This post is part of a series about machine learning and artificial intelligence. Adversaries often leverage supply chain attacks to gain footholds. In machine learning model deserialization issues...
Infosec is, at its heart, all about that data. Obtaining access to it (or disrupting access to it) is on every ransomware gang's and APT group's top-10 to-do list, and so it makes sense that our research voyage would, at some point, cross paths with products intended to
Recently Google published a blog about detecting browser data theft using Windows Event Logs. There are some good points in the post for defenders on how to detect misuse of DPAPI calls attempting ...
Posted by Dave Kleidermacher, VP Engineering, Android Security and Privacy Our commitment to user safety is a top priority for Android. ...
The root cause of this issue appears to be insufficient access controls implemented in the attachment upload functionality for pentest scoping forms. The endpoint responsible for handling attachment uploads did not properly validate the user's access rights to the specific scoping form, allowing any authenticated user to upload files as long as they had the scoping form ID.
According to the...
Discovered by KPC of Cisco Talos. SUMMARY An out-of-bounds read vulnerability exists in the Font functionality of Adobe Acrobat Reader 2023.008.20470. A specially crafted font file embedded into a P...
### Impact
An authenticated user can issue a message server API request that exploits an access control issue, allowing them to bypass tenant isolation controls and exfiltrate job processing metad...
Discovered by KPC of Cisco Talos. SUMMARY An out-of-bounds read vulnerability exists in the Font functionality of Adobe Acrobat Reader 2023.008.20533. A specially crafted font file embedded into a P...
TL;DR In this short follow-up to my previous post, I describe why and how I’ve added support for dynamic reconfiguration of CORS middleware in jub0bs/cors.
Rethinking configuration immutability Up until now, I’ve been arguing that CORS middleware should not be reconfigurable on the fly and that any change to their configuration should require a server restart:
Insofar as CORS relaxes some of the restrictions enforced by the SOP, it is a security-critical mechanism.
Summary Security vulnerabilities in DIR-X4860 allow remote unauthenticated attackers that can access the HNAP port to gain elevated privileges and run commands as root. By combining an authentication bypass with command execution the device can be completely compromised. Credit A security researcher working with SSD Secure Disclosure Vendor Response The vendor has been reached out …
Google and Apple have worked together to create an industry specification Detecting Unwanted Location Trackers for Bluetooth trackin...
In this guest blog from Pwn2Own winner Cody Gallagher, he details CVE-2024-21115, an Out-of-Bounds (OOB) Write that occurs in Oracle VirtualBox and can be leveraged for privilege escalation. This bug was recently patched by Oracle in April. Cody has graciously provided this detailed write-up
## Context
The [https://www.shipt.com](https://www.shipt.com) website allows users to place orders and **modify** them after they were placed.
To modify an order after it was placed, it must be in a state **before** the shopping is in progress. This allows customers to adjust an order before its final shipment.
## Vulnerability
It is possible to **add arbitrary products** to another user's...
## Summary:
Octal Type Handling of Errors in IPv4 Mapped IPv6 Addresses in curl allows unauthenticated remote attackers to perform indeterminate SSRF, RFI, and LFI attacks on many programs that rely on curl.
[RFC 4291](https://datatracker.ietf.org/doc/html/rfc4291#section-2-5-5) defines ways to embed an IPv4 address into IPv6 addresses. One of the methods defined in the RFC is to use...
Introduction Last year, Microsoft released a blogpost about the introduction of Active Directory Certificate Services (ADCS) based detections in Microsoft Defender for Identity (MDI).
Let's say you want to research the secure kernel. You heard about hypervisors and VTL1 and you'd like to see it for yourself, and static analysis is just not always good enough. You need a debugger...
In this guest blog from Master of Pwn winner Manfred Paul, he details CVE-2024-2887, a type confusion bug that occurs in both Google Chrome and Microsoft Edge (Chromium). He used this bug as a part of his winning exploit that led to code execution in the renderer of both browsers. This bug was quic
Sriram Karra and Christiaan Brand, Google product managers Last year, Google launched passkey support for Google Accounts. Passkeys are a n...
Product Security Audits vs. Bug Bounty
Insecure Direct Object Reference vulnerability was reported to IBM, analyzed and has been remediated. Thank you to our external researcher.
Discovered by Dimitrios Tatsis of Cisco Talos. SUMMARY A use-after-free vulnerability exists in the HTTP Connection Headers parsing in Tinyproxy 1.11.1 and Tinyproxy 1.10.0. A specially crafted HTT...
Discovered by Francesco Benvenuto of Cisco Talos. SUMMARY A heap-based buffer overflow vulnerability exists in the comment functionality of stb _vorbis.c v1.22. A specially crafted .ogg file can le...
Discovered by Francesco Benvenuto of Cisco Talos. SUMMARY A firmware update vulnerability exists in the luci2-io file-import functionality of Milesight UR32L v32.3.0.7-r2. A specially crafted netwo...
Posted by Will Harris, Chrome Security Team Chromium's sandboxed process model defends well from malicious web content, but...
