress. It has been declared as problematic. This vulnerability affects unknown code. The manipulation leads to cross-site request forgery. This vulnerability was named CVE-2024-13096. The attack can be initiated remotely. There is no exploit available.

A vulnerability was found in Responsive iframe Plugin up to 1.2.0 on WordPress. It has been rated as problematic. This issue affects some unknown processing of the component Block Option Handler. The manipulation leads to cross site scripting. The identification of this vulnerability is CVE-2024-12768. The attack may be initiated remotely. There is no exploit available.

A vulnerability has been found in WP Finance Plugin up to 1.3.6 on WordPress and classified as problematic. Affected by this vulnerability is an unknown functionality. The manipulation leads to cross site scripting. This vulnerability is known as CVE-2024-13097. The attack can be launched remotely. There is no exploit available.

HackerNews 编译，转载请注明出处： 谷歌同意向美国德克萨斯州支付13.75亿美元（约合人民币100亿元），就两起涉嫌非法追踪用户位置与违规收集生物识别数据的诉讼达成和解。这是继2024年7月与Meta（原Facebook）就非法面部识别数据使用达成14亿美元和解后，德州总检察长肯·帕克斯顿在科技巨头监管领域的又一重大胜利。 根据德州总检察长办公室发布的声明，此次和解涉及谷歌在用户关闭“位置历史记录”情况下仍秘密追踪地理位置、收集无痕搜索数据，以及通过谷歌照片服务非法获取生物识别数据（声纹与面部特征）等多项指控。此前同类案件中，全美40个州联合诉讼仅获3.91亿美元和解，加州单独诉讼金额为9300万美元，此次德州和解金额超历史总和。 “在德州，科技巨头没有法外特权。多年来，谷歌通过产品服务秘密追踪用户行踪、私人搜索甚至生物特征。我们通过多年诉讼最终赢得这场战役，”帕克斯顿表示，“这13.75亿美元和解金是对企业滥用用户信任的严厉警示，我将持续保护德州民众隐私免受科技巨头侵害。” 谷歌在声明中否认存在不当行为，称相关产品政策早已调整。发言人何塞·卡斯塔内达表示：“此次和解主要涉及多年前已修正的旧版产品功能，包括Chrome无痕模式提示、谷歌地图位置披露条款及照片生物识别数据处理方式。我们将继续加强服务中的隐私控制。” 技术细节显示，作为和解协议的一部分，谷歌将于2024年12月1日起调整地图时间线功能——相关数据将仅存储于用户设备本地，停止云端同步并关闭网页端访问权限。用户需下载移动端谷歌地图应用方可继续使用该功能。 此次和解创下美国州政府单起隐私诉讼最高赔偿纪录。2024年以来，德州通过三起科技巨头隐私诉讼累计获赔超21亿美元，包括： 2024年1月：谷歌支付700万美元和解非法收集未成年人声纹数据诉讼 2024年7月：Meta支付14亿美元和解非法面部识别数据收集案 2024年8月：本起13.75亿美元谷歌隐私和解案 法律专家指出，德州通过修订《生物识别数据隐私法》与《数据隐私与安全法案》，构建了全美最严苛的数据保护体系。该州总检察长办公室设有专职技术侦查部门，配备逆向工程专家与数字取证团队，为诉讼提供技术支持。       消息来源：securityaffairs； 本文由 HackerNews.cc 翻译整理，封面来源于网络； 转载请注明“转自 HackerNews.cc”并附上原文

A vulnerability classified as very critical was found in Oracle Healthcare Master Person Index up to 5.0.4. Affected by this vulnerability is an unknown functionality of the component Self Service Analytics. The manipulation leads to code injection. This vulnerability is known as CVE-2022-42889. The attack can be launched remotely. Furthermore, there is an exploit available.