Aggregator

A vulnerability, which was classified as problematic, was found in Veribo & Roland Murg WP Simple Booking Calendar Plugin up to 2.0.8.4 on WordPress. This affects an unknown part. The manipulation leads to cross-site request forgery. This vulnerability is uniquely identified as CVE-2023-51525. It is possible to initiate the attack remotely. There is no exploit available.

A vulnerability classified as problematic has been found in Klarna Payments for WooCommerce Plugin up to 3.2.4 on WordPress. Affected is an unknown function. The manipulation leads to missing authorization. This vulnerability is traded as CVE-2024-30477. It is possible to launch the attack remotely. There is no exploit available.

A vulnerability classified as critical was found in Averta Shortcodes and Extra Features for Phlox Theme up to 2.15.5 on WordPress. Affected by this vulnerability is an unknown functionality. The manipulation leads to missing authorization. This vulnerability is known as CVE-2024-31099. The attack can be launched remotely. There is no exploit available.

A vulnerability, which was classified as problematic, has been found in Brice Capobianco Simple Revisions Delete Plugin up to 1.5.3 on WordPress. Affected by this issue is some unknown functionality. The manipulation leads to cross-site request forgery. This vulnerability is handled as CVE-2024-30482. The attack may be launched remotely. There is no exploit available.

The U.S. government funding for non-profit research giant MITRE to operate and maintain its Common Vulnerabilities and Exposures (CVE) program will expire Wednesday, an unprecedented development that could shake up one of the foundational pillars of the global cybersecurity ecosystem. The 25-year-old CVE program is a valuable tool for vulnerability management, offering a de facto standard to

MITRE’s Attack Flow project aims to translate complex cyber operations into a structured language. By describing how adversaries sequence and combine offensive techniques to reach their objectives, Attack Flow offers defenders, analysts, and decision-makers a tool to see the bigger picture. Threat intelligence Cyber threat intel (CTI) teams can use Attack Flow to show how attackers behave, not just what tools they use. It tracks activity across incidents, campaigns, or threat groups. Because it’s machine-readable, … More →

The post Attack Flow: Learn how cyber adversaries combine and sequence offensive techniques appeared first on Help Net Security.

Axing Security Clearance Will Undermine Talent Pipeline, Chill Vendor Collaboration
Trump’s executive order revoking security clearances from SentinelOne over its hiring of former CISA head Chris Krebs is fueling fear in the cybersecurity sector. Experts warn the decision could hinder cybersecurity talent recruitment and public-private partnerships essential to national defense.

Threat Actors Deploy Obfuscation Tactics to Targets Windows Machines
Likely Chinese nation-state hackers are targeting European companies using previously unseen malware backdoor variants with advanced network tunneling and evasion capabilities for data theft. Brussels-based security firm Nviso links the campaign to a threat actor tracked as UNC5221.

Ransomware Gang Qilin Claims to Have 42GB of Practice's Stolen Data
Ransomware group Qilin posted at least 42 gigabytes of data stolen from a Texas pediatric orthopedic practice for sale on its darkweb leak site in February. In recent days, Central Texas Pediatric Orthopedics began notifying more than 140,000 people that their data was compromised by hackers.

Malware Hides in Memory, Evades Detection by Endpoint Tools
A Chinese state-backed hacking group tracked as UNC5174 relaunched its operations after a year of silence with a campaign using a memory-only remote access Trojan that evades traditional detection mechanisms, according to new research from cybersecurity firm Sysdig.

Complaint Says Russia-Based IP Address Attempted to Gain Access as DOGE Took Data
A whistleblower has accused staffers from the Department of Government Efficiency of attempting to cover their tracks while collecting troves of sensitive data from the independent labor agency's computer systems, raising significant security concerns.

A CVSS score 7.8 AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H severity vulnerability discovered by 'Michael DePlante (@izobashi) of Trend Zero Day Initiative' was reported to the affected vendor on: 2025-04-16, 93 days ago. The vendor is given until 2025-08-14 to publish a fix or workaround. Once the vendor has created and tested a patch we will coordinate the release of a public advisory.

A CVSS score 3.3 AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N severity vulnerability discovered by 'Michael DePlante (@izobashi) of Trend Zero Day Initiative' was reported to the affected vendor on: 2025-04-16, 93 days ago. The vendor is given until 2025-08-14 to publish a fix or workaround. Once the vendor has created and tested a patch we will coordinate the release of a public advisory.

A CVSS score 9.8 AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H severity vulnerability discovered by 'Paolo `paupu` Cavaglia of Shielder, Abdel Adim `smaury` Oisfi of Shielder and Nicola `fromVeeko` Davico of Shielder' was reported to the affected vendor on: 2025-04-16, 93 days ago. The vendor is given until 2025-08-14 to publish a fix or workaround. Once the vendor has created and tested a patch we will coordinate the release of a public advisory.

A CVSS score 7.5 AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N severity vulnerability discovered by 'Anonymous' was reported to the affected vendor on: 2025-04-16, 93 days ago. The vendor is given until 2025-08-14 to publish a fix or workaround. Once the vendor has created and tested a patch we will coordinate the release of a public advisory.

A CVSS score 9.8 AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H severity vulnerability discovered by 'Anonymous' was reported to the affected vendor on: 2025-04-16, 93 days ago. The vendor is given until 2025-08-14 to publish a fix or workaround. Once the vendor has created and tested a patch we will coordinate the release of a public advisory.

Старые сессии живут вечно — и с этим срочно нужно что-то делать.

By now, most CISOs agree: passwords are the weakest link in the authentication chain. They’re easy to guess, hard to manage, and constantly reused. Even the most complex password policies don’t stop phishing or credential stuffing. That’s why passwordless authentication is gaining serious ground. Adopting passwordless authentication comes with challenges, including resistance to change, integration with legacy systems, and initial costs. Organizations may also have concerns about security, user experience, accessibility, compliance, and data privacy. … More →

The post The future of authentication: Why passwordless is the way forward appeared first on Help Net Security.

Хакеры выложили данные модераторов и код форума.

知名匿名讨论版 4chan 被黑客入侵，攻击者恢复了已删除的 /QA/ 板块，泄漏了管理员邮箱地址，公开了源代码。黑客利用的是 4chan 所使用的过时代码中的漏洞：4chan 部分板块允许上传 PDF，但没有对 PDF 进行验证确认是 PDF，上传的文件会使用 2012 年版的 Ghostscript 生成缩略图，攻击者通过上传带有 PostScript 命令的 PDF 获得了服务器的 shell access 访问权限。