風險: 中度風險
類型: 伺服器 - 互聯網應用伺服器
於 Jenkins 發現多個漏洞。遠端攻擊者可利用這些漏洞,於目標系統觸發遠端執行任意程式碼、仿冒、繞過保安限制、洩露敏感資料及跨網站指令碼。
在安裝軟體之前,請先瀏覽供應商之網站,以獲得更多詳細資料。
安裝供應商提供的修補程式:
RISK: Medium Risk
TYPE: Servers - Internet App Servers
Multiple vulnerabilities were identified in Jenkins. A remote attacker could exploit some of these vulnerabilities to trigger remote code execution, spoofing, security restriction bypass, sensitive information disclosure and cross-site scripting on the targeted system.
Before installation of the software, please visit the vendor web-site for more details.
Apply fixes issued by the vendor:
風險: 中度風險
類型: 伺服器 - 數據庫伺服器
於甲骨文產品發現多個漏洞。遠端攻擊者可利用這些漏洞,於目標系統觸發敏感資料洩露、資料篡改、遠端執行任意程式碼、繞過保安限制、權限提升及阻斷服務狀況。
有關其他 甲骨文 產品,請參閱以下連結:
https://www.oracle.com/security-alerts/cspujun2026.html
在安裝軟體之前,請先瀏覽供應商之網站,以獲得更多詳細資料。
安裝供應商提供的修補程式:
https://www.oracle.com/security-alerts/cspujun2026.html
RISK: Medium Risk
TYPE: Servers - Database Servers
Multiple vulnerabilities were identified in Oracle Products. A remote attacker could exploit some of these vulnerabilities to trigger sensitive information disclosure, data manipulation, remote code execution, security restriction bypass, elevation of privilege and denial of service condition on the targeted system.
For other Oracle products, please refer to the link below:
https://www.oracle.com/security-alerts/cspujun2026.html
Before installation of the software, please visit the vendor web-site for more details.
Apply fixes issued by the vendor:
https://www.oracle.com/security-alerts/cspujun2026.html
風險: 極高度風險
類型: 用戶端 - 瀏覽器
於 Microsoft Edge 發現多個漏洞。遠端攻擊者可利用這些漏洞,於目標系統觸發遠端執行任意程式碼、阻斷服務狀況、權限提升、繞過保安限制及敏感資料洩露。
注意:
CVE-2026-11645 正在被廣泛利用。遠端攻擊者可以利用此漏洞,透過特製的 HTML 頁面在沙箱環境中執行任意程式碼。因此,此漏洞的風險等級被評為極高度風險。
在安裝軟體之前,請先瀏覽供應商之網站,以獲得更多詳細資料。
安裝軟件供應商提供的修補程式:
RISK: Extremely High Risk
TYPE: Clients - Browsers
Multiple vulnerabilities were identified in Microsoft Edge. A remote attacker could exploit some of these vulnerabilities to trigger remote code execution, denial of service condition, elevation of privilege, security restriction bypass and sensitive information disclosure on the targeted system.
Note:
CVE-2026-11645 is being exploited in the wild. A remote attacker could exploit this vulnerability to execute arbitrary code inside a sandbox via a crafted HTML page. Hence, the risk level is rated as Extremely High Risk.
Before installation of the software, please visit the software vendor web-site for more details.
Apply fixes issued by the vendor:
類別: 網絡釣魚
mickmick.net 提醒市民,小心假冒 Booking.com 及酒店預訂通知的釣魚攻擊。有騙徒利用Booking.com早前流出的真實訂房資料,冒充 Booking.com 平台或酒店向旅客發送電郵及WhatsApp訊息,聲稱預訂出現異常、付款授權失敗,或要求用戶於指定時間內更新付款資料,否則將取消預訂,藉此誘使用戶點擊可疑連結及提交個人資料、帳戶憑證或信用卡資料。
根據公開資訊,Booking.com 早前曾出現涉及部分預訂資料被未授權存取的保安事件,受影響資料可能包括住客姓名、電郵地址、電話號碼,以及與住宿提供者之間的通訊內容。海外亦有報道指出,有騙徒利用流出的真實訂房資料,針對日本旅客發送假冒 Booking.com 或酒店的訊息,以進一步進行釣魚詐騙。
由於 Booking.com 為本港市民常用的網上旅遊預訂平台之一,香港用戶亦可能面對相同風險。市民如曾透過相關平台預訂酒店、住宿或其他旅遊服務,應提高警覺,慎防受騙。騙徒可能在訊息中附上可疑連結,將用戶導向偽冒的登入、付款或驗證頁面,要求輸入帳戶密碼、信用卡資料、一次性密碼或其他敏感資料。
騙徒亦可能透過 WhatsApp 或其他即時通訊平台進一步聯絡受害人,要求重新驗證付款資料或完成所謂預訂確認程序。相關訊息常以訂房資料未齊全為由,誘使用戶點擊可疑連結補交資料,其中更會夾附用戶的真實入住日期、住客全名等資料,以提高可信性。
最近 mickmick.net 亦有處理涉及 Booking.com 及 Klook 等網上旅遊預訂平台的釣魚個案。個案顯示,騙徒會針對與旅遊預訂相關的平台,設立釣魚網站誘使用戶提交帳戶資料或付款資訊。
以下為相關個案中的釣魚網站頁面:
圖:假冒 Booking.com 的釣魚網站,聲稱用戶需輸入信用卡資料以進行預訂。
圖:假冒網上旅遊預訂平台的釣魚網站頁面。
圖:假冒網上旅遊預訂平台付款驗證頁面的釣魚網站。
mickmick.net 呼籲市民,不應單憑訊息中載有自己的姓名、酒店名稱、預訂資料或行程內容,便判斷其為真確。任何涉及帳戶、付款或預訂異常的通知,均應透過官方渠道核實,以保障個人及財務安全。
對公眾的安全建議
mickmick.net 提醒市民:
如曾提交資料,應立即採取以下行動
如市民懷疑曾於可疑網站輸入個人資料、帳戶憑證或信用卡資料,應盡快採取以下措施:
Type: Phishing
mickmick.net reminds the public to stay alert to phishing attacks impersonating Booking.com and hotel booking notifications. Fraudsters are using what appears to be genuine booking information previously leaked from Booking.com to impersonate the Booking.com platform or hotels, sending travellers emails and WhatsApp messages claiming that there is an issue with their reservation, that payment authorization has failed, or that they must update their payment details within a specified time or their booking will be cancelled. The aim is to lure users into clicking suspicious links and submitting personal information, account credentials, or credit card details.
