Exploit chaining CVE-2025-31324 & CVE-2025-42999 in SAP NetWeaver enables auth bypass and RCE, risking compromise and data theft. A new exploit chaining two vulnerabilities, tracked as CVE-2025-31324 and CVE-2025-42999, in SAP NetWeaver exposes organizations to the risk of system compromise and data theft. CVE-2025-31324 (CVSS score: 10.0) is a missing authorization check in NetWeaver’s Visual Composer […]
Warlock ransomware exploits unpatched Microsoft SharePoint vulnerabilities to gain access, escalate privileges, steal credentials, move laterally, and deploy ransomware with data exfiltration across enterprise environments.
The uptick in breaches in Asia has prompted a Japanese chipmaker and the Singaporean government to require vendors to pass cybersecurity checks to do business.
A vulnerability, which was classified as problematic, has been found in SolidInvoice up to 2.4.0. Impacted is an unknown function of the file /quotes of the component Quote Module. This manipulation of the argument Name causes cross-site scripting.
This vulnerability is registered as CVE-2025-9169. Remote exploitation of the attack is possible. Furthermore, an exploit is available.
The vendor was contacted early about this disclosure but did not respond in any way.
A vulnerability was found in Sitecore CMS 5.3.0/5.3.1/6.0.1/6.0.2. It has been classified as problematic. This vulnerability affects unknown code. Performing manipulation of the argument sc_error results in cross-site scripting.
This vulnerability is identified as CVE-2009-2163. The attack can be initiated remotely. Additionally, an exploit exists.
Upgrading the affected component is recommended.
A vulnerability classified as critical has been found in Simplog 0.9.3.2. Affected by this issue is some unknown functionality of the file comments.php. Performing manipulation results in improper access controls.
This vulnerability is identified as CVE-2009-4091. The attack can be initiated remotely. Additionally, an exploit exists.
A vulnerability classified as problematic was found in Simplog 0.9.3.2. This affects an unknown part of the file user.php of the component Change Password. Executing manipulation can lead to cross-site request forgery.
This vulnerability is tracked as CVE-2009-4092. The attack can be launched remotely. Moreover, an exploit is present.
A vulnerability, which was classified as problematic, has been found in Simplog 0.9.3.2. This vulnerability affects unknown code of the file comments.php. The manipulation leads to cross-site scripting.
This vulnerability is listed as CVE-2009-4093. The attack may be initiated remotely. In addition, an exploit is available.
A vulnerability classified as critical has been found in Dminnich Simple PHP News 1.0. The affected element is an unknown function of the file post.php. This manipulation of the argument Date causes code injection.
This vulnerability is handled as CVE-2009-0610. The attack can be initiated remotely. Additionally, an exploit exists.
A vulnerability classified as critical was found in PHPSimplicity Simplicity oF Upload 1.3.2. This affects an unknown part of the file upload.php of the component File Upload. Such manipulation leads to unrestricted upload.
This vulnerability is tracked as CVE-2009-4818. The attack may be launched remotely. Furthermore, there is an exploit available.
A vulnerability was found in Alexander Palmo Simple PHP Blog up to 0.5.1. It has been declared as problematic. This impacts an unknown function of the file languages_cgi.php. Such manipulation of the argument blog_language1 leads to path traversal.
This vulnerability is uniquely identified as CVE-2009-4421. The attack can be launched remotely. Moreover, an exploit is present.
A vulnerability marked as critical has been reported in Snowhall Silurus System 1.0. This issue affects some unknown processing of the file wcategory.php. The manipulation of the argument ID leads to SQL injection.
This vulnerability is listed as CVE-2009-3082. The attack may be initiated remotely. In addition, an exploit is available.
A vulnerability categorized as critical has been discovered in Apple Safari. This impacts an unknown function of the component Web Handler. Executing manipulation can lead to memory corruption.
The identification of this vulnerability is CVE-2025-24189. The attack may be launched remotely. There is no exploit available.
It is advisable to upgrade the affected component.
Maximum Validity of Public TLS Certificates Will Drop From 398 Days to Just 47 Days
The future of managing digital certificates is already here - it's just not evenly distributed yet. With the public TLS certificate validity period set to drop to just 47 days, as well as the need to migrate to quantum-safe encryption, experts see automation as key to achieving crypto agility.
Common Weaknesses Healthcare Providers Must Overcome to Avoid Regulators' Wrath
Regulators have long pushed HIPAA-regulated providers to ensure their enterprise-wide security risk analysis is comprehensive and timely, so they can identify security issues before they become data breaches. Why do so many organizations struggle with this top HIPAA priority?