Aggregator

CVE-2025-29876 | QNAP File Station 5.5.6.4741/5.5.6.4791 null pointer dereference (qsa-25-16 / EUVD-2025-17334)

Vuldb Updates
8 months ago
A vulnerability classified as problematic was found in QNAP File Station 5.5.6.4741/5.5.6.4791. Affected by this vulnerability is an unknown functionality. The manipulation leads to null pointer dereference. This vulnerability is known as CVE-2025-29876. The attack can be launched remotely. There is no exploit available. It is recommended to upgrade the affected component.
vuldb.com

CVE-2025-22486 | QNAP File Station 5.5.6.4741 certificate validation (qsa-25-09 / EUVD-2025-17343)

Vuldb Updates
8 months ago
A vulnerability, which was classified as critical, was found in QNAP File Station 5.5.6.4741. Affected is an unknown function. The manipulation leads to improper certificate validation. This vulnerability is traded as CVE-2025-22486. It is possible to launch the attack remotely. There is no exploit available. It is recommended to upgrade the affected component.
vuldb.com

CVE-2025-22490 | QNAP File Station 5.5.6.4741/5.5.6.4791 null pointer dereference (qsa-25-16 / EUVD-2025-17338)

Vuldb Updates
8 months ago
A vulnerability was found in QNAP File Station 5.5.6.4741/5.5.6.4791. It has been rated as problematic. This issue affects some unknown processing. The manipulation leads to null pointer dereference. The identification of this vulnerability is CVE-2025-22490. The attack may be initiated remotely. There is no exploit available. It is recommended to upgrade the affected component.
vuldb.com

CVE-2025-29871 | QNAP File Station 5.5.6.4741/5.5.6.4791 out-of-bounds (qsa-25-16 / EUVD-2025-17337)

Vuldb Updates
8 months ago
A vulnerability was found in QNAP File Station 5.5.6.4741/5.5.6.4791 and classified as problematic. Affected by this issue is some unknown functionality. The manipulation leads to out-of-bounds read. This vulnerability is handled as CVE-2025-29871. An attack has to be approached locally. There is no exploit available. It is recommended to upgrade the affected component.
vuldb.com

CVE-2025-29873 | QNAP File Station 5.5.6.4741/5.5.6.4791 null pointer dereference (qsa-25-16 / EUVD-2025-17335)

Vuldb Updates
8 months ago
A vulnerability classified as problematic has been found in QNAP File Station 5.5.6.4741/5.5.6.4791. Affected is an unknown function. The manipulation leads to null pointer dereference. This vulnerability is traded as CVE-2025-29873. It is possible to launch the attack remotely. There is no exploit available. It is recommended to upgrade the affected component.
vuldb.com

CVE-2025-29872 | QNAP File Station 5.5.6.4847 allocation of resources (qsa-25-16 / EUVD-2025-17336)

Vuldb Updates
8 months ago
A vulnerability was found in QNAP File Station 5.5.6.4847. It has been rated as critical. Affected by this issue is some unknown functionality. The manipulation leads to allocation of resources. This vulnerability is handled as CVE-2025-29872. The attack may be launched remotely. There is no exploit available. It is recommended to upgrade the affected component.
vuldb.com

CVE-2025-5136 | Tmall Demo up to 20250505 Payment Identifier /tmall/order/pay/ random values

Vuldb Updates
8 months ago
A vulnerability, which was classified as problematic, was found in Tmall Demo up to 20250505. This affects an unknown part of the file /tmall/order/pay/ of the component Payment Identifier Handler. The manipulation leads to insufficiently random values. This vulnerability is uniquely identified as CVE-2025-5136. It is possible to initiate the attack remotely. Furthermore, there is an exploit available. This product does not use versioning. This is why information about affected and unaffected releases are unavailable. The vendor was contacted early about this disclosure but did not respond in any way.
vuldb.com

CVE-2024-38944 | Intelight X-1L Traffic Controller Maxtime 1.9.6 generateForm.cgi?formID=142 privilege escalation (EDB-52151)

Vuldb Updates
8 months ago
A vulnerability has been found in Intelight X-1L Traffic Controller Maxtime 1.9.6 and classified as critical. This vulnerability affects unknown code of the file /cgi-bin/generateForm.cgi?formID=142. The manipulation leads to privilege escalation. This vulnerability was named CVE-2024-38944. The attack can be initiated remotely. Furthermore, there is an exploit available.
vuldb.com

91% noise: A look at what’s wrong with traditional SAST tools

Help Net Security
8 months ago

Traditional static application security testing (SAST) tools are falling short. That’s the key takeaway from a recent report that tested these tools against nearly 3,000 open-source code repositories. The results: more than 91% of flagged vulnerabilities were false positives. The Exorcising the SAST Demons report comes from Ghost Security, which scanned public GitHub projects in Go, Python, and PHP. The study focused on three vulnerability types commonly found in real-world apps: SQL injection, command injection, … More →

The post 91% noise: A look at what’s wrong with traditional SAST tools appeared first on Help Net Security.

