Aggregator

A vulnerability, which was classified as problematic, has been found in net-textproto up to 1.21.7/1.22.0 on Go. Affected by this issue is the function Request.ParseMultipartForm/Request.FormValue/Request.PostFormValue/Request.FormFile. The manipulation leads to resource consumption. This vulnerability is handled as CVE-2023-45290. The attack needs to be approached within the local network. There is no exploit available. It is recommended to upgrade the affected component.

A vulnerability was found in GNU Emacs up to 29.2. It has been rated as critical. Affected by this issue is some unknown functionality of the component Inline MIME Handler. The manipulation leads to Remote Code Execution. This vulnerability is handled as CVE-2024-30203. The attack may be launched remotely. There is no exploit available. It is recommended to upgrade the affected component.

A vulnerability was found in Mybatis Plus up to 3.5.5. It has been rated as critical. This issue affects some unknown processing. The manipulation leads to sql injection. The identification of this vulnerability is CVE-2024-35548. The attack may be initiated remotely. There is no exploit available. It is recommended to upgrade the affected component.

A vulnerability was found in Fluid Topics Platform up to 4.2. It has been rated as critical. This issue affects some unknown processing. The manipulation leads to server-side request forgery. The identification of this vulnerability is CVE-2023-31456. The attack may be initiated remotely. There is no exploit available. It is recommended to upgrade the affected component.

A vulnerability was found in Apache Tomcat up to 9.0.89/10.1.24/11.0.0-M20. It has been declared as critical. Affected by this vulnerability is an unknown functionality of the component TLS Handshake Handler. The manipulation leads to resource consumption. This vulnerability is known as CVE-2024-38286. The attack can be launched remotely. There is no exploit available. It is recommended to upgrade the affected component.

A vulnerability classified as critical was found in Zoho ManageEngine ADAudit Plus up to 8121. Affected by this vulnerability is an unknown functionality of the component Technician Reports Option. The manipulation leads to sql injection. This vulnerability is known as CVE-2024-36485. The attack can be launched remotely. There is no exploit available. It is recommended to upgrade the affected component.

A vulnerability, which was classified as critical, was found in martinvonz jj up to 0.22.x. Affected is an unknown function of the component Git Repository Handler. The manipulation leads to path traversal. This vulnerability is traded as CVE-2024-51990. It is possible to launch the attack remotely. There is no exploit available. It is recommended to upgrade the affected component.

A vulnerability was found in WP Booking Calendar Plugin up to 10.6.2 on WordPress. It has been classified as problematic. This affects an unknown part of the component Setting Handler. The manipulation leads to cross site scripting. This vulnerability is uniquely identified as CVE-2024-10027. It is possible to initiate the attack remotely. There is no exploit available. It is recommended to upgrade the affected component.

A vulnerability was found in HCL BigFix Compliance 2.0.11. It has been declared as problematic. This vulnerability affects unknown code of the component Web Page Cache Handler. The manipulation leads to open redirect. This vulnerability was named CVE-2024-30140. The attack can be initiated remotely. There is no exploit available.

A vulnerability was found in HCL BigFix Compliance 2.0.11. It has been rated as problematic. This issue affects some unknown processing of the component Session Cookie Handler. The manipulation leads to sensitive cookie without secure attribute. The identification of this vulnerability is CVE-2024-30142. The attack may be initiated remotely. There is no exploit available.

A vulnerability classified as problematic has been found in HCL BigFix Compliance 2.0.11. Affected is an unknown function. The manipulation leads to information exposure through error message. This vulnerability is traded as CVE-2024-30141. It is possible to launch the attack remotely. There is no exploit available.

An ICO audit of AI recruitment tools found numerous data privacy issues that may lead to jobseekers being discriminated against and privacy compromised

A significant vulnerability (CVE-2024-20445) has been discovered in Cisco Desk Phone 9800 Series, IP Phone 7800 and 8800 Series, and Video Phone 8875 that could allow remote, unauthenticated attackers to access sensitive information. This vulnerability, classified under CWE-200 (Exposure of Sensitive Information to an Unauthorized Actor), is due to improper storage of sensitive information within the web […]

The post Cisco Desk Phone Series Vulnerability Lets Remote Attacker Access Sensitive Information appeared first on GBHackers Security | #1 Globally Trusted Cyber Security News Platform.

A vulnerability, which was classified as problematic, has been found in Apple Mac OS X up to 10.11.4. This issue affects some unknown processing of the component Tcl. The manipulation leads to information disclosure (User). The identification of this vulnerability is CVE-2016-1853. Access to the local network is required for this attack. There is no exploit available. It is recommended to upgrade the affected component.

小鹏不再只是一家车企，更是一家AI公司。

Работу над проектом ведет Минцифры.

Really interesting research: “An LLM-Assisted Easy-to-Trigger Backdoor Attack on Code Completion Models: Injecting Disguised Vulnerabilities against Strong Detection“:

Abstract: Large Language Models (LLMs) have transformed code com-
pletion tasks, providing context-based suggestions to boost developer productivity in software engineering. As users often fine-tune these models for specific applications, poisoning and backdoor attacks can covertly alter the model outputs. To address this critical security challenge, we introduce CODEBREAKER, a pioneering LLM-assisted backdoor attack framework on code completion models. Unlike recent attacks that embed malicious payloads in detectable or irrelevant sections of the code (e.g., comments), CODEBREAKER leverages LLMs (e.g., GPT-4) for sophisticated payload transformation (without affecting functionalities), ensuring that both the poisoned data for fine-tuning and generated code can evade strong vulnerability detection. CODEBREAKER stands out with its comprehensive coverage of vulnerabilities, making it the first to provide such an extensive set for evaluation. Our extensive experimental evaluations and user studies underline the strong attack performance of CODEBREAKER across various settings, validating its superiority over existing approaches. By integrating malicious payloads directly into the source code with minimal transformation, CODEBREAKER challenges current security measures, underscoring the critical need for more robust defenses for code completion...

The post Subverting LLM Coders appeared first on Security Boulevard.

胡金鱼