Aggregator

微软就删除 VSCode 扩展一事向开发者致歉

HackerNews
8 months 4 weeks ago
HackerNews 编译,转载请注明出处: 微软就删除VSCode扩展一事向开发者致歉   2025年3月13日,微软在Visual Studio Marketplace中重新上架了“Material Theme – Free”和“Material Theme Icons – Free”两款VSCode扩展。此前,这两款扩展因被怀疑包含恶意代码而被下架,其开发者Mattia Astorino(别名“equinusocio”)也被平台封禁。 这两款扩展的安装量超过900万次,于2月因安全风险被下架。当时,微软表示,社区成员对扩展进行了深度安全分析,发现多处可疑迹象并报告给微软。微软安全研究人员确认了这一说法,并发现了更多可疑代码。 研究人员Amit Assaraf和Itay Kruk在使用AI扫描工具检查VSCode提交内容时,首次将这两款扩展标记为潜在恶意软件。他们认为,Material Theme的“release-notes.js”文件中存在代码执行能力且代码经过高度混淆,这引发了安全担忧。 然而,开发者Astorino对此表示反对,称问题出自在扩展中使用的一个自2016年以来就未更新的sanity.io依赖项,该依赖项用于显示发布说明。他指出,如果微软在下架前与他沟通,他可以在几秒钟内解决这一问题,而不是直接封禁他的账号。 Astorino表示,Material Theme扩展的混淆过程中无意中包含了sanity.io SDK客户端,其中包含了一些引用用户名或密码的字符串,但这些并非恶意代码,只是多年前构建过程中的一个错误。 3月12日,微软的Scott Hanselman在GitHub上向Astorino道歉,并恢复了他的开发者账号。他承认,微软在处理此事时过于仓促,导致了错误的结论。Hanselman还表示,Visual Studio Code Marketplace将更新其对混淆代码的政策,并改进扫描工具,以避免未来再次匆忙处理类似项目。 尽管如此,Amit Assaraf在接受采访时仍坚持认为,该扩展确实包含恶意代码,但他也承认开发者并无恶意意图。   消息来源:Bleeping Computer; 本文由 HackerNews.cc 翻译整理,封面来源于网络;   转载请注明“转自 HackerNews.cc”并附上原文
hackernews

Meta 警告 FreeType 漏洞的被攻击风险

HackerNews
8 months 4 weeks ago
HackerNews 编译,转载请注明出处: Meta警告称,FreeType开源字体渲染库存在安全漏洞(CVE-2025-27363),可能已被用于实际攻击。该漏洞被评定为高危,CVSS评分为8.1,属于越界写入漏洞,可能被利用来实现远程代码执行。 漏洞存在于FreeType 2.13.0及以下版本中。当解析与TrueType GX和可变字体文件相关的字体子字形结构时,漏洞代码会将一个有符号短整型值分配给无符号长整型,并添加一个静态值,导致缓冲区分配过小。随后,代码会在分配的缓冲区边界外写入多达6个有符号长整型值。 FreeType开发者Werner Lemberg表示,该漏洞已在两年前修复,2.13.0以上版本不再受影响。然而,许多Linux发行版仍在使用过时版本的FreeType库,存在被利用的风险。这些发行版包括: AlmaLinux Alpine Linux Amazon Linux 2 Debian稳定版 RHEL/CentOS Stream 8和9 GNU Guix Mageia OpenMandriva openSUSE Leap Slackware Ubuntu 22.04 鉴于该漏洞已被实际利用的风险,用户被建议尽快更新至FreeType的最新版本(2.13.3),以获得最佳保护。   消息来源:The Hacker News;  本文由 HackerNews.cc 翻译整理,封面来源于网络;   转载请注明“转自 HackerNews.cc”并附上原文
hackernews

CVE-2024-43303 | videousermanuals White Label CMS Plugin up to 2.7.4 on WordPress cross site scripting

Vuldb Updates
8 months 4 weeks ago
A vulnerability was found in videousermanuals White Label CMS Plugin up to 2.7.4 on WordPress. It has been declared as problematic. Affected by this vulnerability is an unknown functionality. The manipulation leads to cross site scripting. This vulnerability is known as CVE-2024-43303. The attack can be launched remotely. There is no exploit available.
vuldb.com

CVE-2024-6843 | Chatbot with ChatGPT Plugin up to 2.4.4 on WordPress cross site scripting

Vuldb Updates
8 months 4 weeks ago
A vulnerability, which was classified as problematic, has been found in Chatbot with ChatGPT Plugin up to 2.4.4 on WordPress. This issue affects some unknown processing. The manipulation leads to cross site scripting. The identification of this vulnerability is CVE-2024-6843. The attack may be initiated remotely. There is no exploit available. It is recommended to upgrade the affected component.
vuldb.com

CVE-2024-43291 | voidCoders Void Contact Form 7 Widget for Elementor Page Builder Plugin cross site scripting

Vuldb Updates
8 months 4 weeks ago
A vulnerability classified as problematic has been found in voidCoders Void Contact Form 7 Widget for Elementor Page Builder Plugin up to 2.4.1 on WordPress. This affects an unknown part. The manipulation leads to cross site scripting. This vulnerability is uniquely identified as CVE-2024-43291. It is possible to initiate the attack remotely. There is no exploit available.
vuldb.com

CVE-2024-25582 | Open-Xchange OX App Suite up to 7.10.6-rev42 Module Savepoint cross site scripting

Vuldb Updates
8 months 4 weeks ago
A vulnerability has been found in Open-Xchange OX App Suite up to 7.10.6-rev42 and classified as problematic. Affected by this vulnerability is an unknown functionality of the component Module Savepoint Handler. The manipulation leads to cross site scripting. This vulnerability is known as CVE-2024-25582. The attack can be launched remotely. There is no exploit available. It is recommended to upgrade the affected component.
vuldb.com

Managed ad