There is an ongoing hot topic in the Synacktiv development team between a handful of iOS developers that are willing to work on a full macOS environment and people that'd rather spend an insane amount
Earlier this year, in mid-January, you might have come across this security announcement by GitHub.
In this article, I will unveil the shocking story of how I discovered CVE-2024-0200, a deceptively simple, one-liner vulnerability which I initially assessed to likely be of low impact, and how I turned it into one of the most impactful bugs in GitHub's bug bounty history.
Spoiler: The vulnerability enabled disclosure of all environment variables of a production container on GitHub.
Discovered by KPC of Cisco Talos. SUMMARY A use-after-free vulnerability exists in the way Foxit Reader 2024.1.0.23997 handles a Barcode widget. A specially crafted JavaScript code inside a malicio...
Discovered by KPC of Cisco Talos. SUMMARY A type confusion vulnerability exists in the way Foxit Reader 2024.1.0.23997 handles a Lock object. A specially crafted JavaScript code insid...
Discovered by KPC of Cisco Talos. SUMMARY A use-after-free vulnerability exists in the way Foxit Reader 2024.1.0.23997 handles a ComboBox widget. A specially crafted JavaScript code inside a malici...
Assertion failed in node::http2::Http2Session::~Http2Session() leads to HTTP/2 server crash (CVE-2024-27983) - (High)
An attacker can make the Node.js HTTP/2 server completely unavailable by sending a small number of packets, each with a few HTTP/2 frames inside. It is possible to leave some data in nghttp2 memory after reset when headers with HTTP/2 CONTINUATION frame are sent to the...
Posted by Steve Kafka and Khawaja Shams (Android Security and Privacy Team), and Mohet Saxena (Play Trust and Safety) A safe and trusted ...
Learn how to use CodeQL for security research and improve your security research workflow.
A critical vulnerability was discovered in the HackerOne platform that allowed an attacker to gain unauthorized access to attachments belonging to other users through the report summary editing functionality. By manipulating attachment IDs in the request, an attacker could view sensitive files that should have been restricted. The core issue was an Insecure Direct Object Reference (IDOR)...
Lambert Rosique and Jan Keller, Security Workflow Automation, and Diana Kramer, Alexandra Bowen and Andrew Cho, Privacy and Security Inciden...
Praetorian identifies a local privilege escalation vulnerability arising from the application exposing an unauthenticated Java Management Extensions (JMX) remote management interface on localhost that was accessible by unprivileged local operating system users.
## Summary
A malicious PPPoE server can cause denial-of-service or potentially remote code execution in kernel context on the PS4/PS5.
## Heap buffer overwrite and overread in sppp_lcp_RCR and sppp_ipcp_RCR
For some reason, the PS4/PS5 is vulnerable to [CVE-2006-4304](https://www.freebsd.org/security/advisories/FreeBSD-SA-06:18.ppp.asc). By having invalid options, it is possible to cause a...
Posted by Yoshi Yamaguchi, Santiago Díaz, Maud Nalpas, Eiji Kitamura, DevRel team The Reporting API is an emerging web standard that pr...
The reporter, an NDA'd contributor with access to the internal Mozilla Slack instance, found a Jira admin API token hard-coded in a script which was shared in a public Slack channel. The API key was revoked and the script was deleted from the public channel.
CVE-2024-24549 Apache Tomcat - Denial of Service
Severity: Important
Vendor: The Apache Software Foundation
Versions Affected:
Apache Tomcat 11.0.0-M1 to 11.0.0-M16
Apache Tomcat 10.1.0-M1 to 10.1.18
Apache Tomcat 9.0.0-M1 to 9.0.85
Apache Tomcat 8.5.0 to 8.5.98
Description:
When processing an HTTP/2 request, if the request exceeded any of the configured limits for headers, the associated...
An issue was reported whereby GitHub secrets were leaked via GitHub Actions. We worked with the reporter to resolve this issue, and it appears widespread.
Posted by Kaleigh Rosenblat, Chrome Enterprise Senior Staff Software Engineer, Security Lead Generative AI has emerged as a powerful and pop...
Information about 0-days exploited in-the-wild!
In this excerpt of a Trend Micro Vulnerability Research Service vulnerability report, Guy Lederfein and Jason McFadyen of the Trend Micro Research Team detail a recently patched remote code execution vulnerability in Microsoft Windows. This bug was originally discovered by the Microsoft Offensive Re
We detail Operation MidnightEclipse, a campaign exploiting command injection vulnerability CVE-2024-3400, and include protections and mitigations.
It's the second Tuesday of the month, and Adobe and Microsoft have released a fresh crop of security updates. Take a break from your other activities and join us as we review the details of their latest advisories. If you'd rather watch the full video recap covering the entire release, you can check
An attacker can make the Node.js HTTP/2 server completely unavailable by sending a small number of packets, each with a few HTTP/2 frames inside. It is possible to leave some data in nghttp2 memory after reset when headers with HTTP/2 CONTINUATION frame are sent to the server and then a TCP connection is abruptly closed by the client, triggering the Http2Session destructor while header...