Aggregator

A vulnerability was found in SourceCodester Best House Rental Management System 1.0. It has been classified as problematic. This affects an unknown part of the file /index.php?page=tenants of the component Manage Tenant Details. The manipulation of the argument Last Name/First Name/Middle Name leads to cross site scripting. This vulnerability is uniquely identified as CVE-2024-10348. It is possible to initiate the attack remotely. Furthermore, there is an exploit available. The initial researcher advisory only shows the field "Last Name" to be affected. Other fields might be affected as well.

A vulnerability was found in SourceCodester Best House Rental Management System 1.0 and classified as critical. Affected by this issue is the function delete_tenant of the file /ajax.php?action=delete_tenant. The manipulation of the argument id leads to sql injection. This vulnerability is handled as CVE-2024-10349. The attack may be launched remotely. Furthermore, there is an exploit available.

Submit #427471 / VDB-281697

Submit #427472 / VDB-281696

挪威计划严格执行社交网络最低年龄 15 岁的政策，以保护青少年免受社交网络有害内容和算法的影响。目前使用社交网络的最低年龄是 13 岁。但现实中年龄低于 13 岁的儿童已经在大量使用社交媒体，根据 Norwegian Media Authority 的研究，超过半数的 9 岁儿童、58% 的 10 岁儿童和 72% 的 11 岁儿童已在使用社交媒体。政府承诺采取更多保护措施防止儿童绕过年龄限制，包括修改《Personal Data Act》，要求社交媒体用户必须年满 15 岁才能同意平台处理其个人数据，它正在为社交媒体开发年龄验证屏障。挪威首相周三表示，此举发出了一个强有力的信号，必须保护儿童免受社交媒体有害内容的侵害。这是大型科技巨头与幼儿大脑的较量。这将是一场艰苦的战斗，这也是需要政治的地方。

A new Rust-based variant of the Qilin (Agenda) ransomware strain, dubbed 'Qilin.B,' has been spotted in the wild, featuring stronger encryption, better evasion from security tools, and the ability to disrupt data recovery mechanisms. [...]

Unauthenticated threat actors can remotely cause a denial-of-service (DoS) cyberattack within the Remote Access VPN software in Cisco's ASA and Firepower software.

Как 0day-уязвимость в Chrome стала ключом к чужим богатствам.

A vulnerability classified as critical was found in vendure up to 2.3.2/3.0.4. Affected by this vulnerability is an unknown functionality. The manipulation leads to path traversal. This vulnerability is known as CVE-2024-48914. The attack can be launched remotely. Furthermore, there is an exploit available. It is recommended to upgrade the affected component.

微软旗下的职业社交网络 LinkedIn 被爱尔兰数据保护机构 Data Protection Commission(DPC)罚款 3.1 亿欧元。LinkedIn 的欧洲总部位于爱尔兰的都柏林，爱尔兰 DPC 是其业务在欧洲的主要监管机构。这是爱尔兰根据欧洲数据保护法 GDPR 开出的金额第五大的罚单。对 LinkedIn 的投诉始于 2018 年，LinkedIn 处理用户数据用于定向广告以及用于跟踪行为的方式被认为不符合 GDPR。微软去年已经为这笔罚款提前预留了 4.25 亿美元，最后的罚款金额略低于这一数字。

Welcome to Day Three of our first ever Pwn2Own Ireland competition! We’ve already awarded $874,875

Cloudkicker是一款功能强大的自托管 Azure OSINT 工具，该工具可以帮助广大研究人员轻松执行针对Azure的安全检测与OSINT任务。

Penn State will pay $1.25m for failing federal cybersecurity standards in DoD and NASA contracts

Authors/Presenters:Jen Ozmen, Aaron Shim

Our sincere appreciation to DEF CON, and the Presenters/Authors for publishing their timely DEF CON 32 erudite content. Originating from the conference’s events located at the Las Vegas Convention Center; and via the organizations YouTube channel.

Permalink

The post DEF CON 32 – AppSec Village – Securing Frontends at Scale;Paving our Way to Post XSS World appeared first on Security Boulevard.