Cybersecurity information flow



Time    Source
2023-09-22 21:37 Well-known Component CVE Monitoring
Jenkins 2.423 and earlier, LTS 2.414.1 and earlier does not escape the value of the 'caption' constructor parameter of 'ExpandableDetailsNote', resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers able to control this parameter.

2023-09-22 21:37 Well-known Component CVE Monitoring
Jenkins 2.50 through 2.423 (both inclusive), LTS 2.60.1 through 2.414.1 (both inclusive) does not exclude sensitive build variables (e.g., password parameter values) from the search in the build history widget, allowing attackers with Item/Read permission to obtain values of sensitive variables used in builds by iteratively testing different characters until the correct sequence is discovered.
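As an added example (not Jenkins code), the following Python models the oracle this advisory describes: a build-history search that matches parameter values by substring and, in the vulnerable version, includes password parameters in what it searches. An attacker who can only read the job confirms one character at a time, discarding hits that are already explained by the non-sensitive parameters shown on the build page. Substring matching, the build numbers, parameter names and the secret value are all constructed assumptions for the demo.

```python
"""Added example (not Jenkins code): model of the build-history search
oracle. The vulnerable search matches every parameter value, including
password parameters; the fixed search leaves sensitive values out.
Builds, parameter names and the secret below are constructed sample data."""
import string
from dataclasses import dataclass, field


@dataclass
class Param:
    name: str
    value: str
    sensitive: bool = False  # True for password parameters


@dataclass
class Build:
    number: int
    params: list = field(default_factory=list)


def search_vulnerable(builds, needle):
    """Build numbers whose parameter values contain `needle`
    (assumption: substring matching, every parameter searched)."""
    return [b.number for b in builds
            if any(needle in p.value for p in b.params)]


def search_fixed(builds, needle):
    """Same search, but sensitive parameter values are excluded."""
    return [b.number for b in builds
            if any(needle in p.value for p in b.params if not p.sensitive)]


def make_oracle(search, builds, target, visible_values):
    """Yes/no oracle for the attacker: does `needle` hit the target build,
    and is the hit not already explained by a parameter value the attacker
    can read on the build page anyway?"""
    def oracle(needle):
        if any(needle in v for v in visible_values):
            return False
        return target in search(builds, needle)
    return oracle


def recover_value(oracle, alphabet, max_len=64):
    """Grow a confirmed substring one character at a time: find a seed
    character, extend to the right while the oracle says yes, then extend
    to the left. Returns '' when nothing can be confirmed."""
    found = next((c for c in alphabet if oracle(c)), "")
    if not found:
        return ""
    for side in ("right", "left"):
        while len(found) < max_len:
            for c in alphabet:
                candidate = found + c if side == "right" else c + found
                if oracle(candidate):
                    found = candidate
                    break
            else:
                break  # no character extends the match on this side
    return found


ALPHABET = string.ascii_lowercase + string.digits

# Constructed sample data: build #7 is the target; its password parameter
# is the value a reader of the job must not be able to learn.
BUILDS = [
    Build(5, [Param("BRANCH", "release-2023"),
              Param("DEPLOY_PASSWORD", "s3cret", True)]),
    Build(7, [Param("BRANCH", "main"),
              Param("DEPLOY_PASSWORD", "hunter2", True)]),
]
VISIBLE = ["main"]  # non-sensitive parameters are displayed on the build page


def run_attack(search):
    """Run the character-by-character recovery against one search function."""
    return recover_value(make_oracle(search, BUILDS, 7, VISIBLE), ALPHABET)


if __name__ == "__main__":
    print("vulnerable search leaks:", repr(run_attack(search_vulnerable)))
    print("fixed search leaks:", repr(run_attack(search_fixed)))
```

Against `search_vulnerable` the loop reconstructs the full password from nothing but match/no-match answers; against `search_fixed` no seed character is ever confirmed, which is the behaviour the patched versions restore.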

2023年9月22日 21:37 Data Breach – Security Affairs
Air Canada, the flag carrier and largest airline of Canada, announced that threat actors had access to the personal information of some employees during a recent cyberattack. “An […]
The post Information of Air Canada employees exposed in recent cyberattack appeared first on Security Affairs.
2023-09-22 21:36 Well-known Component CVE Monitoring
D-LINK DWL-6610 FW_v_4.3.0.8B003C was discovered to contain a command injection vulnerability in the function sub_2EF50. This vulnerability allows attackers to execute arbitrary commands via the manual-time-string parameter.

2023-09-22 21:35 Well-known Component CVE Monitoring
A new vulnerable component has been found; component ID: plone.rest. plone.rest allows users to use HTTP verbs such as GET, POST, PUT, DELETE, etc. in Plone. Starting in the 2.x branch and prior to versions 2.0.1 and 3.0.1, when the `++api++` traverser is accidentally used multiple times in a URL, handling it takes increasingly longer, making the server less responsive. Patches are available in `` 2.0.1 and 3.0.1. Series 1.x is not affected. As a workaround, one may redirect `/++api++/++api++` to `/++api++` in one's frontend web server (nginx, Apache).
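The advisory's workaround is a redirect in the front-end web server. As an added example (not plone.rest code, and not the nginx or Apache rule the advisory has in mind), the same normalisation is shown below as a WSGI middleware so it can be exercised offline; it goes slightly beyond the advisory by collapsing any run of consecutive `++api++` segments, not only the doubled one. The demo application, paths and query string are constructed.

```python
"""Added example (not plone.rest code): the advisory's workaround done as a
WSGI middleware. Any run of two or more consecutive /++api++ segments is
collapsed to one and the client receives a 301 to the normalised path.
The demo app and request paths are constructed for the example."""
import re

# Two or more consecutive "/++api++" path segments.
API_RUN = re.compile(r"(?:/\+\+api\+\+){2,}")


def collapse_api_traverser(path):
    """Return `path` with every run of repeated /++api++ reduced to one."""
    return API_RUN.sub("/++api++", path)


class CollapseApiTraverser:
    """WSGI middleware: redirect repeated ++api++ before the app sees it."""

    def __init__(self, app):
        self.app = app

    def __call__(self, environ, start_response):
        path = environ.get("PATH_INFO", "")
        fixed = collapse_api_traverser(path)
        if fixed != path:
            location = fixed
            qs = environ.get("QUERY_STRING", "")
            if qs:
                location += "?" + qs  # keep the original query string
            start_response("301 Moved Permanently",
                           [("Location", location), ("Content-Length", "0")])
            return [b""]
        return self.app(environ, start_response)


def demo_app(environ, start_response):
    """Stand-in for the Plone backend: echoes the path it was asked for."""
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [environ["PATH_INFO"].encode()]


def call(app, path, qs=""):
    """Invoke a WSGI app offline; returns (status, headers dict, body)."""
    captured = {}

    def start_response(status, headers, exc_info=None):
        captured["status"] = status
        captured["headers"] = dict(headers)

    environ = {"REQUEST_METHOD": "GET", "PATH_INFO": path, "QUERY_STRING": qs}
    body = b"".join(app(environ, start_response))
    return captured["status"], captured["headers"], body


wrapped_app = CollapseApiTraverser(demo_app)

if __name__ == "__main__":
    print(call(wrapped_app, "/++api++/++api++/news", "b_size=5"))
    print(call(wrapped_app, "/++api++/news"))
```

A redirect rather than a silent rewrite keeps the client's view of the URL consistent with what the server will actually traverse, which is why the advisory phrases the workaround that way.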

2023年9月22日 21:35 Light Blue Touchpaper
I was delighted by two essays by Anton Howes on The Replication Crisis in History and Open History. We computerists have long had an open culture: we make our publications open, as well as sharing the software we write and the data we analyse. My work on security economics and security psychology has taught me that … (Continue reading: Extending transparency, and happy birthday to the archive)
2023-09-22 21:31 Well-known Component CVE Monitoring
web\ViewAction in Yii (aka Yii2) 2.x before 2.0.5 allows attackers to execute any local .php file via a relative path in the view parameter.

2023-09-22 21:31 T00ls Forum
2023-09-22 21:11 GitHub Following
2023年9月22日 21:01 Github_POC
ESPv2 is a service proxy that provides API management capabilities using Google Service Infrastructure. ESPv2 2.20.0 through 2.42.0 contains an authentication bypass vulnerability. API clients can craft a malicious `X-HTTP-Method-Override` header value to bypass JWT authentication in specific cases. ESPv2 allows malicious requests to bypass authentication if both of the following conditions are true: the requested HTTP method is **not** in the API service definition (OpenAPI spec or gRPC `google.api.http` proto annotations), and the specified `X-HTTP-Method-Override` is a valid HTTP method in the API service definition. ESPv2 will forward the request to your backend without checking the JWT. Attackers can craft requests with a malicious `X-HTTP-Method-Override` value that allows them to bypass specifying JWTs. Restricting API access with API keys works as intended and is not affected by this vulnerability. Upgrade deployments to release v2.43.0 or higher to receive a patch. This release ensures that JWT authentication oc
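As an added example (not ESPv2 code), the Python below models the two conditions the advisory states. A service definition lists the (method, path) pairs the API exposes and whether each needs a JWT. The vulnerable dispatcher looks up the route for the original method, and only when that lookup fails falls back to `X-HTTP-Method-Override`, forwarding without the override route's JWT check; the fixed dispatcher resolves the override first and enforces the auth of the route actually being called. API-key enforcement, which the advisory says is unaffected, is not modelled. The paths, header values and the `jwt_valid` stand-in for a verified bearer token are constructed.

```python
"""Added example (not ESPv2 code): model of the X-HTTP-Method-Override
JWT bypass. Routes, paths and the jwt_valid flag are constructed."""
from dataclasses import dataclass, field


@dataclass
class Route:
    requires_jwt: bool


@dataclass
class Request:
    method: str
    path: str
    headers: dict = field(default_factory=dict)
    jwt_valid: bool = False  # stand-in for a verified Authorization: Bearer token


# Constructed service definition: only GET and DELETE exist for /v1/users,
# and DELETE requires a JWT.
SERVICE = {
    ("GET", "/v1/users"): Route(requires_jwt=False),
    ("DELETE", "/v1/users"): Route(requires_jwt=True),
}


def effective_method(req):
    """Method the backend will act on once the override header is applied."""
    return req.headers.get("X-HTTP-Method-Override", req.method).upper()


def dispatch_vulnerable(service, req):
    """Returns (status, method forwarded to the backend or None).
    Auth is decided from the route of the ORIGINAL method; when that method
    is undefined the override is honoured without any JWT check."""
    route = service.get((req.method.upper(), req.path))
    if route is None:
        override = effective_method(req)
        if (override, req.path) in service:
            return 200, override  # forwarded, JWT never examined
        return 404, None
    if route.requires_jwt and not req.jwt_valid:
        return 401, None
    return 200, req.method.upper()


def dispatch_fixed(service, req):
    """Resolve the override first, then enforce the auth of that route."""
    method = effective_method(req)
    route = service.get((method, req.path))
    if route is None:
        return 404, None
    if route.requires_jwt and not req.jwt_valid:
        return 401, None
    return 200, method


# Constructed requests: POST is not defined, so the override is reached.
MALICIOUS = Request("POST", "/v1/users", {"X-HTTP-Method-Override": "DELETE"})
HONEST_DELETE = Request("DELETE", "/v1/users")
AUTHED_DELETE = Request("DELETE", "/v1/users", jwt_valid=True)

if __name__ == "__main__":
    print("vulnerable:", dispatch_vulnerable(SERVICE, MALICIOUS))
    print("fixed:     ", dispatch_fixed(SERVICE, MALICIOUS))
```

The model also shows why the bug needs both conditions: a request whose original method is defined (for example GET with an override of DELETE) never reaches the fallback branch, so it is the undefined-method path that skips the check.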
2023年9月22日 19:38 Stories by SAFARAS K A on Medi
In this article I will explain what Cross-Site Scripting (XSS) is and show you how attackers can exploit XSS. For example, how an attacker can grab the victim’s stored browser passwords.
This article is for informational and educational purposes only, and for those who’re willing and curious to know and learn about Security and Penetration Testing. The content may not be used for illegal purposes. If you’re ready to learn something new for the good, then read on.
Cross-site scripting (XSS) is a web security vulnerability that allows attackers to compromise user interaction with vulnerable web applications. In a cross-site scripting attack, an attacker injects malicious browser-side script into a trusted website. Since the script runs on the target website, no Same Origin Policy (SOP) restrictions are triggered. Assuming the script comes from a trusted source, the script can access cookies, session tokens, or other sensitive information stored in 
2023-09-22 19:31 GitHub Following
The Network Execution Tool
2023-09-22 19:11 Tencent Xuanwu Lab Push
Analysis of Agniane Stealer
2023-09-22 19:11 Tencent Xuanwu Lab Push
Heap buffer overflow in the WebP image library
2023-09-22 19:11 Tencent Xuanwu Lab Push
Running AFL++ with high parallelism across multiple servers
2023-09-22 19:11 Tencent Xuanwu Lab Push
Advanced root-detection and bypass techniques, analysed using a root-detection app named RootDetector as the example
2023-09-22 19:11 Tencent Xuanwu Lab Push
Removing CrowdStrike Falcon's system hooks without VirtualProtect
2023-09-22 19:11 Tencent Xuanwu Lab Push
A new method for injecting a system CA certificate into Android 14
2023-09-22 19:11 Tencent Xuanwu Lab Push
A new way of distributing malicious packages on PyPI, and how package managers and security scanners resolve dependencies differently
2023-09-22 19:11 T00ls Forum
2023-09-22 19:11 Tencent Xuanwu Lab Push
ssl.SSLSocket is vulnerable to a TLS handshake bypass, treating unencrypted data that was sent as post-handshake TLS-encrypted data
2023-09-22 19:11 Tencent Xuanwu Lab Push
2023-09-22 18:51 freebuf
2023-09-22 18:51 360 Anquanke
2023-09-22 18:51 Kanxue Forum
2023-09-22 18:31 NSFOCUS Tech Blog
2023-09-22 17:51 GitHub Following
A simple tool for extracting files from iOS backup archives.
2023-09-22 17:39 NSFOCUS Tech Blog
Recently, NSFOCUS CERT observed that Yonyou published an official security advisory fixing a deserialization vulnerability in the ServiceDispatcher interface of Yonyou U8Cloud.
2023-09-22 17:39 NSFOCUS Tech Blog