Apple and Google espouse strong values about data privacy, but they allow programs from a Big Brother state to thrive on their app stores, researchers allege.
In a 6-3 decision, the Supreme Court held that age verification for explicit sites is constitutional. In a dissent, Justice Elena Kagan warned it burdens adults and ignores First Amendment precedent.
An invitation to sign a DocuSign document took a convoluted route and used a suspiciously easy CAPTCHA to fingerprint the target.
### Summary
A critical remote code execution vulnerability was found in the LLaMA Factory training process. The value head checkpoint (`vhead_file`) is loaded without safeguards, so an attacker can execute arbitrary code on the host simply by supplying a malicious `Checkpoint path` through the `WebUI`. The attack is stealthy: the victim sees an ordinary training run and is not made aware of the exploitation. The root cause is that `vhead_file` is passed to `torch.load` without `weights_only=True`, so the file is deserialized by the full pickle machinery rather than a restricted loader. Note: in torch versions below 2.6 the default is `weights_only=False`, and LLaMA Factory's `setup.py` only requires `torch>=2.0.0`, so affected installations get the unsafe default.

### Affected Version
LLaMA Factory versions <=0.9.3 are affected by this vulnerability.

### Details
1. In LLaMA Factory's WebUI, when a user sets the `Checkpoint path`, it modifies the `adapter_name_or_path` parameter passed to the training process (code in src/llamafactory/webui/runner.py). ...
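The mechanism behind the advisory is ordinary pickle deserialization, so it can be shown without torch. The following is an added example, not code from the advisory or from LLaMA Factory: `load_unsafe` mirrors `torch.load(..., weights_only=False)`, `load_restricted` mirrors the allowlisting that `weights_only=True` performs, and `attacker_payload`, `EXECUTED`, the constructed checkpoint bytes and the `SAFE_GLOBALS` set are all my own stand-ins (a real payload would call `os.system` or similar).

```python
import io
import pickle
from collections import OrderedDict

# Records each run of the "attacker" function so the caller can prove that
# merely loading the checkpoint executed it. (Constructed for this example.)
EXECUTED = []


def attacker_payload(tag):
    """Stand-in for a real payload such as os.system: it only records that it
    ran and hands the loader a harmless object so the victim sees nothing odd."""
    EXECUTED.append(tag)
    return OrderedDict()


class MaliciousCheckpoint:
    """Any object whose __reduce__ names a callable: pickle stores the callable
    and its arguments, and the stock unpickler calls it during load()."""

    def __reduce__(self):
        return (attacker_payload, ("value_head.bin",))


def build_malicious_checkpoint():
    # Constructed sample: the bytes an attacker would ship as the value head file.
    return pickle.dumps(MaliciousCheckpoint())


def build_benign_checkpoint():
    # Constructed sample: a state_dict-shaped OrderedDict of plain Python lists.
    return pickle.dumps(OrderedDict([("v_head.summary.weight", [0.1, 0.2]),
                                     ("v_head.summary.bias", [0.0])]))


def load_unsafe(data):
    """Equivalent of torch.load(path, weights_only=False): the stock unpickler
    resolves and calls whatever global the file names."""
    return pickle.loads(data)


# Globals a weights file legitimately needs. torch.load(weights_only=True)
# keeps a comparable allowlist of tensor and storage types (assumption:
# only OrderedDict is needed for this toy state_dict).
SAFE_GLOBALS = {("collections", "OrderedDict")}


class RestrictedUnpickler(pickle.Unpickler):
    def find_class(self, module, name):
        # Refuse to resolve anything outside the allowlist, so no attacker-
        # chosen callable is ever looked up, let alone called.
        if (module, name) in SAFE_GLOBALS:
            return super().find_class(module, name)
        raise pickle.UnpicklingError(f"forbidden global {module}.{name}")


def load_restricted(data):
    """Equivalent of torch.load(path, weights_only=True)."""
    return RestrictedUnpickler(io.BytesIO(data)).load()


def restricted_load_rejects(data):
    """True if the allowlisting loader refuses the file without running anything."""
    before = len(EXECUTED)
    try:
        load_restricted(data)
    except pickle.UnpicklingError:
        return len(EXECUTED) == before
    return False


if __name__ == "__main__":
    print("unsafe load returned:", load_unsafe(build_malicious_checkpoint()),
          "and ran the payload:", EXECUTED)
    print("restricted loader rejects it:", restricted_load_rejects(build_malicious_checkpoint()))
    print("restricted loader still reads real weights:", load_restricted(build_benign_checkpoint()))
```

The point a reviewer of the patch would want to verify is the last line: the allowlisting loader must still accept the genuine value head file, otherwise the fix will be reverted the first time training fails.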
## Summary ##
The *Command Execution* feature of File Browser only allows the execution of shell commands that have been predefined on a user-specific allowlist. Many of those tools can themselves run arbitrary other commands, which renders the limitation void.

## Impact ##
The concrete impact depends on the commands granted to the attacker, but so many standard commands can launch subcommands that every user holding the `Execute commands` permission can most likely exploit this vulnerability. Anyone who can exploit it gains full code execution with the *uid* of the server process.

## Vulnerability Description ##
Many Linux commands can execute arbitrary other commands. For example, if a user is authorized to run only the `find` command and nothing else, this restriction can be circumvented with the `-exec` flag. Some common commands having the ability to launch external commands and which are included in the offici...
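To make the bypass concrete, here is an added example (my own code, not File Browser's) of a name-only allowlist check of the kind the advisory describes, a detector for the `find -exec` family it names, and one hardened design. The sample allowlist, the `awk` entry (my addition, beyond what the advisory lists) and the `ARGV_ALLOWLIST` prefixes are constructed for the example.

```python
import re
import shlex

# Commands an administrator might grant one user (constructed sample).
USER_ALLOWLIST = {"ls", "cat", "find"}


def name_allowlist_permits(command, allowlist=USER_ALLOWLIST):
    """The weak check: only the program name is compared against the allowlist,
    so every argument after it is under the user's control."""
    argv = shlex.split(command)
    return bool(argv) and argv[0] in allowlist


# Argument forms through which an allowlisted program runs another program.
# find's -exec family is the case the advisory names; awk's system() is my own
# addition as a reminder that this list is open-ended.
SUBCOMMAND_VECTORS = {
    "find": {"-exec", "-execdir", "-ok", "-okdir"},
    "awk": {"system("},
}


def escapes_allowlist(command):
    """True when an allowlisted program is invoked in a way that spawns another
    command. Useful for triage, but a denylist like this is never complete and
    must not be mistaken for a fix."""
    argv = shlex.split(command)
    if not argv:
        return False
    needles = SUBCOMMAND_VECTORS.get(argv[0], set())
    return any(needle in tok for tok in argv[1:] for needle in needles)


# Hardened design (mine, not File Browser's): the admin allowlists fixed argv
# prefixes, and the user may only append path-like positional arguments, so
# no user-supplied token can ever become an option or a subcommand.
ARGV_ALLOWLIST = (
    ("ls", "-la"),
    ("cat",),
    ("find", ".", "-name"),
)
SAFE_ARG = re.compile(r"^[A-Za-z0-9._/*][A-Za-z0-9._/*-]*$")


def _safe_positional(arg):
    # Must not start with '-' (would be parsed as an option) and must not
    # traverse out of the granted tree.
    return bool(SAFE_ARG.match(arg)) and ".." not in arg.split("/")


def argv_allowlist_permits(command, allowlist=ARGV_ALLOWLIST):
    argv = tuple(shlex.split(command))
    for prefix in allowlist:
        if argv[: len(prefix)] == prefix:
            rest = argv[len(prefix):]
            if all(_safe_positional(a) for a in rest):
                return True
    return False


if __name__ == "__main__":
    for cmd in ["find . -name '*.log'", r"find . -exec id \;", "cat ../../etc/shadow"]:
        print(f"{cmd!r}: name-check={name_allowlist_permits(cmd)} "
              f"escapes={escapes_allowlist(cmd)} argv-check={argv_allowlist_permits(cmd)}")
```

The hardened variant is deliberately restrictive: a user who needs `find` with other predicates has to get a second prefix from the administrator. That is the trade-off the advisory implies, since the set of programs that can run subcommands is far too large to enumerate.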
Tech Transparency Project warns Chinese-owned VPNs like Turbo VPN and X-VPN remain on Apple and Google app stores, raising national security concerns.
Cybercriminals are increasingly gravitating towards uncensored LLMs, cybercriminal-designed LLMs and jailbreaking legitimate LLMs.
"Hello pervert" sextortion emails are going through some changes and the price they're demanding has gone up considerably.
Wordfence exposes a sophisticated WordPress malware campaign using a rogue WordPress Core plugin. Active since 2023, it steals credit cards and credentials with advanced anti-detection.
Kaspersky uncovers SparkKitty, new spyware in Apple App Store & Google Play. Steals photos, targets crypto info, active since early 2024 via malicious apps.