Unsanitized input from CLI argument flows into `io.ioutil.ReadFile`, where it is used as a path. This may result in a Path Traversal vulnerability and allow an attacker to read arbitrary files.
See this fix: https://github.com/hyperledger/fabric/pull/3573
## Impact
There is a path traversal vulnerability in the source code of Fabric.
Today at the Black Hat USA conference, we announced some new disclosure timelines. Our standard 120-day disclosure timeline for most vulnerabilities remains, but for bug reports that result from faulty or incomplete patches, we will use a shorter timeline. Moving forward, the ZDI will adopt a tier
Information about 0-days exploited in-the-wild!
A deep dive into an in-the-wild Android exploit Guest Post by Xingyu Jin, Android Security Research This is part one of a two-part guest...
The recent rise of HTTP Request Smuggling has seen a flood of critical findings enabling near-complete compromise of numerous major websites. However, the threat has been confined to attacker-accessib
Posted by Eduardo Vela, Exploit Critic Cover of the medieval cookbook. Title in large letters kernel Exploits. Adorned. Featuring a small pe...
Fuzzing framework for Robot Operating System (ROS) and ROS-based robotic systems - GitHub - sslab-gatech/RoboFuzz: Fuzzing framework for Robot Operating System (ROS) and ROS-based robotic systems
An account takeover was detected in our sign-up with Apple flow, where an email parameter was manipulated in the request flow to our servers. This scenario can only be performed on an Apple ID account not previously linked with Glassdoor. Changing the email in the request flow allowed the researcher to take over a dummy account and perform actions on that dummy account without the user knowing...
HackerOne has an internal backend interface that gives debugging capabilities to its engineers. One of the features is the ability to run `EXPLAIN ANALYZE` queries against a connected database. This feature is accessible by a handful of engineers. The feature is vulnerable to a SQL injection that allows an attacker to escape the transaction that is wrapped around the `EXPLAIN ANALYZE` query....
The Praetorian Red Team outlines modernized phishing techniques they use to identify gaps in real-world enterprises' deeply trusted services.
New attack on certificate transparency reveals previously unknown domains!
This blog post will first give a brief overview of obfuscation based on Mixed-Boolean-Arithmetic (MBA), how it has historically been attacked and what are the known limitations. The main focus will then shift to an extension of the oracle-based synthesis approach, detailing how combining program synthesis with the equality saturation technique produces significantly more simplification opportunities. Finally, a set of examples spanning from different MBA categories over unsolved limitations up to future work ideas will hopefully serve as food for thoughts to the reader. Across the post, references to existing research are provided to delve into additional details and deepen the understanding of the topics.
By Rohit Bhatia, Mollie Bates, Google Chrome Security There are various threats a user faces when browsing the web. Users may be tricked ...
Bad handling by Apple Safari allows attackers to use certain look-alike characters instead of the real ones, confusing victims into thinking they are reaching a certain site while they are actually accessing another one.
## Summary:
Found the HTTP PUT method enabled on the web server. I tested writing the file /codeslayer137.txt to the server using the PUT verb, and the contents of the file were then retrieved using the GET verb.
## Steps To Reproduce:
Request:
```
PUT /codeslayer137.txt HTTP/1.1
Host: downloader.ratelimited.me
Content-Length: 21
Connection: close

Testing By CodeSlayer
```
Response:
```
HTTP/1.1...
```
## fabric-ca server
- Default configuration `maxenrollments` value is -1 (enables outside enrollment)
- Listening on 0.0.0.0:7054 (easily discovered and reachable)
- No limit on wrong password attempts
The above conditions allow a brute-force attack against the CA server admin account.
## Impact
The attacker gains a high-level permissioned account on the permissioned network and can add/delete/update/query.
## Summary:
XSS vulnerability in mtn.bj via the uploaded file name
## Steps To Reproduce:
1. Go to:
https://www.mtn.bj/business/ressources/formulaires/plan-de-localisation-de-compte/?next=https://www.mtn.bj/business/ressources/formulaires/formulaire-de-souscription/
2. Fill all inputs with any data
3. In the file upload, upload a file whose name carries a payload such as: `"><img src=x...`
## Summary:
A user with the permissions to create an ingress resource can obtain the ingress-nginx service account token, which can list secrets in all namespaces (cluster wide).
## Kubernetes Version:
1.20 (should work on 1.21 as well)
## Component Version:
NGINX ingress controller v1.0.4
## Steps To Reproduce:
I deployed the latest ingress-controller (v1.0.4).
I...
From business logic vulnerabilities to server-side request forgery, ethical hacker details how you can hack web applications in simple steps
James Kettle’s 2016 research was instrumental in raising awareness of the deleterious effects of CORS (Cross-Origin Resource Sharing) misconfiguration on Web security. Does the story end there, though? Is writing about CORS-related security issues in 2022 futile? I don’t think so.
This post is the first in a series in which I will discuss more minor CORS-related issues and present lesser-known detection techniques. My primary audience is people on the offensive side, but folks on the defensive side may also find this series interesting.
## Summary:
There's no check whether the user is a moderator of the particular subreddit when accessing the mod logs via gql.reddit.com using the operation id. You can change the parameter **subredditName** to any target subreddit name which is public or restricted and get access to the mod logs of that subreddit.
## Steps To Reproduce:
+ Log into any account as an attacker and get the...
In web3, trust dependencies are fundamental to security. Awareness of the security impact other codebases have on your project is key.
Discovered by Jaewon Min of Cisco Talos. SUMMARY An integer overflow vulnerability exists in the way ESTsoft Alyac 2.5.8.544 parses OLE files. A specially-crafted OLE file can lead to a heap buffer...
