Home
A web cache deception issue was reported by @bombon
For the exploit to trigger, the victim must be logged-in to Glassdoor and must also visit an attacker-controlled page that makes the victim hit the caching page, programmatically fetch the cached CSRF token (gdToken), and forge and send a request on the victim's behalf leading to CSRF attacks.
We have resolved this by eliminating the caching...
Bug Bounty Automation is the key to success for many expert bug bounty hunters including Hakluke. He walks through how he does it.
Discovered by Lilith >_> of Cisco Talos. Summary An authentication bypass vulnerability exists in the process_msg() function of the home_security binary of Anker Eufy Homebase 2 2.1.6.9h. A special...
Discovered by Lilith >_> of Cisco Talos. Summary A command execution vulnerability exists in the wifi_country_code_update functionality of the home_security binary of Anker Eufy Homebase 2 2.1.6.9h...
Discovered by Lilith >_> of Cisco Talos. Summary An out-of-bounds write vulnerability exists in the CMD_DEVICE_GET_SERVER_LIST_REQUEST functionality of the home_security binary of Anker Eufy Homeba...
Discovered by Lilith >_> of Cisco Talos. Summary An authentication bypass vulnerability exists in the CMD_DEVICE_GET_RSA_KEY_REQUEST functionality of the home_security binary of Anker Eufy Homebase...
Discovered by Lilith >_> of Cisco Talos. Summary An authentication bypass vulnerability exists in the get_aes_key_info_by_packetid() function of the home_security binary of Anker Eufy Homebase 2 2....
Find out how the Chrome Ad-Heavy detection mechanism can be bypassed, bypassing the mechanism would allow ads that are breaching the restrictions imposed by Chrome to still run.
TLDR I woke up one day and realized I didn't know much about the FIX protocol. So I spent a few days looking into it and then created a Burp extension to make my life easier. Then I thought, why no...
## Summary:
Blind Cross-Site Scripting (XSS) was discovered at Digital Ocean Partners admin panel/dashboard where an attacker can run arbitrary Javascript Code at victims' end. Due to the absence of an HTTPonly cookie, an attacker can successfully steal the cookies of the user and use them to login to the system.
## Steps To Reproduce:
1. Go to https://partners.digitalocean.com/ and click...
There is a lot of legacy software running all over the network. This is an excellent example of technological debt. And the debt means that we are borrowing. We borrow time before compromise. Its quite easy to identify that some software or system is outdated and no longer supported. Yet, it seems that no one ...
Several materials already describe this type of attack, this document is an operational feedback from the CSIRT Synacktiv on several BEC incidents based on Microsoft 365 service. This is the part one
CVE-2021-21924,CVE-2021-21925,CVE-21926,CVE-2021-21927,CVE-2021-21928,CVE-2021-21929,CVE-2021-21930,CVE-2021-21931,CVE-2021-21932,CVE-2021-21933,CVE-2021-21934,CVE-2021-21935,CVE-2021-21936,CVE-202...
Discovered by Yuri Kramarz of Cisco Talos. Summary Multiple exploitable SQL injection vulnerabilities exist in the company_list page of the Advantech R-SeeNet 2.4.15 (30.07.2021). A specially-cra...
Discovered by Yuri Kramarz of Cisco Talos. Summary Multiple exploitable SQL injection vulnerabilities exist in the user_list page of the Advantech R-SeeNet 2.4.15 (30.07.2021). A specially-crafte...
Discovered by Yuri Kramarz of Cisco Talos. Summary A privilege escalation vulnerability exists in the Windows version of installation for Advantech R-SeeNet Advantech R-SeeNet 2.4.15 (30.07.2021). ...
Discovered by Marcin 'Icewall' Noga of Cisco Talos. Summary A php unserialize vulnerability exists in the Ai-Bolit functionality of CloudLinux Inc Imunify360 5.8 and 5.9. A specially-crafted malfor...
Discovered by Yuri Kramarz of Cisco Talos. Summary Multiple exploitable SQL injection vulnerabilities exist in the group_list page of the Advantech R-SeeNet 2.4.15 (30.07.2021). A specially-craft...
A privilege escalation vulnerability was identified in Lark which could have potentially allowed an attacker to approve the apps in the same tenant by bypassing the admin approval. We thank @imran_nisar for reporting this to our team.
It was found that the fix for CVE-2021-41773 in Apache HTTP Server 2.4.50 was insufficient. An attacker could use a path traversal attack to map URLs to files outside the directories configured by Alias-like directives.