According to public information, Booking.com previously experienced a security incident involving unauthorized access to certain booking data. The affected information may have included guests’ names, email addresses, phone numbers, and communications between guests and accommodation providers. Overseas reports have also indicated that fraudsters have used leaked genuine booking data to send fake Booking.com or hotel messages targeting Japanese travellers as part of further phishing scams.
As Booking.com is one of the online travel booking platforms commonly used by Hong Kong residents, local users may also face the same risk. Anyone who has used the platform to book hotels, accommodation, or other travel services should remain vigilant and beware of fraud. Fraudsters may include suspicious links in their messages, directing users to fake login, payment, or verification pages and asking them to enter account passwords, credit card details, one-time passwords, or other sensitive information.
Fraudsters may also contact victims through WhatsApp or other instant messaging platforms, asking them to re-verify payment details or complete a so-called booking confirmation process. Such messages often claim that booking information is incomplete and urge users to click suspicious links to provide the missing details. To make the scam appear more convincing, the messages may include genuine information such as the user’s actual check-in date and full guest name.
Recently, mickmick.net has also handled phishing cases involving online travel booking platforms such as Booking.com and Klook. These cases show that fraudsters target platforms related to travel bookings by setting up phishing websites to trick users into submitting account details or payment information.
The following are phishing website pages from related cases:
Image: A phishing website impersonating Booking.com, claiming that users must enter credit card details to proceed with the booking.
Image: A phishing webpage impersonating an online travel booking platform.
Image: A phishing website impersonating an online travel booking platform’s payment verification page.
mickmick.net urges the public not to assume that a message is genuine simply because it contains their name, hotel name, booking details, or itinerary information. Any notification involving account issues, payment issues, or abnormal booking activity should always be verified through official channels in order to protect personal and financial security.
Security Advice for the Public
mickmick.net reminds the public to:
If You Have Already Submitted Information, Take the Following Actions Immediately
If members of the public suspect that they have entered personal information, account credentials, or credit card details on a suspicious website, they should take the following steps as soon as possible:
風險: 中度風險
類型: 伺服器 - 其他伺服器
於 GitLab 發現多個漏洞。遠端攻擊者可利用這些漏洞,於目標系統觸發跨網站指令碼、阻斷服務狀況、權限提升、洩露敏感資料、繞過保安限制及資料篡改。
在安裝軟體之前,請先瀏覽供應商之網站,以獲得更多詳細資料。
安裝供應商提供的修補程式:
RISK: Medium Risk
TYPE: Servers - Other Servers
Multiple vulnerabilities were identified in GitLab. A remote attacker could exploit some of these vulnerabilities to trigger cross-site scripting, denial of service condition, elevation of privilege, sensitive information disclosure, security restriction bypass and data manipulation on the targeted system.
Before installation of the software, please visit the vendor web-site for more details.
Apply fixes issued by the vendor:
風險: 中度風險
類型: 用戶端 - 瀏覽器
於 Google Chrome 發現多個漏洞。遠端攻擊者可利用這些漏洞,於目標系統觸發遠端執行任意程式碼、阻斷服務狀況、繞過保安限制及敏感資料洩露。
在安裝軟體之前,請先瀏覽供應商之網站,以獲得更多詳細資料。
安裝軟件供應商提供的修補程式:
RISK: Medium Risk
TYPE: Clients - Browsers
Multiple vulnerabilities were identified in Google Chrome. A remote attacker could exploit some of these vulnerabilities to trigger remote code execution, denial of service condition, security restriction bypass and sensitive information disclosure on the targeted system.
Before installation of the software, please visit the software vendor web-site for more details.
Apply fixes issued by the vendor:
