Aggregator

CVE-2025-55164 | helmetjs content-security-policy-parser up to 0.5.x prototype pollution (ID 11)

1 week ago

A vulnerability classified as critical has been found in helmetjs content-security-policy-parser up to 0.5.x. Impacted is an unknown function. The manipulation leads to improperly controlled modification of object prototype attributes ('prototype pollution'). This vulnerability is uniquely identified as CVE-2025-55164. The attack is possible to be carried out remotely. No exploit exists. It is recommended to upgrade the affected component.

vuldb.com

CVE-2025-8909 | WellChoose Organization Portal System up to IFTOP_P3_2_1_196 absolute path traversal

Vuldb Updates

1 week ago

A vulnerability identified as problematic has been detected in WellChoose Organization Portal System up to IFTOP_P3_2_1_196. This impacts an unknown function. This manipulation causes absolute path traversal. This vulnerability is tracked as CVE-2025-8909. The attack is possible to be carried out remotely. No exploit exists.

vuldb.com

CVE-2025-8910 | WellChoose Organization Portal System up to IFTOP_P3_2_1_196 cross site scripting

Vuldb Updates

1 week ago

A vulnerability classified as problematic has been found in WellChoose Organization Portal System up to IFTOP_P3_2_1_196. This affects an unknown part. The manipulation leads to cross site scripting. This vulnerability is documented as CVE-2025-8910. The attack can be initiated remotely. There is not any exploit available.

vuldb.com

CVE-2025-8911 | WellChoose Organization Portal System up to IFTOP_P3_2_1_196 cross site scripting

Vuldb Updates

1 week ago

A vulnerability classified as problematic was found in WellChoose Organization Portal System up to IFTOP_P3_2_1_196. This vulnerability affects unknown code. The manipulation results in cross site scripting. This vulnerability is reported as CVE-2025-8911. The attack can be launched remotely. No exploit exists.

vuldb.com

CVE-2025-54118 | NamelessMC Nameless up to 2.2.3 list information disclosure (GHSA-cj37-8jqc-hv2w)

Vuldb Updates

1 week ago

A vulnerability labeled as problematic has been found in NamelessMC Nameless up to 2.2.3. This issue affects some unknown processing. Such manipulation of the argument list leads to information disclosure. This vulnerability is documented as CVE-2025-54118. The attack can be executed remotely. There is not any exploit available. The affected component should be upgraded.

vuldb.com

CVE-2025-54117 | NamelessMC Nameless up to 2.2.3 cross site scripting (GHSA-gp3j-j84w-vqxx)

Vuldb Updates

1 week ago

A vulnerability classified as problematic was found in NamelessMC Nameless up to 2.2.3. This affects an unknown function. The manipulation results in basic cross site scripting. This vulnerability is known as CVE-2025-54117. It is possible to launch the attack remotely. No exploit is available. Upgrading the affected component is advised.

vuldb.com

CVE-2025-54421 | NamelessMC Nameless up to 2.2.3 default_keywords cross site scripting (GHSA-f5rm-w4mx-q7rx)

Vuldb Updates

1 week ago

A vulnerability, which was classified as problematic, has been found in NamelessMC Nameless up to 2.2.3. This impacts an unknown function. This manipulation of the argument default_keywords causes cross site scripting. This vulnerability is handled as CVE-2025-54421. The attack can be initiated remotely. There is not any exploit available. It is advisable to upgrade the affected component.

vuldb.com

CVE-2025-51510 | MoonShine 3.12.5 Blog Data sql injection (EUVD-2025-25179)

Vuldb Updates

1 week ago

A vulnerability identified as critical has been detected in MoonShine 3.12.5. Impacted is an unknown function of the component Blog Module. The manipulation of the argument Data leads to sql injection. This vulnerability is uniquely identified as CVE-2025-51510. The attack is possible to be carried out remotely. No exploit exists.

vuldb.com

CVE-2025-38614 | Linux Kernel up to 6.16.0 eventpoll ep_loop_check_proc recursion

Vuldb Updates

1 week ago

A vulnerability labeled as critical has been found in Linux Kernel up to 6.16.0. This issue affects the function ep_loop_check_proc of the component eventpoll. The manipulation results in uncontrolled recursion. This vulnerability is known as CVE-2025-38614. Access to the local network is required for this attack. No exploit is available. The affected component should be upgraded.

vuldb.com

CVE-2025-54145 | Mozilla Firefox up to 140 on iOS QR Scanner redirect (EUVD-2025-25228)

Vuldb Updates

1 week ago

A vulnerability classified as critical was found in Mozilla Firefox up to 140 on iOS. This impacts an unknown function of the component QR Scanner. The manipulation results in open redirect. This vulnerability is known as CVE-2025-54145. It is possible to launch the attack remotely. No exploit is available. Upgrading the affected component is advised.

vuldb.com

CVE-2025-54144 | Mozilla Firefox up to 140 on iOS URL Scheme redirect (EUVD-2025-25229)

Vuldb Updates

1 week ago

A vulnerability classified as critical has been found in Mozilla Firefox up to 140 on iOS. This affects an unknown function of the component URL Scheme Handler. The manipulation leads to open redirect. This vulnerability is traded as CVE-2025-54144. It is possible to initiate the attack remotely. There is no exploit available. It is recommended to upgrade the affected component.

vuldb.com

CVE-2025-49707 | Microsoft DCadsv5-series Azure VM access control (EUVD-2025-24276)