If files outside of these directories are not protected by the usual default configuration "require all denied", these requests can succeed. If CGI scripts are also enabled for...
It was found that the fix for CVE-2021-41773 in Apache HTTP Server 2.4.50 was insufficient. An attacker could use a path traversal attack to map URLs to files outside the directories configured by Alias-like directives.
If files outside of these directories are not protected by the usual default configuration "require all denied", these requests can succeed. If CGI scripts are also enabled for...
In this installment of our MindShaRE series, ZDI vulnerability researcher Michael DePlante describes how he uses the IO Ninja tool for reverse engineering and software analysis. According to its website , IO Ninja provides an all-in-one terminal emulator, sniffer, and protocol analyzer. The t
### Summary
I am continue investigating #1106238 and found additional vector for prototype pollution and stored xss.
### Steps to reproduce
1. Create an issue in any repository
2. Create mermaid diagram with following payload:
```
%%{init: { '__proto__': {'template': '<iframe xmlns=\"http://www.w3.org/1999/xhtml\" srcdoc=\"<script...
In this post, Ill use three bugs that I reported to Qualcomm in the NPU (neural processing unit) driver to gain arbitrary kernel code execution as root user and disable SELinux from the untrusted app sandbox in an Android phone.
In this report, the researcher discovered and demonstrated a method to hijack access to a Social Club account via a previously-linked Epic Games or Steam account.
To perform the attack, the attacker first needed access to a Steam or Epic Games account with entitlement to a game with Social Club connectivity (such as GTAV or RDR2) and that had previously been linked to a Social Club account...
Discovered by Lilith >_> of Cisco Talos. Summary A code execution vulnerability exists in the dxfRW::processLType() functionality of LibreCad libdxfrw 2.2.0-rc2-19-ge02f3580. A specially-crafted .d...
Discovered by Lilith >_> of Cisco Talos. Summary A code execution vulnerability exists in the dwgCompressor::decompress18() functionality of LibreCad libdxfrw 2.2.0-rc2-19-ge02f3580. A specially-cr...
Discovered by Lilith >_> of Cisco Talos. Summary A code execution vulnerability exists in the dwgCompressor::copyCompBytes21 functionality of LibreCad libdxfrw 2.2.0-rc2-19-ge02f3580. A specially-c...
Introduction A Vulnerability Researchers Favorite Stress Relief Continuing in our series of research findings involving Netgear 1 produc...
Introduction
### Summary
Gitlab is using the ruby gem "rouge" which has a ReDoS vulnerability. In rouge, the lexers used to parse programming languages rely heavily on regular expressions. Some of the regular expressions have cubic worst-case complexity and are vulnerable to Regular Expression Denial of Service (ReDoS). By crafting malicious input, an attacker can cause Denial of Service.
In Gitlab, rouge...
## Summary:
Hello,
When hunting for your web application.
I have managed to go https://cars.fas.gsa.gov/cars/cars and get displayed with a form.
I have already tried to login to Cars and without success.
However i've noticed the loginChk() function and change the value of the form hence bypassing it and logging in succesfuly.
## Steps To Reproduce:
1. go to...
Victure's WR1200 WiFi router, also sometimes referred to as AC1200, was found to have multiple vulnerabilities exposing its owners to potential intrusion in their local WiFi network and complete overtake of the device.
Posted by Jonathan Metzman, Google Open Source Security Team In recent years, continuous fuzzing has become an essential part of the softwa...
A flaw was found in a change made to path normalization in Apache HTTP Server 2.4.49. An attacker could use a path traversal attack to map URLs to files outside the directories configured by Alias-like directives.
If files outside of these directories are not protected by the usual default configuration "require all denied", these requests can succeed. If CGI scripts are also enabled for these...
Stark Bank is a financial technology company that provides services to simplify and automate digital banking, by providing APIs to perform operations such as payments and transfers. In addition, Stark Bank maintains a number of cryptographic libraries to perform cryptographic signing and verification. These popular libraries are meant to be used to integrate with the Stark Bank ecosystem, but are also accessible on popular package manager platforms in order to be used by other projects. The node package manager reports around 16k weekly downloads for the ecdsa-node implementation while the Python implementation boasts over 7.3M downloads in the last 90 days on PyPI. A number of these libraries suffer from a vulnerability in the signature verification functions, allowing attackers to forge signatures for arbitrary messages which successfully verify with any public key.
