Spring Security security vulnerability
Spring Security is a security framework developed by Spring OpenSource that includes authentication and authorization features. There are security vulnerabilities in versions of Spring Security 5.7.22 and earlier, 5.8.24 and earlier, 6.3.15 and earlier, 6.5.9 and earlier, and 7.0.4 and earlier...
D-SLAMSpoof: An Environment-Agnostic LiDAR Spoofing Attack Using Dynamic Point Cloud Injection
In this work, we introduce Dynamic SLAMSpoof (D-SLAMSpoof), a novel attack that compromises LiDAR SLAM even in feature-rich environments. The attack leverages LiDAR spoofing, which injects spurious measurements into LiDAR scans through external laser interference. By designing both spatial injectio...
Handson-3-WEB2_XSS-Attack-Defense
No d...
Evaluating Vulnerabilities of Connected Vehicles under Cyber Attacks by Attack-Defense Tree
Connected vehicles represent a key enabler of intelligent transportation systems, where vehicles are equipped with advanced communication, sensing, and computing technologies to interact not only with one another but also with surrounding infrastructures and the environment. Through continuous da...
OmniSafeBench-MM: A Unified Benchmark and Toolbox for Multimodal Jailbreak Attack-Defense Evaluation
Recent advances in multi-modal large language models (MLLMs) have enabled unified perception-reasoning capabilities, yet these systems remain highly vulnerable to jailbreak attacks that bypass safety alignment and induce harmful behaviors. Existing benchmarks such as JailBreakV-28K, MM-SafetyBench,...
A Safety and Security Framework for Real-World Agentic Systems
This paper introduces a dynamic and actionable framework for securing agentic AI systems in enterprise deployment. We contend that safety and security are not merely fixed attributes of individual models but also emergent properties arising from the dynamic interactions among models, orchestrator...
Cybersecurity AI: Evaluating Agentic Cybersecurity in Attack/Defense CTFs
We empirically evaluate whether AI systems are more effective at attacking or defending in cybersecurity. Using CAI (Cybersecurity AI)'s parallel execution framework, we deployed autonomous agents in 23 Attack/Defense CTF battlegrounds. Statistical analysis reveals defensive agents achieve 54.3%...
Early Approaches to Adversarial Fine-Tuning for Prompt Injection Defense: a 2022 Study of GPT-3 and Contemporary Models
This paper documents early research conducted in 2022 on defending against prompt injection attacks in large language models, providing historical context for the evolution of this critical security domain. This research focuses on two adversarial attacks against Large Language Models (LLMs): promp...
Measuring the Attack/Defense Balance
"Who's winning on the internet, the attackers or the defenders?" I'm asked this all the time, and I can only ever give a qualitative hand-wavy answer. But Jason Healey and Tarang Jain's latest Lawfare piece has amassed data. The essay provides the first framework for metrics about how we are all...
Thought Purity: Defense Paradigm for Chain-Of-Thought Attack
While reinforcement learning-trained Large Reasoning Models (LRMs, e.g., Deepseek-R1) demonstrate advanced reasoning capabilities in the evolving Large Language Models (LLMs) domain, their susceptibility to security threats remains a critical vulnerability. This weakness is particularly evident in...
CachePrune: Neural-Based Attribution Defense against Indirect Prompt Injection Attacks
Large Language Models (LLMs) are identified as being susceptible to indirect prompt injection attack, where the model undesirably deviates from user-provided instructions by executing tasks injected in the prompt context. This vulnerability stems from LLMs' inability to distinguish between data and...
Attack-Defense Trees with Offensive and Defensive Attributes (With Appendix)
Effective risk management in cybersecurity requires a thorough understanding of the interplay between attacker capabilities and defense strategies. Attack-Defense Trees (ADTs) are a commonly used methodology for representing this interplay; however, previous work in this domain has only focused on...
Magecart: How Akamai Protected a Global Retailer Against a Live Attack
...
CVE-2024-3716
A flaw was found in foreman-installer when puppet-candlepin invokes cpdb with the --password parameter. This issue leaks the password in the process list and allows an attacker to take advantage of it and obtain the password...
Anatomy of a Security Update
The Microsoft Security Response Center is part of the defender community and on the front line of security response for our customers and the company. Our mission is to protect customers and Microsoft from current and emerging threats related to security and privacy. We monitor threats and provid...
WordPress WP-DownloadManager plugin cross-site scripting vulnerability
WordPress is the WordPress Foundation's blogging platform, developed using the PHP language. The platform supports the hosting of personal blog sites on PHP and MySQL servers. WP-DownloadManager is an open source WordPress plugin. WordPress WP-DownloadManager plugin version 1.68.6...
Updating IPS Blade with the Latest Dynamic Protections
IPS dynamic updates are available to customers who have purchased the IPS subscription service. Customers with a valid subscription license can choose the attacks to defend against, read detailed information about each attack, and configure parameters for each attack defense, including logging options,...
Six Malicious Linux Shell Scripts Used to Evade Defenses and How to Stop Them
Siddartha Sharma and Adhokshaj Mishra. Evasive techniques used by attackers date back to the earlier days, when base64 and other common encoding schemes were used. Today, attackers are adopting new Linux shell script tactics and techniques to disable firewalls and monitoring agents and to modify...
Huawei Data Communication: Deploying an ACL When the STelnet Service Is Enabled
Configure an ACL to defend against attacks. Copyright (C) 2020 Greenbone Networks GmbH. Some text descriptions might be excerpted from referenced sources, and are Copyright (C) by the respective right holders. SPDX-License-Identifier: GPL-2.0-or-later. This program is free software; you can...
MemGuard - Secure Software Enclave For Storage Of Sensitive Information In Memory
Secure software enclave for storage of sensitive information in memory. This package attempts to reduce the likelihood of sensitive data being exposed. It supports all major operating systems and is written in pure Go. Features: Sensitive data is encrypted and authenticated in memory using xSalsa2...