Aggregator

grep Claims to be Selling Access to an Unidentified Software Company in America

A vulnerability has been found in ESAFENET DSM 3.1.2 and classified as critical. Affected by this vulnerability is the function examExportPDF of the file /admin/plan/examExportPDF. The manipulation of the argument s leads to command injection. This vulnerability is known as CVE-2025-1845. The attack can be launched remotely. Furthermore, there is an exploit available. The vendor was contacted early about this disclosure but did not respond in any way.

A vulnerability, which was classified as critical, was found in ESAFENET CDG 5.6.3.154.205_20250114. Affected is an unknown function of the file /CDGServer3/logManagement/backupLogDetail.jsp. The manipulation of the argument logTaskId leads to sql injection. This vulnerability is traded as CVE-2025-1844. It is possible to launch the attack remotely. Furthermore, there is an exploit available. The vendor was contacted early about this disclosure but did not respond in any way.

A vulnerability, which was classified as critical, has been found in Mini-Tmall up to 20250211. This issue affects the function select of the file com/xq/tmall/dao/ProductMapper.java. The manipulation of the argument orderBy leads to sql injection. The identification of this vulnerability is CVE-2025-1843. The attack may be initiated remotely. Furthermore, there is an exploit available. The vendor was contacted early about this disclosure but did not respond in any way.

Submit #505009 / VDB-298111

Submit #505008 / VDB-298110

Shawn C 写道: ARM TrustZone 的设计初衷是将内存划分为两个世界：非安全世界（运行丰富执行环境，如 Linux/Android）和安全世界（运行受信任的执行环境，即 TEE OS）。它已在汽车、移动设备和硬件钱包等行业广泛部署。关键点如下：
* Linux 内核运行在非安全 EL1（NS.EL1）。
* TEE OS 运行在安全 EL1（S.EL1）。
* 安全监控器（例如 ARM Trusted Firmware，ATF）运行在安全 EL3（S.EL3）。
* Linux 内核通过发出 SMC（安全监控调用）指令给安全监控器，后者再将请求路由至 TEE OS。
* 默认情况下，ARM 核心架构没有为 MMU 提供安全扩展。这意味着，如果 SoC 供应商没有集成专用的 TZASC（TrustZone 地址空间控制器）IP，则两个世界之间的内存隔离将无法有效实现。
* 任何需要安全处理的外设必须由安全世界管理。因此，SoC 必须集成额外的 IP 用于 TZPC（TrustZone 防护控制器）。这一方法与 x86_64 生态系统中使用的 MMU、IOMMU、EPC、SGX 或 TDX 有显著不同。
* ARM 参考模型允许安全世界和非安全世界使用相同的物理地址（例如，非安全物理地址 np:0x1000 与安全物理地址 sp:0x1000）对应内存系统中不同的位置。然而，大多数 SoC 供应商倾向于避免这种复杂性（即 np:0x1000 和 sp:0x1000 指的是相同位置）。
* 与 x86 相比，ARM 的 TEE 更类似于系统管理模式（SMM）。

A vulnerability classified as problematic was found in FITSTATS Technologies AthleteMonitoring up to 20250302. This vulnerability affects unknown code of the file /login.php. The manipulation of the argument username leads to cross site scripting. This vulnerability was named CVE-2025-1842. The attack can be initiated remotely. Furthermore, there is an exploit available. The vendor was contacted early about this disclosure but did not respond in any way.

Submit #504958 / VDB-298109

A vulnerability classified as critical has been found in ESAFENET CDG 5.6.3.154.205. This affects an unknown part of the file /CDGServer3/logManagement/ClientSortLog.jsp. The manipulation of the argument startDate/endDate leads to sql injection. This vulnerability is uniquely identified as CVE-2025-1841. It is possible to initiate the attack remotely. Furthermore, there is an exploit available.

A vulnerability was found in ESAFENET CDG 5.6.3.154.205. It has been rated as critical. Affected by this issue is some unknown functionality of the file /CDGServer3/workflowE/useractivate/updateorg.jsp. The manipulation of the argument flowId leads to sql injection. This vulnerability is handled as CVE-2025-1840. The attack may be launched remotely. Furthermore, there is an exploit available.

Submit #504603 / VDB-298108

Submit #504385 / VDB-298107

Submit #504384 / VDB-298106

A vulnerability, which was classified as critical, was found in Apple tvOS. This affects an unknown part of the component Web Handler. The manipulation leads to memory corruption. This vulnerability is uniquely identified as CVE-2024-44244. It is possible to initiate the attack remotely. There is no exploit available. It is recommended to upgrade the affected component.

A vulnerability has been found in Apple watchOS and classified as critical. This vulnerability affects unknown code of the component Web Handler. The manipulation leads to memory corruption. This vulnerability was named CVE-2024-44244. The attack can be initiated remotely. There is no exploit available. It is recommended to upgrade the affected component.

A vulnerability was found in Apple iOS and iPadOS and classified as critical. This issue affects some unknown processing of the component Web Handler. The manipulation leads to memory corruption. The identification of this vulnerability is CVE-2024-44244. The attack may be initiated remotely. There is no exploit available. It is recommended to upgrade the affected component.

Close to 12,000 valid secrets that include API keys and passwords have been found in the Common Crawl dataset used for training multiple artificial intelligence models. [...]

2025年3月，让我们更多地投入世界怀抱

2025年3月，让我们更多地投入世界怀抱