Cybersecurity information flow

The Forminator plugin for WordPress is vulnerable to arbitrary file uploads due to file type validation occurring after a file has been uploaded to the server in the upload_post_image() function in versions up to, and including, 1.24.6. This makes it possible for unauthenticated attackers to upload arbitrary files on the affected site's server which may make remote code execution possible.
[GitHub]CVE-2023-4596 Vulnerable Exploit and Checker Version

" WordPress的Forminator插件由于在上传文件到服务器后才进行文件类型验证，因此存在 arbitrary file uploads 漏洞。此漏洞存在于 versions up to，包括1.24.6版本的upload_post_image()函数中。这使得未经身份验证的攻击者可以在受影响网站的服务器上上传任意文件，可能导致远程代码执行。\n[GitHub] CVE-2023-4596 漏洞利用与检查器版本"

Medtronic MyCareLink Smart 25000 all versions are vulnerable to a race condition in the MCL Smart Patient Reader software update system, which allows unsigned firmware to be uploaded and executed on the Patient Reader. If exploited an attacker could remotely execute code on the MCL Smart Patient Reader device, leading to control of the device.
[GitHub]A simulation of CVE-2020-27252 for CSC699.

" 麦迪逊MyCareLink Smart 25000所有版本均在MCL智能患者阅读器软件更新系统中的竞态条件中存在漏洞，这允许未经签名的固件在上传和执行患者阅读器。如果该漏洞被利用，攻击者可以在MCL智能患者阅读器设备上远程执行代码，从而导致设备失控。\n[GitHub]针对CSC699的CVE-2020-27252模拟。"

[GitHub]A simulation of CVE-2020-27252 for CSC699.

" [GitHub] 为CSC699模拟CVE-2020-27252。\n\n注：CVE-2020-27252 是一个通用漏洞索引（Common Vulnerabilities and Exposures，简称CVE）编号，CSC699可能是某门课程的编号。此处翻译为“为CSC699模拟CVE-2020-27252”，意为在一个名为CSC699的课程中模拟该漏洞。"

Cacti provides an operational monitoring and fault management framework. A command injection vulnerability on the 1.3.x DEV branch allows any unauthenticated user to execute arbitrary command on the server when `register_argc_argv` option of PHP is `On`. In `cmd_realtime.php` line 119, the `$poller_id` used as part of the command execution is sourced from `$_SERVER['argv']`, which can be controlled by URL when `register_argc_argv` option of PHP is `On`. And this option is `On` by default in many environments such as the main PHP Docker image for PHP. Commit 53e8014d1f082034e0646edc6286cde3800c683d contains a patch for the issue, but this commit was reverted in commit 99633903cad0de5ace636249de16f77e57a3c8fc.
[GitHub]CVE-2024-29895 | RCE on CACTI 1.3.X dev

" Cacti提供了一个运营监控和故障管理框架。1.3.x DEV分支上的命令注入漏洞允许任何未认证的用户在PHP的`register_argc_argv`选项设置为`On`时，在服务器上执行任意命令。在`cmd_realtime.php`的第119行，用作命令执行部分之一的`$poller_id`来源于`$_SERVER['argv']，当`register_argc_argv`选项设置为`On`时，该值可以被URL控制。而在许多环境中，如PHP的主Docker镜像，这个选项默认就是`On`。 Commit 53e8014d1f082034e0646edc6286cde3800c683d包含了一个修复此问题的补丁，但该提交在commit 99633903cad0de5ace636249de16f77e57a3c8fc中被回滚。\n[GitHub]CVE-2024-29895 | CACTI 1.3.X dev上的RCE（远程代码执行）漏洞"

The com.solarized.firedown (aka Solarized FireDown Browser & Downloader) application 1.0.76 for Android allows a remote attacker to execute arbitrary JavaScript code via a crafted intent. com.solarized.firedown.IntentActivity uses a WebView component to display web content and doesn't adequately sanitize the URI or any extra data passed in the intent by any installed application (with no permissions).
[GitHub]CVE-2024-31974

" com.solarized.firedown（又称Solarized FireDown浏览器&下载器）应用程序1.0.76 for Android 通过一个精心构造的intent，允许远程攻击者执行任意JavaScript代码。com.solarized.firedown.IntentActivity 使用WebView组件显示网页内容，但对通过任何已安装应用程序（无权限）传递的URI或任何附加数据并未进行充分消毒。\n[GitHub]CVE-2024-31974"

Git is a revision control system. Prior to versions 2.45.1, 2.44.1, 2.43.4, 2.42.2, 2.41.1, 2.40.2, and 2.39.4, repositories with submodules can be crafted in a way that exploits a bug in Git whereby it can be fooled into writing files not into the submodule's worktree but into a `.git/` directory. This allows writing a hook that will be executed while the clone operation is still running, giving the user no opportunity to inspect the code that is being executed. The problem has been patched in versions 2.45.1, 2.44.1, 2.43.4, 2.42.2, 2.41.1, 2.40.2, and 2.39.4. If symbolic link support is disabled in Git (e.g. via `git config --global core.symlinks false`), the described attack won't work. As always, it is best to avoid cloning repositories from untrusted sources.
[GitHub]A submodule for exploiting CVE-2024-32002 vulnerability.