We identified five key AWS security trends of 2022, based on our analysis of their security related work. Here is why they matter.
Hi,
# Description
I've been researching new ways to steal OAuth codes and access tokens using postMessage, and I found a way to steal the code and/or access token from Apple sign-in on reddit.com, allowing a full hijack of the Reddit account.
The way it works is this:
1. Attacker prepares a `state`-parameter in its own browser from the regular Apple sign-in flow in Reddit....
**Summary:** The Rocket.Chat Desktop app passes the links users click on to Electron's `shell.openExternal()` function which can lead to remote code execution.
**Description:** The filtering on the URLs passed to `shell.openExternal()` is insufficient. An attacker can craft and send a link that when clicked will cause malicious code from a remote origin to be executed on the user's system. The...
Discovered by Carl Hurd of Cisco Talos. SUMMARY An OS command injection vulnerability exists in the confsrv ucloud_add_new_node functionality of TCL LinkHub Mesh Wi-Fi MS1G_00_01.00_14. A specially-...
Discovered by Carl Hurd of Cisco Talos. SUMMARY A hard-coded password vulnerability exists in the libcommonprod.so prod_change_root_passwd functionality of TCL LinkHub Mesh Wi-Fi MS1G_00_01.00_14. ...
Discovered by Carl Hurd of Cisco Talos. SUMMARY A stack-based buffer overflow vulnerability exists in the confsrv ucloud_set_node_location functionality of TCL LinkHub Mesh Wi-Fi MS1G_00_01.00_14. ...
Discovered by Carl Hurd of Cisco Talos. SUMMARY An OS command injection vulnerability exists in the confsrv ucloud_add_node functionality of TCL LinkHub Mesh Wi-Fi MS1G_00_01.00_14. A specially-cra...
Discovered by Carl Hurd of Cisco Talos. SUMMARY A stack-based buffer overflow vulnerability exists in the confsrv addTimeGroup functionality of TCL LinkHub Mesh Wi-Fi MS1G_00_01.00_14. A specially-...
Discovered by Carl Hurd of Cisco Talos. SUMMARY An information disclosure vulnerability exists in the confctl_get_master_wlan functionality of TCL LinkHub Mesh Wi-Fi MS1G_00_01.00_14. A specially-c...
Discovered by Carl Hurd of Cisco Talos. SUMMARY A denial of service vulnerability exists in the confctl_set_master_wlan functionality of TCL LinkHub Mesh Wi-Fi MS1G_00_01.00_14. A specially-crafted ...
Discovered by Carl Hurd of Cisco Talos. SUMMARY A stack-based buffer overflow vulnerability exists in the confsrv set_port_fwd_rule functionality of TCL LinkHub Mesh Wi-Fi MS1G_00_01.00_14. A specia...
Discovered by Carl Hurd of Cisco Talos. SUMMARY A denial of service vulnerability exists in the confctl_set_guest_wlan functionality of TCL LinkHub Mesh Wi-Fi MS1G_00_01.00_14. A specially-crafted ...
Discovered by Carl Hurd of Cisco Talos. SUMMARY A stack-based buffer overflow vulnerability exists in the confsrv confctl_set_app_language functionality of TCL LinkHub Mesh Wi-Fi MS1G_00_01.00_14. ...
Discovered by Carl Hurd of Cisco Talos. SUMMARY A stack-based buffer overflow vulnerability exists in the confsrv ucloud_add_node_new functionality of TCL LinkHub Mesh Wi-Fi MS1G_00_01.00_14. A spe...
CVE-2022-24021,CVE-2022-24011,CVE-2022-24028,CVE-2022-24023,CVE-2022-24026,CVE-2022-24016,CVE-2022-24005,CVE-2022-24019,CVE-2022-24029,CVE-2022-24007,CVE-2022-24017,CVE-2022-24008,CVE-2022-24006,CV...
An XSS was found in Cactus, a project that is not part of the bounty program.
The report demonstrates a method of using up HelloFax credits by forging email requests. A fix for the issue has been released and was applied to existing and new users through an automatic update.
An attacker could exploit this vulnerability by entering a victim's HelloFax line number into a third-party mailer service.
The Email Routing feature enables Cloudflare users to create any number of custom email addresses and route all incoming messages to the user's preferred inboxes.
Due to a bug in zone ownership verification, it was possible to configure Email Routing to redirect e-mail messages for an unverified zone (with Email Routing enabled) to a different mailbox. In addition, the vulnerability allowed the...
## Summary
The Acronis True Image application has a SUID binary "Acronis True Image" that starts another binary "console" in the same directory. The SUID binary does some checks on "console" before it is run to make sure the correct binary is being executed. By using a hardlink to the SUID binary we can coerce it to try to load "console" from a chosen directory we can write to. From this point we...
We provide an overview of CVE-2022-26809, CVE-2022-26923 and CVE-2022-26925, along with recommendations for mitigation.
Over the last few years, multiple VMware ESXi remote, unauthenticated code execution vulnerabilities have been publicly disclosed. Some were also found to be exploited in the wild. Since these bugs were found in ESXi's implementation of the SLP service, VMware provided workarounds to turn off th
The full write-up of the bug can be found in our blog post: https://blog.credshields.com/race-condition-in-tendermints-starport-7cebe176d935
The root cause of the bug was in the function Transfer at
https://github.com/tendermint/starport/blob/7812125/starport/pkg/cosmosfaucet/transfer.go#L50-L74
We can notice in the code that each request to the faucet causes two actions to be made; one for...
We break down our approach to an automotive security assessment: authorized hacking on a car component to help clients stay a step ahead.