最近更新
时间 | 节点 | |
---|---|---|
2023年9月22日 21:37 | 知名组件CVE监控 |
有新的漏洞组件被发现啦,组件ID:Jenkins Jenkins 2.423 and earlier, LTS 2.414.1 and earlier does not escape the value of the 'caption' constructor parameter of 'ExpandableDetailsNote', resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers able to control this parameter. |
2023年9月22日 21:37 | 知名组件CVE监控 |
有新的漏洞组件被发现啦,组件ID:Jenkins Jenkins 2.50 through 2.423 (both inclusive), LTS 2.60.1 through 2.414.1 (both inclusive) does not exclude sensitive build variables (e.g., password parameter values) from the search in the build history widget, allowing attackers with Item/Read permission to obtain values of sensitive variables used in builds by iteratively testing different characters until the correct sequence is discovered. |
2023年9月22日 21:37 | Data Breach – Security Affairs |
Air Canada, the flag carrier and largest airline of Canada, announced that the personal information of some employees was exposed as a result of a recent cyberattack. Air Canada, the flag carrier and largest airline of Canada, announced that threat actors had access to the personal information of some employees during a recent cyberattack. “An […] The post Information of Air Canada employees exposed in recent cyberattack appeared first on Security Affairs. |
2023年9月22日 21:36 | 知名组件CVE监控 |
有新的漏洞组件被发现啦,组件ID:F5 D-LINK DWL-6610 FW_v_4.3.0.8B003C was discovered to contain a command injection vulnerability in the function sub_2EF50. This vulnerability allows attackers to execute arbitrary commands via the manual-time-string parameter. |
2023年9月22日 21:35 | 知名组件CVE监控 |
有新的漏洞组件被发现啦,组件ID:Apache plone.rest allows users to use HTTP verbs such as GET, POST, PUT, DELETE, etc. in Plone. Starting in the 2.x branch and prior to versions 2.0.1 and 3.0.1, when the `++api++` traverser is accidentally used multiple times in a url, handling it takes increasingly longer, making the server less responsive. Patches are available in `plone.rest` 2.0.1 and 3.0.1. Series 1.x is not affected. As a workaround, one may redirect `/++api++/++api++` to `/++api++` in one's frontend web server (nginx, Apache). |
2023年9月22日 21:35 | Light Blue Touchpaper |
I was delighted by two essays by Anton Howes on The Replication Crisis in History Open History. We computerists have long had an open culture: we make our publications open, as well as sharing the software we write and the data we analyse. My work on security economics and security psychology has taught me that … Continue reading Extending transparency, and happy birthday to the archive → |
2023年9月22日 21:31 | 知名组件CVE监控 |
有新的漏洞组件被发现啦,组件ID:Yii web\ViewAction in Yii (aka Yii2) 2.x before 2.0.5 allows attackers to execute any local .php file via a relative path in the view parameeter.
😕
2
|
2023年9月22日 21:31 | T00ls论坛 | |
2023年9月22日 21:31 | T00ls论坛 |
👍
1
|
2023年9月22日 21:11 | Github关注 | |
2023年9月22日 21:01 | Github_POC |
ESPv2 is a service proxy that provides API management capabilities using Google Service Infrastructure. ESPv2 2.20.0 through 2.42.0 contains an authentication bypass vulnerability. API clients can craft a malicious `X-HTTP-Method-Override` header value to bypass JWT authentication in specific cases. ESPv2 allows malicious requests to bypass authentication if both the conditions are true: The requested HTTP method is **not** in the API service definition (OpenAPI spec or gRPC `google.api.http` proto annotations, and the specified `X-HTTP-Method-Override` is a valid HTTP method in the API service definition. ESPv2 will forward the request to your backend without checking the JWT. Attackers can craft requests with a malicious `X-HTTP-Method-Override` value that allows them to bypass specifying JWTs. Restricting API access with API keys works as intended and is not affected by this vulnerability. Upgrade deployments to release v2.43.0 or higher to receive a patch. This release ensures that JWT authentication oc [ |
2023年9月22日 19:38 | Stories by SAFARAS K A on Medi |
Summary In this article I will explain what Cross-Site Scripting (XSS) is and show you how attackers can exploit XSS. For example, how an attacker can grab the victim’s stored browser passwords. Source: https://www.reddit.com/r/xss/ Disclaimer This article is for informational and educational purpose only, and for those who’re willing and curious to know and learn about Security and Penetration Testing. The content may not be used for illegal purposes. If you’re ready to learn something new for the good, then read on. Details Cross-site scripting (XSS) is a web security vulnerability that allows attackers to compromise user interaction with vulnerable web applications. In a cross-site scripting attack, an attacker injects malicious browser-side script into a trusted website. Since the script runs on the target website, no Same Origin Policy (SOP) restrictions are triggered. Assuming the script comes from a trusted source, the script can access cookies, session tokens, or other sensitive information stored in |
2023年9月22日 19:31 | Github关注 |
The Network Execution Tool |
2023年9月22日 19:11 | 腾讯玄武实验室推送 |
分析 Agniane Stealer |
2023年9月22日 19:11 | 腾讯玄武实验室推送 |
WebP 图像库中的堆缓冲区溢出 |
2023年9月22日 19:11 | 腾讯玄武实验室推送 |
在多个服务器上使用高并行度运行 AFL++ |
2023年9月22日 19:11 | 腾讯玄武实验室推送 |
高级 root 检测和绕过技术,以名为 RootDetector 的 root 检测应用程序为示例的分析 |
2023年9月22日 19:11 | 腾讯玄武实验室推送 |
无需 VirtualProtect,解除 Crowdstrike Falcon 的系统钩子 |
2023年9月22日 19:11 | 腾讯玄武实验室推送 |
向 Android 14 中注入系统 CA 证书的新方法 |
2023年9月22日 19:11 | 腾讯玄武实验室推送 |
PyPI 中分发恶意包的新方法,以及包管理器和安全扫描工具如何以不同的方式解决依赖关系 |
2023年9月22日 19:11 | T00ls论坛 | |
2023年9月22日 19:11 | 腾讯玄武实验室推送 |
ssl.SSLSocket 容易绕过 TLS 握手,将发送的未加密数据视为握手后 TLS 加密数据 |
2023年9月22日 19:11 | 腾讯玄武实验室推送 |
SolarWind平台中的反序列化远程代码执行漏洞 |
2023年9月22日 18:51 | freebuf |
站在安全部门角度(非合规),在参与公司个人信息合规管理体系建设中理想的角色是怎么样的? |
2023年9月22日 18:51 | 360安全客 | |
2023年9月22日 18:51 | 看雪论坛 |
据了解,攻击者可以利用此漏洞访问敏感信息,或使用所冒充用户的提升权限来访问或修改源代码,或在系统上运行任意代码。
🎉
1
|
2023年9月22日 18:31 | 绿盟科技博客 |
近期,绿盟科技伏影实验室在日常威胁狩猎过程中发现了一种依托钓鱼文档的新型攻击流程。
👍
1
|
2023年9月22日 17:51 | Github关注 |
A simple tool for extracting files from iOS backup archive. |
2023年9月22日 17:39 | 绿盟科技博客 |
近日,绿盟科技CERT监测到用友官方发布安全通告,修复了用友U8Cloud ServiceDispatcher接口存在的反序列化漏洞。 |
2023年9月22日 17:39 | 绿盟科技博客 |
近日,绿盟科技CERT监测到Apple官方修复了多个产品中的3个0day漏洞。 |