Aggregator

CVE-2025-6769 | GitLab Community Edition/Enterprise Edition up to 18.1.5/18.2.5/18.3.1 exposure of sensitive system information to an unauthorized control sphere (Patch 551957 / EUVD-2025-29021)

Vuldb Updates
9 months 2 weeks ago
A vulnerability classified as problematic was found in GitLab Community Edition and Enterprise Edition up to 18.1.5/18.2.5/18.3.1. The affected element is an unknown function. The manipulation results in exposure of sensitive system information to an unauthorized control sphere. This vulnerability is identified as CVE-2025-6769. The attack can be executed remotely. There is not any exploit available. Upgrading the affected component is advised.
vuldb.com

CVE-2025-10094 | GitLab Community Edition/Enterprise Edition up to 18.1.5/18.2.5/18.3.1 Token improper validation of specified quantity in input (Patch 528469 / EUVD-2025-29016)

Vuldb Updates
9 months 2 weeks ago
A vulnerability labeled as critical has been found in GitLab Community Edition and Enterprise Edition up to 18.1.5/18.2.5/18.3.1. Affected is an unknown function of the component Token Handler. The manipulation results in improper validation of specified quantity in input. This vulnerability was named CVE-2025-10094. The attack may be performed from remote. There is no available exploit. The affected component should be upgraded.
vuldb.com

CVE-2025-1250 | GitLab Community Edition/Enterprise Edition up to 18.1.5/18.2.5/18.3.1 allocation of resources (Patch 519335 / EUVD-2025-29018)

Vuldb Updates
9 months 2 weeks ago
A vulnerability marked as problematic has been reported in GitLab Community Edition and Enterprise Edition up to 18.1.5/18.2.5/18.3.1. This vulnerability affects unknown code. Performing manipulation results in allocation of resources. This vulnerability was named CVE-2025-1250. The attack may be initiated remotely. There is no available exploit. It is suggested to upgrade the affected component.
vuldb.com

国家计算机病毒应急处理中心检测发现69款违法违规收集使用个人信息的移动应用

嘶吼
9 months 2 weeks ago

依据《网络安全法》《个人信息保护法》等法律法规,按照《中央网信办、工业和信息化部、公安部、市场监管总局关于开展2025年个人信息保护系列专项行动的公告》要求,经国家计算机病毒应急处理中心检测,69款移动应用存在违法违规收集使用个人信息情况,现通报如下。

1、在App首次运行时未通过弹窗等明显方式提示用户阅读隐私政策等收集使用规则;隐私政策难以访问;个人信息处理者在处理个人信息前,未以显著方式、清晰易懂的语言真实、准确、完整地向个人告知个人信息处理者的名称或者姓名、联系方式、个人信息的保存期限等。涉及24款移动应用如下

《95128打车》(微信小程序)、《iBangKF》(版本0.0.0.25,官网)、《i人事》(版本5.38.6,360手机助手)、《八佰伴智慧购》(微信小程序)、《大方租车》(百度小程序)、《短线王》(版本6.2.0,vivo应用商店)、《哈啰租车》(微信小程序)、《海草集IM》(版本1.5.5,搜狗下载)、《绘影字幕》(版本4.8.2,搜狗下载)、《明薪看星座》(百度小程序)、《木丁出行》(微信小程序)、《泡泡钢琴》(版本8.0.0,小米应用商店)、《齐家》(百度小程序)、《神州租车》(微信小程序)、《速回收》(百度小程序)、《速译扫描通》(版本V5.0.2,抖音应用中心)、《天下行租车》(微信小程序)、《为你诵读》(版本6.1.42,小米应用商店)、《西影视频》(版本3.3.1,百度手机助手)、《下厨房》(百度小程序)、《小熊录屏》(版本2.4.8.3,百度手机助手)、《星座屋》(百度小程序)、《阳光出行丨快车出行专车打车软件》(微信小程序)、《云滴出行》(微信小程序)。

2、隐私政策未逐一列出App(包括委托的第三方或嵌入的第三方代码、插件)收集使用个人信息的目的、方式、范围等。涉及31款移动应用如下

《233乐园内购SDK》(版本V3.2.13,官网)、《233网校》(版本v4.8.2,应用汇)、《iBangKF》(版本0.0.0.25,官网)、《MERIT超燃脂》(版本V5.5.1.0,应用宝)、《大商天狗》(版本3.0.8,豌豆荚)、《大同证券》(版本V9.00.46,小米应用商店)、《袋鼠点点短视频》(版本1.3.8,小米应用商店)、《海草集IM》(版本1.5.5,搜狗下载)、《海文考研》(版本5.2.6.0,豌豆荚)、《好好记账》(版本1.17.4,小米应用商店)、《华数TV》(版本7.2.3.1,应用宝)、《涟漪饮用水》(版本2.0.46,历趣市场)、《南城香+》(微信小程序)、《汽场》(版本3.9.9,应用汇)、《青书学堂》(版本25.8.0,PP助手)、《全知识》(版本4.30.2,PP助手)、《舒华运动》(版本5.6.4,vivo应用商店)、《钛马星》(版本5.4.240904.1_v(69),vivo应用商店)、《天下行租车》(微信小程序)、《图纸通》(版本V8.17.0,360手机助手)、《为你诵读》(版本6.1.42,小米应用商店)、《窝友自驾》(版本9.8.24,vivo应用商店)、《戏鲸》(版本3.35.1,快手下载中心)、《小步在家早教》(版本6.9.55,PP助手)、《信达期货》(版本V3.0.3(30003),应用宝)、《一瓜兼职》(版本V2.8.3,360手机助手)、《弈战平台》(版本3.0.14,当快软件园)、《源动健康》(版本2.74.97,应用宝)、《掌心宝贝》(版本6.23.0,应用宝)、《真香兼职》(版本1.6.8.0,应用宝)、《竹马》(版本7.7.2,OPPO软件商店)。

3、个人信息处理者向其他个人信息处理者提供其处理的个人信息的,未向个人告知接收方的名称或者姓名、联系方式、处理目的、处理方式和个人信息的种类,并取得个人的单独同意;App客户端向第三方提供个人信息,包括通过客户端嵌入的第三方代码、插件等方式向第三方提供个人信息,未经过用户同意,未做匿名化处理。涉及17款移动应用如下

《大同证券》(版本V9.00.46,小米应用商店)、《枫叶租车》(微信小程序)、《海草集IM》(版本1.5.5,搜狗下载)、《海文考研》(版本5.2.6.0,豌豆荚)、《绘影字幕》(版本4.8.2,搜狗下载)、《就是你》(版本1.1.95,快手下载中心)、《泡泡钢琴》(版本8.0.0,小米应用商店)、《汽场》(版本3.9.9,应用汇)、《神州租车》(微信小程序)、《舒华运动》(版本5.6.4,vivo应用商店)、《速译扫描通》(版本V5.0.2,抖音应用中心)、《天下行租车》(微信小程序)、《为你诵读》(版本6.1.42,小米应用商店)、《西影视频》(版本3.3.1,百度手机助手)、《戏鲸》(版本3.35.1,快手下载中心)、《一瓜兼职》(版本V2.8.3,360手机助手)、《弈战平台》(版本3.0.14,当快软件园)。

4、未在征得用户同意后才开始收集个人信息或打开可收集个人信息的权限。涉及3款移动应用如下

《233乐园内购SDK》(版本V3.2.13,官网)、《大方租车》(百度小程序)、《齐家》(百度小程序)。

5、未提供有效的更正、删除个人信息及注销用户账号功能。涉及2款移动应用如下

《绘影字幕》(版本4.8.2,搜狗下载)、《钛马星》(版本5.4.240904.1_v(69),vivo应用商店)。

6、投诉、举报未在承诺时限内受理并处理。涉及1款移动应用如下

《i人事》(版本5.38.6,360手机助手)

