Aggregator

今年，站在浪潮的人，会在 IF 2026 相遇。

HackerNews 编译，转载请注明出处： 西班牙旗舰航空公司伊比利亚航空（Iberia）就一起与第三方供应商相关的数据泄露事件向客户发出警告。有威胁行为者宣称已窃取该航空公司 77GB 数据。 伊比利亚航空成立于 1927 年，总部位于马德里，是西班牙国家航空公司。该公司以马德里巴拉哈斯机场为枢纽，运营着庞大的国际航线网络，飞往欧洲、美洲、非洲、中东及亚洲的 140 多个城市。作为国际航空集团（IAG）的成员企业，其旗下还包括英国航空、伏林航空、LEVEL 航空及爱尔兰航空等品牌，业务涵盖客运、货运、飞机维修及机场地勤服务。 伊比利亚航空已正式披露此次安全事件，并确认部分客户信息遭泄露，包括姓名、电子邮箱及伊比利亚俱乐部（Iberia Club）会员 ID。 该公司向受影响客户发送的数据泄露通知中写道：“尊敬的客户，很遗憾地告知您，西班牙伊比利亚航空已检测到一起安全事件 —— 我们的一家供应商系统遭到未授权访问，导致部分数据的保密性受损。” “尽管伊比利亚航空已部署相关安全措施，但我们发现有证据表明客户的部分个人数据遭到未授权访问，其中可能包含您的信息。目前调查显示，泄露的数据可能包括姓名、电子邮箱地址及会员卡识别号（伊比利亚俱乐部）。” 官方明确表示，威胁行为者并未获取伊比利亚航空的客户账户权限、密码信息，且客户财务数据未受此次泄露事件影响。 消息来源：securityaffairs； 本文由 HackerNews.cc 翻译整理，封面来源于网络； 转载请注明“转自 HackerNews.cc”并附上原文

A vulnerability was found in DPDK. It has been declared as critical. This affects the function vhost_user_set_inflight_fd of the component vhost Library. The manipulation results in out-of-bounds write. This vulnerability is identified as CVE-2021-3839. The attack can only be performed from the local network. There is not any exploit available. A patch should be applied to remediate this issue.

A vulnerability marked as problematic has been reported in dpdk. This issue affects some unknown processing of the component Message Handler. Performing manipulation results in resource consumption. This vulnerability is cataloged as CVE-2022-0669. The attack must originate from the local network. There is no exploit available. It is recommended to apply a patch to fix this issue.

A vulnerability was found in Red Hat OpenStack Platform. It has been classified as problematic. Impacted is an unknown function of the component etcd Package. Performing manipulation results in resource consumption. This vulnerability is cataloged as CVE-2024-4436. It is possible to initiate the attack remotely. There is no exploit available.

A vulnerability identified as critical has been detected in Linux Kernel up to 5.9/5.10/5.10.102/5.15.25/5.16.11. This impacts the function resolve_prepare_src of the component RDMA. This manipulation causes use after free. This vulnerability is registered as CVE-2022-48925. The attack requires access to the local network. No exploit is available. You should upgrade the affected component.

A vulnerability was found in Red Hat OpenStack Platform. It has been rated as problematic. The impacted element is an unknown function of the component etcd Package. The manipulation leads to resource consumption. This vulnerability is documented as CVE-2024-4438. The attack can be initiated remotely. There is not any exploit available.

A vulnerability marked as critical has been reported in Linux Kernel up to 6.9.4. This affects the function debugfs_remove_recursive of the component mgb4. The manipulation leads to denial of service. This vulnerability is documented as CVE-2024-39465. The attack requires being on the local network. There is not any exploit available. It is suggested to upgrade the affected component.

Китайские ученые предупреждают, что в будущих войнах за контроль над орбитой придется платить тысячами дронов и тоннами радиошума.

