RSS Live Feed

CVE-2021-40674

Latest 7 days CVE Lists - 17 hours 42 minutes ago
An SQL injection vulnerability exists in Wuzhi CMS v4.1.0 via the KeyValue parameter in coreframe/app/order/admin/index.php.

Amazon Says It's Permanently Banned 600 Chinese Brands for Review Fraud

Slashdot - Mon, 2021/09/20 - 11:42 PM
An anonymous reader shares a report: Remember when gadget vendors Aukey, Mpow, RavPower, Vava, TaoTronics and Choetech started mysteriously disappearing from Amazon's online storefront, and it turned out Amazon had intentionally yanked them while vaguely gesturing to the sanctity of its user reviews? Turns out they were just the tip of the iceberg. Amazon has now permanently banned over 600 Chinese brands across 3,000 different seller accounts, the company confirms to The Verge. Amazon says that's the grand tally after five months of its global crackdown, and it's no longer being shy about why: a spokesperson tells us these 600 brands were banned for knowingly, repeatedly and significantly violating Amazon's policies, especially the ones around review abuse. The South China Morning Post reported the numbers earlier, citing an interview with an Amazon Asia VP on state-owned television.

Read more of this story at Slashdot.


CVE-2019-16651

Latest 7 days CVE Lists - Mon, 2021/09/20 - 11:15 PM
An issue was discovered on Virgin Media Super Hub 3 (based on ARRIS TG2492) devices. Because their SNMP commands have insufficient protection mechanisms, it is possible to use JavaScript and DNS rebinding to leak the WAN IP address of a user (if they are using certain VPN implementations, this would decloak them).

CVE-2020-21913

Latest 7 days CVE Lists - Mon, 2021/09/20 - 11:15 PM
International Components for Unicode (ICU-20850) v66.1 was discovered to contain a use after free bug in the pkg_createWithAssemblyCode function in the file tools/pkgdata/pkgdata.cpp.

Amazon is Investigating Whether Its Lawyers Bribed Government Officials in India

Slashdot - Mon, 2021/09/20 - 11:02 PM
Amazon has launched an investigation into the conduct of its legal representatives in India following a complaint from a whistleblower who alleged that one or more of the company's reps had bribed government officials, Indian news and analysis outlet the Morning Context reported on Monday. From a report: The company is investigating whether legal fees financed by it were used for bribing government officials, the report said, which cited unnamed sources and didn't identify the government officials. Amazon has placed Rahul Sundaram, a senior corporate counsel, on leave, the report added. In a statement to TechCrunch, an Amazon spokesperson said the company has "zero tolerance" for corruption, but didn't comment on the investigation.



Kernel prepatch 5.15-rc2

lwn.net - Mon, 2021/09/20 - 10:17 PM
The 5.15-rc2 kernel prepatch is out for testing.

So I've spent a fair amount of this week trying to sort out all the odd warnings, and I want to particularly thank Guenter Roeck for his work on tracking where the build failures due to -Werror come from.

Is it done? No. But on the whole I'm feeling fairly good about this all, even if it has meant that I've been looking at some really odd and grotty code. Who knew I'd still worry about some odd EISA driver on alpha, after all these years? A slight change of pace ;)


Stanford's Proposal Over AI's 'Foundations' Creates Controversy

Slashdot - Mon, 2021/09/20 - 8:34 PM
ellithligraw writes: Last month a Stanford research paper coauthored by dozens of Stanford researchers which terms some artificial intelligence models "foundations" is causing a debate over the future of AI. A new research facility is proposed at Stanford to study these so-called "models." Critics say these "foundations" will "mess up the discourse." The debate centers on what Wired calls "colossal neural networks and oceans of data." Some object to the limited capabilities and sometimes freakish behavior of these models; others warn of focusing too heavily on one way of making machines smarter. "I think the term 'foundation' is horribly wrong," Jitendra Malik, a professor at UC Berkeley who studies AI, told workshop attendees in a video discussion. Malik acknowledged that one type of model identified by the Stanford researchers — large language models that can answer questions or generate text from a prompt — has great practical use. But he said evolutionary biology suggests that language builds on other aspects of intelligence like interaction with the physical world. "These models are really castles in the air; they have no foundation whatsoever," Malik said. "The language we have in these models is not grounded, there is this fakeness, there is no real understanding...." Subbarao Kambhampati, a professor at Arizona State University [says] there is no clear path from these models to more general forms of AI... Emily M. Bender, a professor in the linguistics department at the University of Washington, says she worries that the idea of foundation models reflects a bias toward investing in the data-centric approach to AI favored by industry... "There are all of these other adjacent, really important fields that are just starved for funding," she says. "Before we throw money into the cloud, I would like to see money going into other disciplines."