7、未向用户提供撤回同意收集个人信息的途径、方式;个人信息处理者未提供便捷的撤回同意的方式。涉及34款移动应用如下

《i人事》(版本5.38.6,360手机助手)、《大方租车》(百度小程序)、《大商天狗》(版本3.0.8,豌豆荚)、《短线王》(版本6.2.0,vivo应用商店)、《哈啰租车》(微信小程序)、《海文考研》(版本5.2.6.0,豌豆荚)、《好好记账》(版本1.17.4,小米应用商店)、《剪辑猫》(版本1.4.7,百度手机助手)、《就是你》(版本1.1.95,快手下载中心)、《涟漪饮用水》(版本2.0.46,历趣市场)、《马记永》(微信小程序)、《泡泡钢琴》(版本8.0.0,小米应用商店)、《青书学堂》(版本25.8.0,PP助手)、《全知识》(版本4.30.2,PP助手)、《闪送》(版本6.7.42,OPPO软件商店)、《神州租车》(微信小程序)、《升学指导网》(版本4.7.9,历趣市场)、《速译扫描通》(版本V5.0.2,抖音应用中心)、《钛马星》(版本5.4.240904.1_v(69),vivo应用商店)、《图纸通》(版本V8.17.0,360手机助手)、《为你诵读》(版本6.1.42,小米应用商店)、《窝友自驾》(版本9.8.24,vivo应用商店)、《西影视频》(版本3.3.1,百度手机助手)、《小步在家早教》(版本6.9.55,PP助手)、《小拉出行》(微信小程序)、《小熊录屏》(版本2.4.8.3,百度手机助手)、《阳光出行丨快车出行专车打车软件》(微信小程序)、《一瓜兼职》(版本V2.8.3,360手机助手)、《弈战平台》(版本3.0.14,当快软件园)、《愉客行》(版本5.0.4,vivo应用商店)、《源动健康》(版本2.74.97,应用宝)、《云滴出行》(微信小程序)、《真香兼职》(版本1.6.8.0,应用宝)、《竹马》(版本7.7.2,OPPO软件商店)。

8、通过自动化决策方式向个人进行信息推送、商业营销,未同时提供不针对其个人特征的选项,或者未向个人提供便捷的拒绝方式。涉及4款移动应用如下

《233网校》(版本v4.8.2,应用汇)、《哈啰租车》(微信小程序)、《马记永》(微信小程序)、《掌心宝贝》(版本6.23.0,应用宝)。

9、个人信息处理者处理敏感个人信息的,未向个人告知处理敏感个人信息的必要性以及对个人权益的影响。涉及1款移动应用如下

《95128打车》(微信小程序)。

10、个人信息处理者处理不满十四周岁未成年人个人信息的,未制定专门的个人信息处理规则;收集未成年人信息未取得监护人单独同意。涉及9款移动应用如下

《MERIT超燃脂》(版本V5.5.1.0,应用宝)、《季季红点餐》(微信小程序)、《明薪看星座》(百度小程序)、《南城香+》(微信小程序)、《齐家》(百度小程序)、《舒华运动》(版本5.6.4,vivo应用商店)、《速回收》(百度小程序)、《下厨房》(百度小程序)、《星座屋》(百度小程序)。