HackerNews 编译，转载请注明出处： SolarWinds 修复了其 Serv-U 文件传输解决方案中的三个关键漏洞，这些漏洞可能允许远程代码执行。 第一个漏洞，追踪编号为 CVE-2025-40549（CVSS 评分 9.1），是一个影响 Serv-U 的路径限制绕过问题。拥有管理员权限的攻击者可利用此漏洞在目录上执行代码。公告中写道：”Serv-U 中存在一个路径限制绕过漏洞，若被滥用，可能使拥有管理员权限的恶意行为者具备在目录上执行代码的能力。””滥用此问题需要管理员权限。在 Windows 系统上，由于路径和主目录处理方式的差异，该漏洞评级为中等。” 该公司修复的第二个漏洞，追踪编号为 CVE-2025-40548（CVSS 评分 9.1），是一个访问控制缺陷，可导致远程代码执行漏洞。公告中写道：”Serv-U 中存在一个缺失的验证过程，若被滥用，可能使拥有管理员权限的恶意行为者具备执行代码的能力。””滥用此问题需要管理员权限。在 Windows 部署环境中，由于服务默认通常在权限较低的服务账户下运行，该风险被评为中等。SolarWinds 指出，CVE-2025-40547 和 CVE-2025-40548 在 Windows 系统上仅具有中等严重性，因为受影响的服务通常在低权限账户下运行。 第三个漏洞，CVE-2025-40547（CVSS 评分 9.1），是 Serv-U 中的一个逻辑错误漏洞。拥有管理员权限的攻击者可利用此漏洞执行任意代码。这些漏洞影响 SolarWinds Serv-U 15.5.2.2.102 版本，该公司已发布 15.5.3 版本来解决这些问题。 消息来源：securityaffairs； 本文由 HackerNews.cc 翻译整理，封面来源于网络； 转载请注明“转自 HackerNews.cc”并附上原文

A vulnerability was found in Eigenfocus up to 1.4.0. It has been rated as problematic. This vulnerability affects unknown code of the component Description Handler. The manipulation of the argument entry.description/time_entry.description leads to cross site scripting. This vulnerability is uniquely identified as CVE-2025-13584. The attack is possible to be carried out remotely. Moreover, an exploit is present. Upgrading the affected component is advised.

A vulnerability classified as critical was found in Ads Pro Plugin up to 4.95 on WordPress. Affected is an unknown function. The manipulation of the argument site_id results in sql injection. This vulnerability is cataloged as CVE-2025-7402. The attack may be launched remotely. There is no exploit available.

cnspec is an open source tool that helps when you are trying to keep a sprawling setup of clouds, containers, APIs and endpoints under control. It checks security and compliance across all of it, which makes it easier to see what needs attention. At its core, cnspec looks for vulnerabilities and misconfigurations across public and private cloud environments, Kubernetes clusters, containers, container registries, servers, endpoints, SaaS products, infrastructure as code and APIs. It uses a … More →

The post cnspec: Open-source, cloud-native security and policy project appeared first on Help Net Security.

马斯克（Elon Musk）旗下的社交媒体 X/Twitter 开始展示账号注册的地理位置，如果该账号使用了 VPN 隐藏 IP 它还会提示可能使用了 VPN。该功能在上线之后一度下线，之后又恢复上线。地理位置信息显示很多政治网红的账号其实都是在美国之外运营的。MAGA NATION 有逾 39.2 万粉丝，其运营地点位于东欧；Dark Maga 有逾 1.5 万粉丝，其运营地点位于泰国；MAGA Scope 有逾 5.1 万粉丝，其运营地点位于尼日利亚；America First 有逾 6.7 万粉丝，其运营地点位于孟加拉国。反 MAGA 账号 Ron Smith 有逾 5.2 万名粉丝，其运营地点位于肯尼亚；Republicans Against Trump 有逾 97 万粉丝，其运营地点位于奥地利，目前使用美国 IP 的 VPN 隐藏原 IP。

A vulnerability has been found in Otsuka Information FMS up to 20251014.10r45111 and classified as problematic. This affects an unknown part. Performing manipulation results in cross site scripting. This vulnerability is reported as CVE-2025-13589. The attack is possible to be carried out remotely. No exploit exists.

Сервисный гигант открыл хакерам доступ к досье миллионов.

Most people assume their medical data sits in quiet storage, protected by familiar rules. That belief gives a sense of safety, but new research argues that the world around healthcare data has changed faster than the policies meant to guide it. As a result, the system is stuck, and the cost of that stagnation is rising for patients, researchers, and innovators. The paper, written by experts from major U.S. medical institutions, examines how healthcare’s privacy-centric … More →

The post The privacy tension driving the medical data shift nobody wants to talk about appeared first on Help Net Security.

快速浏览！2025.11.17—11.23安全动态回顾。

两轮攻击均利用了编号为CVE-2023-48022的旧版高危漏洞。

A practical walkthrough of how hidden JSON fields can expose privilege flaws in modern signup APIsPr