Vuldb Updates

1 week ago

A vulnerability classified as problematic has been found in Microsoft DCadsv5-series Azure VM, DCasv5-series Azure VM, DCedsv5-series Azure VM, DCesv5-series - Azure VM, DCesv6-series Azure VM, ECadsv5-series Azure VM, ECasv5-series Azure VM, ECedsv5-series Azure VM, ECesv5-series Azure VM, Ecesv6-series Azure VM and NCCadsH100v5-series Azure VM. This affects an unknown function. This manipulation causes improper access controls. This vulnerability is handled as CVE-2025-49707. It is possible to launch the attack on the local host. There is not any exploit available. It is recommended to apply a patch to fix this issue.

vuldb.com

CVE-2025-8912 | WellChoose Organization Portal System up to IFTOP_P3_2_1_196 absolute path traversal (EUVD-2025-24550)

Vuldb Updates

1 week ago

A vulnerability marked as problematic has been reported in WellChoose Organization Portal System up to IFTOP_P3_2_1_196. Affected by this vulnerability is an unknown functionality. Performing manipulation results in absolute path traversal. This vulnerability is cataloged as CVE-2025-8912. It is possible to initiate the attack remotely. There is no exploit available.

vuldb.com

CVE-2025-8914 | WellChoose Organization Portal System up to IFTOP_P3_2_1_196 sql injection (EUVD-2025-24548)

Vuldb Updates

1 week ago

A vulnerability described as critical has been identified in WellChoose Organization Portal System up to IFTOP_P3_2_1_196. Affected by this issue is some unknown functionality. Executing manipulation can lead to sql injection. This vulnerability is registered as CVE-2025-8914. It is possible to launch the attack remotely. No exploit is available.

vuldb.com

CVE-2025-8913 | WellChoose Organization Portal System up to IFTOP_P3_2_1_196 filename control (EUVD-2025-24549)

Vuldb Updates

1 week ago

A vulnerability, which was classified as critical, has been found in WellChoose Organization Portal System up to IFTOP_P3_2_1_196. This issue affects some unknown processing. This manipulation causes improper control of filename for include/require statement in php program ('php remote file inclusion'). This vulnerability appears as CVE-2025-8913. The attack may be initiated remotely. There is no available exploit.

vuldb.com

Skibidi dop dop yes yes yes — теперь и в Cambridge Dictionary

Securitylab.ru

1 week ago

Классическая лингвистика уже не выдерживает напора интернета.

CISOs need to think about risks before rushing into AI

Help Net Security

1 week ago

Organizations are increasing investments in cloud, AI, and emerging technologies, but their infrastructure and security strategies often lag behind. A recent Unisys survey of 1,000 senior executives shows that business and IT leaders are not always aligned on what needs to be in place before the next wave of technology arrives. Proactive cybersecurity is growing in popularity (Source: Unisys) From a security perspective, the findings raise concerns about how quickly organizations are moving ahead without … More →

The post CISOs need to think about risks before rushing into AI appeared first on Help Net Security.

Anamarija Pogorelec

A Big Step on the CMMC Rollout Timeline

TrustedSec

1 week ago

<p>A major step on the CMMC rollout timeline was completed recently as the regulatory change that will create the CMMC contract clause made its way to the Office of Information and Regulatory Affairs (OIRA). This post…</p>

Chris Camejo

面对域名过期漏洞，PyPI阻断了账户劫持与攻击风险

不安全

1 week ago

PyPI新增安全措施防止域名复活攻击劫持账户，检查域名状态标记过期邮箱，并建议用户添加备用邮箱和开启双因素认证。

面对域名过期漏洞，PyPI阻断了账户劫持与攻击风险

嘶吼

1 week ago

最新消息，Python 包索引 (PyPI) 目前已引入了新的保护措施，以防止通过密码重置劫持账户的域名复活攻击。

PyPI 是 Python 开源包的官方仓库，为软件开发人员、产品维护者以及使用 Python 库、工具和框架的企业所广泛使用。

项目维护者在PyPI上发布软件的账户与电子邮件地址相关联。对于部分项目而言，其关联的电子邮箱地址还与特定域名绑定。若该域名过期，攻击者便可注册此域名，随后通过搭建邮件服务器并发起账户密码重置请求，进而掌控 PyPI 上的对应项目。

此类攻击的风险在于可能引发供应链攻击：遭劫持的项目会推送恶意版本的热门 Python 包，而在多数情况下，这些恶意包会通过 pip 自动安装。2022 年 5 月“ctx”包遭入侵便是典型案例——攻击者在该包中植入代码，专门针对亚马逊 AWS 密钥及账户凭证。

为解决这一问题，PyPI 如今会对平台上已验证电子邮箱地址所对应的域名进行检查，若发现域名已过期或即将进入过期阶段，便会将相关邮箱地址标记为未验证状态。

从技术层面来看，PyPI 借助 Domainr 的 Status API 确定域名的生命周期阶段（活跃、宽限期、赎回期、待删除），以此判断是否需要对相应账户采取措施。

域生命周期

一旦电子邮箱地址对应的域名进入上述状态，该邮箱便无法用于密码重置或其他账户恢复操作，即便攻击者注册了该域名，也难以找到可乘之机。

实际上，这些新措施的开发工作于 4 月启动，当时已通过初步扫描对相关情况进行评估。最终，新措施于 2025 年 6 月正式推出，且平台会每日进行扫描。自实施以来，在新系统下已有超过 1800 个电子邮箱地址被标记为未验证。

尽管新措施并非无懈可击，也无法应对所有攻击场景，但它显著降低了攻击者通过利用过期域名劫持 PyPI 账户的风险。PyPI 建议用户在账户中添加一个来自非自定义域名的备用邮箱，以避免服务中断；同时，应开启 PyPI 账户的双因素认证，从而增强账户抵御劫持的保护能力。

胡金鱼

Aggregator

Managed ad