11、未采取相应的加密、去标识化等安全技术措施。涉及41款移动应用如下

《233乐园内购SDK》(版本V3.2.13,官网)、《95128打车》(微信小程序)、《iBangKF》(版本0.0.0.25,官网)、《八佰伴智慧购》(微信小程序)、《曹操出行|打车快车专车》(微信小程序)、《大方租车》(百度小程序)、《大商天狗》(版本3.0.8,豌豆荚)、《东兴198》(版本6.1.6,OPPO软件商店)、《短线王》(版本6.2.0,vivo应用商店)、《枫叶租车》(微信小程序)、《哈啰租车》(微信小程序)、《海草集IM》(版本1.5.5,搜狗下载)、《海文考研》(版本5.2.6.0,豌豆荚)、《华数TV》(版本7.2.3.1,应用宝)、《绘影字幕》(版本4.8.2,搜狗下载)、《季季红点餐》(微信小程序)、《剪辑猫》(版本1.4.7,百度手机助手)、《就是你》(版本1.1.95,快手下载中心)、《涟漪饮用水》(版本2.0.46,历趣市场)、《马记永》(微信小程序)、《木丁出行》(微信小程序)、《奶油桌面》(版本3.6.6,搜狗下载)、《南城香+》(微信小程序)、《齐家》(百度小程序)、《闪送》(版本6.7.42,OPPO软件商店)、《神州租车》(微信小程序)、《升学指导网》(版本4.7.9,历趣市场)、《速回收》(百度小程序)、《钛马星》(版本5.4.240904.1_v(69),vivo应用商店)、《天下行租车》(微信小程序)、《铁行租车》(微信小程序)、《图纸通》(版本V8.17.0,360手机助手)、《窝友自驾》(版本9.8.24,vivo应用商店)、《悟空租车丨经济商务豪跑车新能源》(微信小程序)、《戏鲸》(版本3.35.1,快手下载中心)、《下厨房》(百度小程序)、《小拉出行》(微信小程序)、《印象笔记》(版本10.8.68,360手机助手)、《愉客行》(版本5.0.4,vivo应用商店)、《云滴出行》(微信小程序)、《竹马》(版本7.7.2,OPPO软件商店)。

12、无隐私政策。涉及3款移动应用如下

《当当》(百度小程序)、《电视猫》(百度小程序)、《漫客栈》(百度小程序)。

上期通报的国家计算机病毒应急处理中心检测发现的70款违法违规移动应用,经复测仍有33款存在问题,相关移动应用分发平台已予以下架。

(注:文中所列移动应用检测时间为2025年7月30日至2025年8月31日)

文章开源自:国家网络安全通报中心

胡金鱼

CVE-2025-10320 | iteachyou Dreamer CMS up to 4.1.3.2 /admin/user/updatePwd weak password (EUVD-2025-29054)

VulDB Recent Entries
9 months 2 weeks ago
A vulnerability identified as critical has been detected in iteachyou Dreamer CMS up to 4.1.3.2. This issue affects some unknown processing of the file /admin/user/updatePwd. Performing manipulation results in weak password requirements. This vulnerability is known as CVE-2025-10320. Remote exploitation of the attack is possible. Furthermore, an exploit is available. The vendor was contacted early about this disclosure but did not respond in any way.
vuldb.com

HCL AppScan 360º 2.0 protects software supply chains

Help Net Security
9 months 2 weeks ago

HCLSoftware launched HCL AppScan 360º version 2.0, a next-generation application security platform designed to help organizations regain control over their software supply chains. As open-source adoption accelerates and global data regulations tighten, HCL AppScan 360º delivers a cloud-native solution that enables enterprises to secure their applications, without compromising visibility, compliance, or sovereignty. High-profile incidents like Log4Shell have exposed the fragility of software supply chains and the lack of visibility many organizations have into their own … More →

The post HCL AppScan 360º 2.0 protects software supply chains appeared first on Help Net Security.

Industry News

CVE-2025-21043 | Samsung Devices libimagecodec.quram.so out-of-bounds write (EUVD-2025-29028)

VulDB Recent Entries
9 months 2 weeks ago
A vulnerability categorized as critical has been discovered in Samsung Devices. This vulnerability affects unknown code of the file libimagecodec.quram.so. Such manipulation leads to out-of-bounds write. This vulnerability is traded as CVE-2025-21043. The attack may be launched remotely. There is no exploit available. Applying a patch is advised to resolve this issue.
vuldb.com

CVE-2025-21042 | Samsung Devices libimagecodec.quram.so out-of-bounds write (EUVD-2025-29029)

VulDB Recent Entries
9 months 2 weeks ago
A vulnerability was found in Samsung Devices. It has been rated as critical. This affects an unknown part of the file libimagecodec.quram.so. This manipulation causes out-of-bounds write. This vulnerability appears as CVE-2025-21042. The attack may be initiated remotely. There is no available exploit. It is recommended to apply a patch to fix this issue.
vuldb.com

