Aggregator

iPadOS 26引入Liquid Glass设计语言、多窗口系统、菜单栏及后台操作等功能，提升多任务处理能力与生产力。

A vulnerability classified as problematic was found in Pictures Pro Photo Cart 3.9. Affected by this issue is some unknown functionality of the file index.php. Executing manipulation of the argument qtitle can lead to cross site scripting. This vulnerability is tracked as CVE-2008-3786. The attack can be launched remotely. Moreover, an exploit is present.

A vulnerability was found in Appstate phpWebSite up to 0.9.3-4 and classified as critical. This vulnerability affects unknown code of the file links.php. The manipulation of the argument cid results in sql injection. This vulnerability is cataloged as CVE-2008-6266. The attack may be launched remotely. Furthermore, there is an exploit available.

A vulnerability was found in phpWebSite 1.4.0. It has been declared as problematic. The affected element is an unknown function of the file index.php of the component Search Module. Executing manipulation of the argument Search can lead to cross site scripting. The identification of this vulnerability is CVE-2008-0092. The attack may be launched remotely. Furthermore, there is an exploit available.

A vulnerability was found in phpstats 0.1 Alpha and classified as problematic. This affects an unknown function of the file phpstats.php. Such manipulation of the argument baseDir leads to cross site scripting. This vulnerability is traded as CVE-2008-0125. The attack may be launched remotely. Furthermore, there is an exploit available.

A vulnerability classified as problematic was found in phpSQLiteCMS 1. This issue affects some unknown processing. The manipulation results in cross site scripting. This vulnerability is known as CVE-2008-6435. It is possible to launch the attack remotely. Furthermore, an exploit is available.

A vulnerability was found in GForge 4.5.14. It has been classified as problematic. This impacts the function write_array_file of the component Configuration File. The manipulation leads to link following. This vulnerability is referenced as CVE-2008-0167. The attack can only be performed from a local environment. Furthermore, an exploit is available. Upgrading the affected component is recommended.

当前环境出现异常，需完成验证后才能继续访问。

本周，互联网网络安全态势整体评价为良。

A vulnerability was found in Samsung Smart Phone and classified as critical. This impacts an unknown function of the component ActivityManagerService. Such manipulation leads to active debug code. This vulnerability is referenced as CVE-2023-21496. The attack can be executed directly on the physical device. No exploit is available. It is suggested to upgrade the affected component.

A vulnerability was found in Samsung Smart Phone. It has been declared as critical. This vulnerability affects unknown code of the component mPOS TUI Trustlet. The manipulation results in format string. This vulnerability is identified as CVE-2023-21497. The attack is only possible with local access. There is not any exploit available. It is recommended to upgrade the affected component.

A vulnerability marked as critical has been reported in Samsung Smart Phone. This affects an unknown part of the file mm_Authentication.c of the component Shannon Baseband. This manipulation causes memory corruption. This vulnerability appears as CVE-2023-21494. The attack may be initiated remotely. There is no available exploit. It is suggested to upgrade the affected component.

A vulnerability, which was classified as critical, has been found in Samsung Smart Phone. This impacts an unknown function of the component Knox Enrollment Service. This manipulation causes improper access controls. This vulnerability is handled as CVE-2023-21495. It is possible to launch the attack on the local host. There is not any exploit available. It is advisable to upgrade the affected component.

文章讨论了某个主题或问题，并提供了相关背景、分析和结论。

HackerNews 编译，转载请注明出处： 近期，名为 “Scattered Lapsus$ Hunters” 的网络犯罪团伙在 Telegram上宣称，已获取谷歌 执法请求系统（LERS ）及美国联邦调查局（FBI）电子背景调查系统的访问权限。 LERS是一个安全的在线门户，供经过验证的政府机构提交和跟踪针对用户数据的合法请求。该系统一方面帮助执法机构向谷歌申请所需信息，另一方面确保整个流程符合法定程序要求。 谷歌证实，威胁行为者通过创建虚假账号，成功获取LERS平台的访问权限，目前已将该账号停用。 谷歌指出，攻击者未通过该欺诈账号发起任何请求，同时强调 “未发生数据泄露”。然而，未经授权访问谷歌 LERS 仍存在多重风险：可能导致用户数据暴露、干扰正常执法调查、为欺诈性数据请求提供可乘之机，且会损害公众对该系统的信任。 而若 FBI 电子背景调查系统（eCheck）遭遇入侵，风险则包括个人记录与犯罪记录被盗、身份诈骗、背景调查结果被篡改，甚至对国家安全构成威胁。鉴于这两个系统的高度敏感性，必须建立强有力的安全防护措施，以保障用户隐私、数据完整性及机构公信力。 据悉，该威胁团伙最初通过社会工程学手段，诱骗企业员工将 Salesforce 数据加载器（Salesforce Data Loader）关联至公司账号，进而实施数据窃取与勒索。随后，他们入侵了 Salesloft 公司的 GitHub 代码仓库，使用 Trufflehog（一款敏感信息扫描工具）扫描代码，发现了 Drift（一款客户互动平台）的认证令牌，并利用该令牌进一步发起针对 Salesforce 的大规模数据窃取攻击。 此次 Salesforce 数据窃取攻击影响了多家大型企业客户，包括安联人寿、谷歌、Zscaler、Cloudflare、澳洲航空及帕洛阿尔托网络公司。 9 月 11 日，该团伙在 BreachForums [.] hn（一个数据泄露相关论坛）上发布 “告别” 信息，宣布将 “隐匿”。 团伙在留言中写道：“虚荣不过是转瞬即逝的胜利，操纵舆论也终究只是徒劳的自负。正因如此，我们决定，从今往后，沉默将成为我们的力量。”“未来，你或许会在其他数十家尚未披露数据泄露事件的十亿美元级企业，以及部分政府机构（包括安全级别极高的机构）的新数据泄露报告中看到我们的名字，但这并不意味着我们仍在活跃。司法程序将持续让警方、法官与记者忙碌不已。”   消息来源：securityaffairs； 本文由 HackerNews.cc 翻译整理，封面来源于网络； 转载请注明“转自 HackerNews.cc”并附上原文

文章介绍了苹果最新推出的AirPods Pro 3耳机新增的心率传感器功能及其使用方法。该功能通过读取皮下血管情况实现心率监测，需确保耳机以45度角朝向面部并紧密贴合皮肤。此外，耳机采用了更柔软的泡沫硅胶耳塞，并提供多种尺寸选择以优化佩戴舒适度和监测准确性。

A vulnerability described as critical has been identified in Tourism Management System 2.0. Affected by this vulnerability is an unknown functionality. Such manipulation leads to unrestricted upload. This vulnerability is referenced as CVE-2025-57642. It is possible to launch the attack remotely. Furthermore, an exploit is available.

A vulnerability was found in ELEXtensions ELEX WooCommerce Google Shopping Plugin up to 1.4.3 on WordPress. It has been rated as critical. Affected is an unknown function. Performing manipulation of the argument file_to_delete results in sql injection. This vulnerability is cataloged as CVE-2025-10046. It is possible to initiate the attack remotely. Furthermore, there is an exploit available.

A vulnerability, which was classified as critical, has been found in dotCMS Cloud Services. This vulnerability affects unknown code of the file /api/v1/contenttype. The manipulation of the argument sites leads to sql injection. This vulnerability is traded as CVE-2025-8311. It is possible to initiate the attack remotely. Furthermore, there is an exploit available. It is advisable to upgrade the affected component.