Zero Day Initiative
Looking Back at the Zero Day Initiative in 2021
Now that we're almost through the first month of 2022, it's a good opportunity for us to take a look back at 2021 and the accomplishments of the Zero Day Initiative throughout the year. The past year was certainly a year full of its challenges, but we also celebrated some unique achievements in our
GitHub Security Lab - HackerOne
high - [Java] CWE-089: MyBatis Mapper XML SQL Injection
https://github.com/github/securitylab/issues/406
Exodus Intelligence
LiveAction LiveNX AWS Credential Disclosure Vulnerability
EIP-7d4ec9e3 Several versions of LiveAction LiveNX network monitoring software contain Amazon Web Services (AWS) credentials. These credentials have privileged access to the LiveAction AWS infrastructure. A remote attacker may abuse these credentials to gain access to LiveAction internal resources. Vulnerability Identifiers Exodus Intelligence: EIP-7d4ec9e3 MITRE CVE: N/A Vulnerability Metrics CVSSv2 Score: 10 Vendor References This vulnerability has ...
Google Online Security Blog
Reducing Security Risks in Open Source Software at Scale: Scorecards Launches V4
Posted by Laurent Simon and Azeem Shaikh, Google Open Source Security Team (GOSST) Since our July announcement of Scorecards V2, the Score...
Recorded Future - HackerOne
high - DOM XSS vulnerability
## Summary: DOM XSS vulnerability ## Steps To Reproduce: [add details for how we can reproduce the issue] 1. Go to this link: https://api.recordedfuture.com/index.html 2. Open Chrome DevTools and go to the Console tab 3. Type: document.write('...<script>alert(1)</script>...'); 4. And boom! Alert 1! ## Impact XSS can have huge implications for a web application and its users. User...
Synacktiv
Captain Hook - How (not) to look for vulnerabilities in Java applications
During my 6-month internship, I developed a tool to ease vulnerability research on Java applications.
Zero Day Initiative
CVE-2022-21661: Exposing Database Info via WordPress SQL Injection
In October of this year, we received a report from ngocnb and khuyenn from GiaoHangTietKiem JSC covering a SQL injection vulnerability in WordPress. The bug could allow an attacker to expose data stored in a connected database. This vulnerability was recently addressed as CVE-2022-21661 ( ZDI-22-220
Project Zero
Zooming in on Zero-click Exploits
Posted by Natalie Silvanovich, Project Zero Zoom is a video conferencing platform that has gained popularity throughout the pandemic. U...
talosintelligence.com
Advantech SQ Manager Server 1.0.6 privilege escalation vulnerability
Discovered by Yuri Kramarz of Cisco Talos. Summary A privilege escalation vulnerability exists in Advantech SQ Manager Server 1.0.6. A specially-crafted file can be replaced in the system to escala...
talosintelligence.com
Advantech DeviceOn/iService 1.1.7 Server installation privilege escalation vulnerability
Discovered by Yuri Kramarz of Cisco Talos. Summary A privilege escalation vulnerability exists in the installation of Advantech DeviceOn/iService 1.1.7. A specially-crafted file can be replaced in ...
talosintelligence.com
Advantech DeviceOn/iEdge Server 1.0.2 privilege escalation vulnerability
Discovered by Yuri Kramarz of Cisco Talos. Summary A privilege escalation vulnerability exists in the installation of Advantech DeviceOn/iEdge Server 1.0.2. A specially-crafted file can be replaced...
Automattic - HackerOne
high - SSRF & Blind XSS in Gravatar email
Nathan Cavitt (rockybandana) reported a blind XSS issue in the Gravatar service, which was due to incorrect/insufficient sanitization on adding emails to one's profile. The report was of good quality and the issue was fixed within a couple of days of report.
Assetnote
Stealing administrative JWT's through post auth SSRF (CVE-2021-22056)
Application security issues found by Assetnote
Assetnote
Advisory: VMWare Workspace One Access (CVE-2021-22056)
Application security issues found by Assetnote
IBM - HackerOne
high - SQL Injection and plaintext passwords via User Search
An identified SQL Injection vulnerability was reported to IBM, found within an IBM asset. It has been analyzed and resolved. We thank xyantix for reporting this vulnerability.
Synacktiv
Dissecting NTLM EPA with love & building a MitM proxy
Why you never managed to connect to this fre*king NTLM EPA protected website and how to finally reach it.
Django - HackerOne
high - Deserialization of potentially malicious data to RCE
Hello, Django Team! It's my first time working with you, hope it will be great! Note: I have not seen this issue in either known vulnerabilities or documentation, so here I am. ## Summary Several types of caches in https://github.com/django/django/tree/main/django/core/cache/backends use Python `pickle`, which may result in RCE (basically privilege escalation) in case an attacker takes over...
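The report above describes the general hazard rather than demonstrating it. The following is an added example, not code from the Django project or from the reporter, showing why a cache that stores pickled values trusts whoever can write to the cache store: a pickle can name any importable callable in its `__reduce__` and the loader will call it. The "attacker" callable here is a harmless local function so the script is safe to run, and the JSON and restricted-unpickler alternatives are hypothetical mitigations chosen for illustration, not Django's actual fix.

```python
import json
import pickle

# Record of calls made during unpickling, so the example can show
# that loading the blob executed attacker-chosen code.
CALLS = []


def attacker_controlled(arg):
    """Stand-in for os.system & co.: any importable callable works here."""
    CALLS.append(arg)
    return {"cached": "value"}


class Payload:
    """Constructed malicious cache entry: pickle.loads(...) will call
    attacker_controlled("ran") instead of rebuilding a data object."""

    def __reduce__(self):
        return (attacker_controlled, ("ran",))


def build_malicious_entry():
    """What an attacker with write access to the cache store would plant."""
    return pickle.dumps(Payload())


def unsafe_load(blob):
    """What a pickle-backed cache does: deserialize whatever is in the store."""
    return pickle.loads(blob)


def safe_load(text):
    """JSON-only alternative: the serialized form cannot reference callables."""
    return json.loads(text)


class RestrictedUnpickler(pickle.Unpickler):
    """Hypothetical mitigation: refuse every global the format tries to
    import, so only plain data (dicts, lists, strings, numbers) survives."""

    def find_class(self, module, name):
        raise pickle.UnpicklingError(f"forbidden global {module}.{name}")


def restricted_load(blob):
    import io
    return RestrictedUnpickler(io.BytesIO(blob)).load()


def demo():
    """Returns (code_executed, value_returned, json_rejected_blob)."""
    CALLS.clear()
    blob = build_malicious_entry()
    result = unsafe_load(blob)          # runs attacker_controlled("ran")
    executed = "ran" in CALLS
    try:                                 # the same bytes are not valid JSON
        safe_load(blob.decode("latin-1"))
        rejected = False
    except ValueError:
        rejected = True
    return executed, result, rejected


def restricted_demo():
    """Returns (plain_dict_roundtrip, malicious_blob_blocked)."""
    ok = restricted_load(pickle.dumps({"a": 1}))
    try:
        restricted_load(build_malicious_entry())
        blocked = False
    except pickle.UnpicklingError:
        blocked = True
    return ok, blocked


if __name__ == "__main__":
    print(demo())
    print(restricted_demo())
```

The practical point for a cache deployment: a pickle-backed backend turns "can write to memcached/Redis/the file cache directory" into "can run code as the application user", so the store needs the same access controls as the application itself, or the serializer needs to be something that cannot carry callables.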
Ruby - HackerOne
high - Bug Report : [ No Valid SPF Records ]
Hi Team, Hope you are doing well. I found a vulnerability in your web app. URL: https://www.ruby-lang.org/en/s Description: There is an email spoofing vulnerability. Email spoofing is the forgery of an email header so that the message appears to have originated from someone or somewhere other than the actual source. Email spoofing is a tactic used in phishing and spam campaigns because...
Adobe - HackerOne
critical - AEM forms XXE Vulnerability
AEM Forms Cloud Service offering, as well as version 6.5.10.0 (and below) are affected by an XML External Entity (XXE) injection vulnerability that could be abused by an attacker to achieve RCE. CVE: CVE-2021-40722 Ref: https://helpx.adobe.com/security/products/experience-manager/apsb21-103.html We thank @ismailmuh for reporting this to Adobe!
Adobe - HackerOne
critical - Disclosure of GitHub access token in config file via nginx off-by-slash
## Summary: `` is vulnerable to Nginx off-by-slash vulnerability that exposes Git configuration. ## Steps To Reproduce: 1. Visit `https://` to download git config containing username and token. 2. Use it to pull entire source code via `git clone ` Leaked: ``` [core] repositoryformatversion = 0 filemode = true bare = false logallrefupdates = true [remote...
www-users.cs.umn.edu
Detecting Missed Security Operations Through Differential Checking of Object-based Similar Paths
www-users.cs.umn.edu
CPscan: Detecting Bugs Caused by Code Pruning in IoT Kernels
www-users.cs.umn.edu
Static Detection of Unsafe DMA Accesses in Device Drivers
www-users.cs.umn.edu
Detecting Kernel Refcount Bugs with Two-Dimensional Consistency Checking
www-users.cs.umn.edu
OS-Aware Vulnerability Prioritization via Differential Severity Analysis
I am an assistant professor in the Computer Science & Engineering Department of the University of Minnesota--Twin Cities. I research and teach systems security. My primary research lies at the inte...
www-users.cs.umn.edu
Demons in the Shared Kernel: Abstract Resource Attacks Against OS-level Virtualization
www-users.cs.umn.edu
iFIZZ: Deep-State and Efficient Fault-Scenario Generation to Test IoT Firmware
popl21.sigplan.org
Cross-Architecture Testing for Compiler-Introduced Security Bugs
Today's computer systems are insecure. The semantics of mainstream low-level languages like C provide no security against devastating vulnerabilities like buffer overflows and control-flow hijacking. Even for safer languages, establishing security with respect to the language's semantics does not prevent low-level attacks. All the abstraction and security guarantees of the source language may be lost when interacting with low-level code, e.g., when using libraries. Secure compilation is an emerging field that puts together advances in programming languages, security, verification, systems ...
www-users.cs.umn.edu
Unleashing Fuzzing Through Comprehensive, Efficient, and Faithful Exploitable-Bug Exposing
Project Zero Bug Tracker
Windows: EFSRPC Arbitrary File Upload EoP
Project Zero Bug Tracker
Apple ColorSync: out-of-bounds reads due to integer overflows in curve table initialization
Project Zero Bug Tracker
Chrome: Interface ID reuse leading to memory corruption in IPC::ChannelAssociatedGroupController
Zero Day Initiative
Pwn2Own Vancouver Returns for the 15th Anniversary of the Contest
Jump to the contest rules Starting in 2007, Pwn2Own has grown from a small, browser-focused event to become one of the most well-known security contests in the industry. Back then, a successful exploit earned a MacBook and $10,000 for the winner. This past year, the ZDI awarded over $2.5
Zenly - HackerOne
high - Account Takeover via SMS Authentication Flow
An attacker could have taken over a future user account by abusing the session creation endpoint, which was consistently returning the same session token (although not yet valid) for the same user. Once the legitimate user validates the SMS code for that session token, the session would have become valid for both the legitimate user and the attacker.
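The summary above describes the logic flaw in one sentence. The following is an added simulation, not Zenly's code and not the reporter's, that makes the flaw concrete: a session-creation endpoint that derives the same not-yet-valid token for a given phone number on every call, so that when the victim completes the SMS step the attacker's earlier copy of the token is activated too. The class and function names, the phone number and the HMAC-based token derivation are all assumptions made for the example; beside it is a corrected flow that issues one random token per request and binds the SMS code to that token.

```python
import hashlib
import hmac
import secrets

PHONE = "+15555550100"  # constructed sample user


class VulnerableSmsAuth:
    """Token is a pure function of the phone number, so every caller who
    starts a login for that user is handed the same (pending) token."""

    def __init__(self, server_secret):
        self.server_secret = server_secret
        self.valid = set()

    def create_session(self, phone):
        return hmac.new(self.server_secret, phone.encode(),
                        hashlib.sha256).hexdigest()

    def verify_code(self, token, code):
        # The SMS code check itself is assumed correct; the bug is that
        # validation activates a token the attacker already holds.
        self.valid.add(token)
        return True

    def is_valid(self, token):
        return token in self.valid


class FixedSmsAuth:
    """One unpredictable token per create_session call, with the SMS code
    bound to that token; verifying activates only the token it was sent for."""

    def __init__(self):
        self.pending = {}   # token -> (phone, code); a real service also expires these
        self.valid = set()

    def create_session(self, phone):
        token = secrets.token_urlsafe(32)
        code = f"{secrets.randbelow(10**6):06d}"
        self.pending[token] = (phone, code)
        return token, code  # code goes out by SMS; returned here only for the simulation

    def verify_code(self, token, code):
        entry = self.pending.pop(token, None)
        if entry is None or not hmac.compare_digest(entry[1], code):
            return False
        self.valid.add(token)
        return True

    def is_valid(self, token):
        return token in self.valid


def run_vulnerable():
    """Returns whether the attacker's token became valid (True = takeover)."""
    auth = VulnerableSmsAuth(b"server-secret")
    attacker_token = auth.create_session(PHONE)   # attacker starts login first
    victim_token = auth.create_session(PHONE)     # victim starts their own login
    auth.verify_code(victim_token, "123456")      # victim enters the real SMS code
    return auth.is_valid(attacker_token)


def run_fixed():
    """Returns (victim_logged_in, attacker_token_valid) for the corrected flow."""
    auth = FixedSmsAuth()
    attacker_token, _ = auth.create_session(PHONE)
    victim_token, victim_code = auth.create_session(PHONE)
    victim_ok = auth.verify_code(victim_token, victim_code)
    return victim_ok, auth.is_valid(attacker_token)


if __name__ == "__main__":
    print("vulnerable flow, attacker token valid:", run_vulnerable())
    print("fixed flow (victim ok, attacker token valid):", run_fixed())
```

The check to carry into a real review of an SMS or magic-link flow: request two sessions for the same identifier and compare the tokens. If they match, or if the second request lets a different caller finish a login that the first caller started, the session object is being keyed on the user rather than on the individual login attempt.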
SSD Secure Disclosure
SSD Advisory – Uniview PreAuth RCE
Find out how the Chrome Ad-Heavy detection mechanism can be bypassed, bypassing the mechanism would allow ads that are breaching the restrictions imposed by Chrome to still run.
Nord Security - HackerOne
critical - CSRF to change password
Description Cross-Site Request Forgery (CSRF) is a type of attack that occurs when a malicious web site, email, blog, instant message, or program causes a user's web browser to perform an unwanted action on a trusted site for which the user is currently authenticated. I have found CSRF to change password , POC <html> <body> <form action="https://nordvpn.com/profile/"...
Gener8 - HackerOne
high - Clickjacking to change email address
## Summary Clickjacking (User Interface redress attack, UI redress attack, UI redressing) is a malicious technique of tricking a Web user into clicking on something different from what the user perceives they are clicking on, thus potentially revealing confidential information or taking control of their computer while clicking on seemingly innocuous web pages. It allows remote attackers to...
Rhino Security Labs
CVE-2021-41577: MITM to RCE in EVGA Precision X1
Precision X1 is a software overclocking tool released by EVGA, which has recently received CVE-2021-41577.
talosintelligence.com
Adobe Acrobat Reader Javascript event.richValue use-after-free vulnerability
Discovered by Jaewon Min and Aleksandar Nikolic of Cisco Talos. Summary A use-after-free vulnerability exists in the way certain events are handled in Adobe Acrobat Reader 21.007.20091. A specially...
talosintelligence.com
Adobe Acrobat Reader DC annotation gestures integer overflow vulnerability
Discovered by Aleksandar Nikolic of Cisco Talos. Summary An integer overflow vulnerability exists in the way Adobe Acrobat Reader DC 2021.007.20099 supports annotation interactions through javascri...
talosintelligence.com
Google Chrome WebRTC RTPSenderVideoFrameTransformerDelegate memory corruption vulnerability
Discovered by Marcin Towalski of Cisco Talos. Summary A memory corruption vulnerability exists in the WebRTC functionality of Google Chrome 92.0.4515.159 (Stable) and 95.0.4623.0 (Canary). A specia...
Praetorian
Log4J Detector Tool
Summary The Log4Shell vulnerability exposed a remote code execution condition in multiple versions of the popular Apache Log4J2 logging library. Disclosure of the vulnerability and patch release were followed shortly by broad exploitation. Attackers reportedly ranged from hobbyists to mature adversaries. Obfuscation of attack traffic and sophisticated weaponization of the exploit soon followed. Companies were [...]
Project Zero - Root Cause Analysis
CVE-2021-38000: Chrome Intents Logic Flaw
Information about 0-days exploited in-the-wild!
Project Zero Bug Tracker
Linux: unix GC memory corruption by resurrecting a file reference through RCU
Project Zero Bug Tracker
Chrome: heap-use-after-free in storage::BlobURLStoreImpl::Revoke
Zero Day Initiative
The Top 5 Bugs Submitted in 2021
As the new year begins, we thought it would be fun to look back at some of the best bugs submitted during 2021. We had another record-breaking year, with over 1,600 advisories published. In the end, we came up with the following submissions from 2021 that stood out from the pack. Without furth
Atredis Partners
Unauthenticated Remote Code Execution Chain in SysAid ITIL -- CVE-2021-43971, CVE-2021-43972, CVE-2021-43973, CVE-2021-43974
Atredis Partners found a chain of vulnerabilities in the ITIL product offering by SysAid during personal research. Other competitors to this SysAid product are ManageEngine, Remedy, or other ticketing and workflow systems. The full chain of issues allows an unauthenticated attacker to gain full admi
Project Zero Bug Tracker
XNU: heap-use-after-free in inm_merge
Twitter - HackerOne
high - Subdomain takeover of images.crossinstall.com
## Summary images.crossinstall.com points to an AWS S3 bucket that no longer exists. I was able to take control of this bucket and put my own content onto it. I can now serve content on this domain, obtain a TLS certificate for this domain, etc. If any customers or servers are pointing to anything within this domain, I could serve them arbitrary/malicious content. I could also use this in case...
PortSwigger Research
Top 10 web hacking techniques of 2021 - nominations open
Update: nominations are now closed, but voting is live! Cast your vote here. Nominations are now open for the top 10 new web hacking techniques of 2021! Every year security researchers share their dis