CVE-2025-10319 | JeecgBoot up to 3.8.2 Tenant Log Export /sys/tenant/exportLog improper authorization (EUVD-2025-29051)

VulDB Recent Entries
9 months 2 weeks ago
A vulnerability was found in JeecgBoot up to 3.8.2. It has been declared as critical. Affected by this issue is some unknown functionality of the file /sys/tenant/exportLog of the component Tenant Log Export. The manipulation results in improper authorization. This vulnerability is reported as CVE-2025-10319. The attack can be launched remotely. Moreover, an exploit is present. The vendor was contacted early about this disclosure but did not respond in any way.
vuldb.com

CVE-2025-10318 | JeecgBoot up to 3.8.2 WebSocket Message sendWebSocketMsg userIds improper authorization (EUVD-2025-29044)

VulDB Recent Entries
9 months 2 weeks ago
A vulnerability was found in JeecgBoot up to 3.8.2. It has been classified as critical. Affected by this vulnerability is an unknown functionality of the file /api/system/sendWebSocketMsg of the component WebSocket Message Handler. The manipulation of the argument userIds leads to improper authorization. This vulnerability is documented as CVE-2025-10318. The attack can be initiated remotely. Additionally, an exploit exists. The vendor was contacted early about this disclosure but did not respond in any way.
vuldb.com

Apple issues spyware warnings as CERT-FR confirms attacks

Security Affairs
9 months 2 weeks ago
Apple warned users of a spyware campaign; France’s cyber agency confirmed targeted iCloud-linked devices may be compromised. Apple warned customers last week about new spyware attacks, the French national Computer Emergency Response Team (CERT-FR) said. The agency confirmed at least four such alerts since early 2025. Apple sent spyware alerts on March 5, April 29, […]
Pierluigi Paganini

Cloud-Native Security in 2025: Why Runtime Visibility Must Take Center Stage

The Hackers News
9 months 2 weeks ago
The security landscape for cloud-native applications is undergoing a profound transformation. Containers, Kubernetes, and serverless technologies are now the default for modern enterprises, accelerating delivery but also expanding the attack surface in ways traditional security models can’t keep up with. As adoption grows, so does complexity. Security teams are asked to monitor sprawling hybrid
The Hacker News

全球消费的鳗鱼 99% 属于濒危物种

Solidot
9 months 2 weeks ago
日本中央大学与台湾大学研究团队发现全球消费的鳗鱼 99% 以上属于三种濒危物种。这些被广泛食用的鳗鱼是美洲鳗、日本鳗和欧洲鳗,它们被世界自然保护联盟评估为濒临灭绝。鳗鱼在全球范围内存在大量不透明交易,难以掌握实际流通量,此次研究为了解真实情况提供了线索。研究团队对 2023-2025 年在亚洲、欧美及大洋洲 11 个国家和地区 26 个城市购买的 282 件加工品和生鲜品进行基因检测,确定了种类。其中美洲鳗 154 件,日本鳗 120 件,欧洲鳗 4 件,印度尼西亚短鳍鳗 1 件,另有 3 件未能进行分析。根据该结果,结合各国的生产量、贸易统计数据和市场规模推测全球流通比例,美洲鳗占 75.3%,日本鳗占 18.0%,欧洲鳗占 6.7%。从国别流通量来看,中国约占 60%,日本约占 19%,东亚地区可能占了大半。

Sublime Security enhances threat protection with AI agent

Help Net Security
9 months 2 weeks ago

Sublime Security released the Autonomous Detection Engineer (ADÉ), an end-to-end AI agent that turns attack telemetry into transparent and auditable protection that security teams can trust. Email attacks are advancing as adversaries weaponize generative AI to create highly targeted and rapidly shifting campaigns. Unlike traditional solutions which rely on vendor-initiated coverage updates, ADÉ analyzes new attack patterns to write, test, and validate new tailored coverage. It analyzes historical data at scale, iterates on detection strategies, … More →

The post Sublime Security enhances threat protection with AI agent appeared first on Help Net Security.

Industry News

Managed ad