Mirko Zorz

How C-suite roles are shaping the future of tech leadership

Help Net Security
8 months ago

As companies accelerate towards technology-driven business models, the tech C-suite is embracing new skills, greater influence, and a unified approach to business transformation, according to Deloitte. Top priorities for tech leaders (Source: Deloitte) With insights from a range of C-level tech leaders, including more than 600 US CIOs, CTOs, CDAOs and CISOs, the Deloitte survey found that evolving roles and responsibilities, the rise of AI, and an imperative for cross-functional collaboration are providing a new … More →

The post How C-suite roles are shaping the future of tech leadership appeared first on Help Net Security.

Help Net Security

从Snowflake攻击中窃取的Ticketmaster数据再次被出售

嘶吼
8 months ago

近期,Arkana安全勒索团伙简要列出了似乎是新被盗的Ticketmaster数据,但实际上是2024年Snowflake盗窃攻击期间被盗的数据。

该勒索组织发布了据称被盗数据的截图,并发布了超过569 GB的Ticketmaster数据出售广告,引发了人们对这是否是一次新的数据泄露的猜测。

Arkana出售的Ticketmaster数据列表

目前已经确定,Arkana帖子中显示的文件与之前在2024年Snowflake数据盗窃攻击中看到的Ticketmaster数据样本相匹配。

此外,其中一张图片的标题是“rapeflaked copy 4 quick sale 1 buyer”,这是对一种名为“RapeFlake”的工具的引用。

RapeFlake是由威胁者创建的自定义工具,用于对 Snowflake 数据库进行侦察和数据窃取。正如之前报道的那样,Snowflake攻击了许多组织,包括桑坦德银行、Ticketmaster、AT&T、Advance Auto Parts、Neiman Marcus、Los Angeles Unified、Pure Storage和Cylance。这些攻击是由一个名为ShinyHunters的勒索组织发起的,这些凭证随后被用来下载公司数据,用于勒索计划。

在Snowflake网络攻击中,Ticketmaster是被勒索最多的受害者之一,导致个人和票务信息被盗。这些数据在网上出售后,该公司在5月底确认了这一漏洞,并开始通知受影响的客户。

在最初的泄露事件后,这些威胁者通过在黑客论坛上发布他们所谓的“家庭打印”门票,甚至声称是泰勒·斯威夫特的门票,加大勒索企图。

虽然Arkana没有说明数据的来源,但使用Snowflake引用和与先前泄露文件匹配的文件名表明该组织试图转售旧的被盗数据。

目前尚不清楚Arkana之前是否购买了这些数据,该组织是否由之前拥有这些数据的威胁者组成,或者他们是否与ShinyHunters合作出售这些数据。6月9日,有关Ticketmaster数据的条目已从Arkana Security数据泄露网站上删除。

近年来,“ShinyHunters”这个名字与大量数据泄露事件有关,其中包括PowerSchool大规模数据泄露事件,美国、加拿大和其他国家6505个学区的6240万名学生和950万名教师的数据被盗。

最近,Mandiant将ShinyHunters与最近针对Salesforce账户的活动联系起来,威胁者侵入账户窃取客户数据并勒索公司。

在过去的三年中,许多与ShinyHunters有关的威胁者被逮捕,目前尚不清楚这是原始团队还是其他声称是他们以混淆视听的威胁者。目前Arkana和Ticketmaster均未有所回复。

胡金鱼

媒体竞争如何驱动虚假信息传播

Solidot
8 months ago
信息爆炸的时代,虚假信息如病毒般在社交媒体和传统媒体中迅速蔓延。从古罗马时期的政治诽谤到现代社交媒体上的假新闻,虚假信息始终是影响公众认知和社会稳定的重要因素。特别值得注意的是,与传统认知不同,研究表明社交媒体并非虚假信息的主要来源,主流媒体和公众人物在虚假信息传播中扮演着更为关键的角色。这种状况引发了一个核心问题:为什么在明知会损害长期信誉的情况下,新闻源仍会传播虚假信息?研究人员发现,媒体间的竞争会形成类似"囚徒困境"的局面:虽然传播虚假信息会损害长期信誉,但短期内能获得更多关注和影响力。这种竞争关系促使媒体陷入"军备竞赛",最终导致虚假信息泛滥。

Managed ad