Aggregator

Зонд Perseverance нашёл крайне интересные минералы. Неужели никто не заберёт их домой?

Cybersecurity researchers have disclosed two new campaigns that are serving fake browser extensions using malicious ads and fake websites to steal sensitive data. The malvertising campaign, per Bitdefender, is designed to push fake "Meta Verified" browser extensions named SocialMetrics Pro that claim to unlock the blue check badge for Facebook and Instagram profiles. At least 37 malicious ads

As bad actors often simply waltz through companies’ digital front doors with a key, here’s how to keep your own door locked tight

U.S. Senator Ron Wyden has called on the Federal Trade Commission (FTC) to investigate Microsoft for what he terms “gross cybersecurity negligence,” accusing the tech giant of knowingly shipping its Windows operating system with a dangerously outdated form of encryption that has enabled devastating ransomware attacks on U.S. critical infrastructure, including major healthcare systems. In […]

The post Senator Calls for FTC Investigation into Microsoft’s Use of Outdated RC4 Encryption and Kerberoasting Vulnerabilities appeared first on Cyber Security News.

作者：维一零 原文链接：https://weiyiling.cn/one/multi_npmjs_hijack_review 0x00 前言 这2天NPM仓库又遭受严重的供应链攻击，看起来性质和LedgerHQ库的事件差不多，目的也是盗窃加密货币。虽然这次并没有成功盗取到币，但是影响范围巨大，目前至少已发现了24款核心库被黑，包括chalk和debug等知名的JS库，这些库每周有着超过20亿...

ChillyHell всё ещё процветает и продолжает портить жизнь пользователям по всему миру.

Government-run train operator LNER has revealed details of a supplier data breach

网信办在一份简短声明中宣布以女性为主的社交应用小红书被要求限期整改。“针对小红书平台未落实信息内容管理主体责任，在热搜榜单重点环节频繁呈现多条炒作明星个人动态和琐事类词条等不良信息内容，破坏网络生态问题，国家网信办指导上海市网信办，依据《网络信息内容生态治理规定》等有关规定，对小红书平台采取约谈、责令限期改正、警告、从严处理责任人等处置处罚措施。”

A vulnerability was found in Catalog Importer, Scraper & Crawler Plugin up to 5.1.4 on WordPress. It has been classified as critical. Impacted is the function eval. Performing manipulation results in code injection. This vulnerability is cataloged as CVE-2025-8417. It is possible to initiate the attack remotely. There is no exploit available.

A vulnerability identified as critical has been detected in Ultimate Classified Listings Plugin up to 1.6 on WordPress. This impacts the function save_custom_fields of the component Setting Handler. This manipulation of the argument custom causes missing authorization. This vulnerability appears as CVE-2025-0763. The attack may be initiated remotely. There is no available exploit.

A vulnerability labeled as critical has been found in My WP Translate Plugin up to 1.1 on WordPress. Affected is the function mtswpt_remove_plugin. Such manipulation leads to missing authorization. This vulnerability is traded as CVE-2025-8423. The attack may be launched remotely. There is no exploit available.

A vulnerability classified as problematic was found in Mitfahrgelegenheit Plugin up to 1.1.5 on WordPress. This vulnerability affects unknown code. The manipulation of the argument Date results in cross site scripting. This vulnerability was named CVE-2025-8392. The attack may be performed from remote. There is no available exploit.

A vulnerability, which was classified as critical, has been found in My WP Translate Plugin up to 1.1 on WordPress. This issue affects the function ajax_import_strings. This manipulation causes missing authorization. The identification of this vulnerability is CVE-2025-8425. It is possible to initiate the attack remotely. There is no exploit available.

A vulnerability was found in Certifica WP Plugin up to 3.1 on WordPress and classified as problematic. The impacted element is an unknown function. Executing manipulation of the argument evento can lead to cross site scripting. This vulnerability is tracked as CVE-2025-8316. The attack can be launched remotely. No exploit exists.

A vulnerability was found in Propovoice Plugin up to 1.7.6.7 on WordPress. It has been rated as problematic. Affected is the function send_email. This manipulation causes information disclosure. This vulnerability is registered as CVE-2025-8422. Remote exploitation of the attack is possible. No exploit is available.

A vulnerability classified as problematic has been found in Blog Designer for Elementor Plugin up to 1.1.7 on WordPress. Impacted is the function bdfe_install_activate_rswpbs_only. This manipulation causes cross-site request forgery. This vulnerability is handled as CVE-2025-8481. The attack can be initiated remotely. There is not any exploit available.

A vulnerability classified as problematic was found in Countdown Timer for Elementor Plugin up to 1.3.9 on WordPress. The affected element is an unknown function. Such manipulation of the argument countdown_label leads to cross site scripting. This vulnerability is uniquely identified as CVE-2025-8445. The attack can be launched remotely. No exploit exists.

A vulnerability has been found in Salon Booking System, Appointment Scheduling for Salons, Spas & Small Businesses Plugin up to 10.20 on WordPress and classified as critical. This impacts an unknown function. The manipulation leads to missing authorization. This vulnerability is referenced as CVE-2025-8492. Remote exploitation of the attack is possible. No exploit is available.

A vulnerability was found in WP Easy FAQs Plugin up to 1.0.5 on WordPress. It has been classified as problematic. Affected by this vulnerability is the function WP_EASY_FAQ of the component Shortcode Handler. This manipulation causes cross site scripting. This vulnerability is tracked as CVE-2025-8686. The attack is possible to be carried out remotely. No exploit exists.