CVE-2021-24613

Latest 7 days CVE Lists - Mon, 2021/09/20 - 7:15 PM
The Post Views Counter WordPress plugin before 1.3.5 does not sanitise or escape its Post Views Label settings, which could allow high privilege users to perform Cross-Site Scripting attacks in the frontend even when the unfiltered_html capability is disallowed.

CVE-2021-24618

Latest 7 days CVE Lists - Mon, 2021/09/20 - 7:15 PM
The Donate With QRCode WordPress plugin before 1.4.5 does not sanitise or escape its QRCode Image setting, which results in a Stored Cross-Site Scripting (XSS) issue. Furthermore, the plugin also does not have any CSRF or capability checks in place when saving this setting, allowing any authenticated user (as low as subscriber), or an unauthenticated user via a CSRF vector, to update it and perform such an attack.

CVE-2021-24635

Latest 7 days CVE Lists - Mon, 2021/09/20 - 7:15 PM
The Visual Link Preview WordPress plugin before 2.2.3 does not enforce authorisation on several AJAX actions and has the CSRF nonce displayed for all authenticated users, allowing any authenticated user (such as subscriber) to call them and 1) get and search through the title and content of Draft posts, 2) get the title of a password-protected post, as well as 3) upload an image from a URL.

CVE-2021-24636

Latest 7 days CVE Lists - Mon, 2021/09/20 - 7:15 PM
The Print My Blog WordPress plugin before 3.4.2 does not enforce nonce (CSRF) checks, which allows attackers to make logged-in administrators deactivate the Print My Blog plugin and delete all saved data for that plugin by tricking them into opening a malicious link.

CVE-2021-24637

Latest 7 days CVE Lists - Mon, 2021/09/20 - 7:15 PM
The Google Fonts Typography WordPress plugin before 3.0.3 does not escape and sanitise some of its block settings, allowing users with a role as low as Contributor to perform Stored Cross-Site Scripting attacks via the blockType (combined with content), align, color, variant and fontID arguments of a Gutenberg block.

CVE-2021-24638

Latest 7 days CVE Lists - Mon, 2021/09/20 - 7:15 PM
The OMGF WordPress plugin before 4.5.4 does not escape or validate the handle parameter of the REST API, which allows unauthenticated users to perform path traversal and overwrite arbitrary CSS files with Google Fonts CSS, or download fonts uploaded on the Google Fonts website.

CVE-2021-24639

Latest 7 days CVE Lists - Mon, 2021/09/20 - 7:15 PM
The OMGF WordPress plugin before 4.5.4 does not enforce path validation, authorisation or CSRF checks in the omgf_ajax_empty_dir AJAX action, which allows any authenticated user to delete arbitrary files or folders on the server.

CVE-2021-24640

Latest 7 days CVE Lists - Mon, 2021/09/20 - 7:15 PM
The WordPress Slider Block Gutenslider plugin before 5.2.0 does not escape the minWidth attribute of a Gutenberg block, which could allow users with a role as low as contributor to perform Cross-Site Scripting attacks.

CVE-2021-24657

Latest 7 days CVE Lists - Mon, 2021/09/20 - 7:15 PM
The Limit Login Attempts WordPress plugin before 4.0.50 does not escape the IP addresses (which can be controlled by an attacker via headers such as X-Forwarded-For) of attempted logins before outputting them in the reports table, leading to an Unauthenticated Stored Cross-Site Scripting issue.

CVE-2021-24663

Latest 7 days CVE Lists - Mon, 2021/09/20 - 7:15 PM
The Simple Schools Staff Directory WordPress plugin through 1.1 does not validate uploaded logo pictures to ensure that they are indeed images, allowing high privilege users such as admin to upload arbitrary files such as PHP, leading to RCE.

CVE-2021-24741

Latest 7 days CVE Lists - Mon, 2021/09/20 - 7:15 PM
The Support Board WordPress plugin before 3.3.4 does not escape multiple POST parameters (such as status_code, department, user_id, conversation_id, conversation_status_code, and recipient_id) before using them in SQL statements, leading to SQL injections which are exploitable by unauthenticated users.

CVE-2021-24400

Latest 7 days CVE Lists - Mon, 2021/09/20 - 7:15 PM
The Edit Role functionality in the Display Users WordPress plugin through 2.0.0 has an `id` parameter which is not sanitised, escaped or validated before being inserted into a SQL statement, leading to SQL injection.

CVE-2021-24401

Latest 7 days CVE Lists - Mon, 2021/09/20 - 7:15 PM
The Edit domain functionality in the WP Domain Redirect WordPress plugin through 1.0 has an `editid` parameter which is not sanitised, escaped or validated before being inserted into a SQL statement, leading to SQL injection.