" Git 是一种版本控制系统。在 2.45.1、2.44.1、2.43.4、2.42.2、2.41.1、2.40.2 和 2.39.4 版本之前，可以利用 Git 中的一个漏洞来创建具有子模块的仓库，从而将文件写入 `.git/` 目录，而不是子模块的工作树。这允许在克隆操作仍在运行时编写一个钩子，使用户无法检查正在执行的代码。该问题已在 2.45.1、2.44.1、2.43.4、2.42.2、2.41.1、2.40.2 和 2.39.4 版本中修复。如果禁用了 Git 中的符号链接支持（例如通过 `git config --global core.symlinks false`），则所述攻击将无法生效。始终避免从不可信来源克隆仓库是最好的做法。\n[GitHub] 一个用于利用 CVE-2024-32002 漏洞的子模块。"

[GitHub]A submodule for exploiting CVE-2024-32002 vulnerability.

" [GitHub] 一个利用CVE-2024-32002漏洞的子模块。"

Go before 1.8.7, Go 1.9.x before 1.9.4, and Go 1.10 pre-releases before Go 1.10rc2 allow "go get" remote command execution during source code build, by leveraging the gcc or clang plugin feature, because -fplugin= and -plugin= arguments were not blocked.
[GitHub]CVE-2018-6574-go-get-RCE

" 在1.8.7之前的Go版本、1.9.x之前的Go 1.9.4版本以及Go 1.10预发布版本（直至Go 1.10rc2）中，通过利用gcc或clang插件功能，由于未对“-fplugin=”和“-plugin=”参数进行拦截，允许在源代码构建过程中执行“go get”远程命令。\n[GitHub]CVE-2018-6574-go-get-RCE"

Hi, it’s David with BHIS! You’ll be saying, “Wow,” every time you use this tool. It’s like a shammy. It’s like a towel. It’s like a sponge. A regular towel […]
The post Introducing Squeegee: The Microsoft Windows RDP Scraping Utility appeared first on Black Hills Information Security.

" 嗨，我是BHIS的David！每次使用这个工具，你都会惊叹不已。它像一块麂皮，像一条毛巾，像一块海绵。普通的毛巾 […]\n本文首次发布于Black Hills信息安全。\n\n介绍Squeegee：Microsoft Windows RDP刮刀实用程序。"

After a slow and painful 2024 Cap10K, I ran the HEB Sunshine Run 10K on May 5th in 1:05:53, just 22 seconds faster, but without pain or surprises. After months without running several hours per week, my fitness has definitely fallen off a cliff. I either need to get back to the treadmill or restartContinue reading "Spring 2024 Updates"

" 在艰难的2024年Cap10K之后，我于5月5日参加了HEB阳光跑，以1小时5分53秒的成绩完成，仅比上次快了22秒，但没有疼痛和惊喜。在连续几个月每周没有跑步几小时的情况下，我的体能确实下降了很多。我需要在跑步机上重新开始锻炼，或者重新启动户外跑步。\n\nspring 2024 更新：\n\n在经历了漫长而痛苦的2024年Cap10K之后，我于5月5日参加了HEB阳光跑，成绩为1小时5分53秒，仅仅比上次快了22秒。然而这次跑步过程没有疼痛，也没有令人惊讶的地方。在连续几个月里，由于每周跑步时间不足几小时，我的体能已经大幅下滑。我必须在跑步机上重新开始锻炼，或者重新启动户外跑步计划。"

In Spring Security versions 5.5.6 and 5.5.7 and older unsupported versions, RegexRequestMatcher can easily be misconfigured to be bypassed on some servlet containers. Applications using RegexRequestMatcher with `.` in the regular expression are possibly vulnerable to an authorization bypass.
[GitHub]CVE-2022-22978漏洞实例代码

" 在Spring Security版本5.5.6、5.5.7以及更早的不受支持的版本中，正则表达式请求匹配器（RegexRequestMatcher）可能被误配置以绕过某些servlet容器。使用正则表达式请求匹配器并包含`.`的应用程序可能存在授权绕过漏洞。\n[GitHub]CVE-2022-22978漏洞实例代码"

[GitHub]PoC for CVE-2024-27130

" [GitHub] 针对CVE-2024-27130的证明概念"

2024年4月30日，美国白宫发布《关于关键基础设施安全和弹性的国家安全备忘录》。

motikan2010 starred dependabot/dependabot-core · May 17, 2024 08:47
dependabot/dependabot-core
🤖 Dependabot's core logic for creating update PR's.
Ruby
4.3k Updated May 17

" motikan2010 星标 dependabot/dependabot-core · 2024年5月17日 08:47\ndependabot/dependabot-core\n🤖 创建更新 PR 的核心逻辑。\nRuby\n4.3k 更新于 May 17"

An issue was discovered in CMS Made Simple 2.2.8. It is possible with the News module, through a crafted URL, to achieve unauthenticated blind time-based SQL injection via the m1_idlist parameter.
[GitHub]CVE-2019-9054 exploit added support for python3 + bug fixes

" 在CMS Made Simple 2.2.8中发现了一个问题。通过精心构造的URL，新闻模块可能导致未经身份验证的盲目的基于时间的SQL注入，通过m1_idlist参数实现。\n[GitHub] CVE-2019-9054漏洞利用新增了对python3的支持+修复了bug。"

[GitHub]CVE-2024-31974

" [GitHub] CVE-2024-31974\n\n将上述链接中的英文翻译为中文，内容为：“GitHub上的CVE-2024-31974”。这是一个关于网络安全漏洞的标识，CVE（Common Vulnerabilities and Exposures）是公共漏洞和暴露的缩写，用于命名网络安全漏洞。此处表示2024年发现的某个漏洞，编号为31974。"

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in 8theme XStore allows SQL Injection.This issue affects XStore: from n/a through 9.3.5.
[GitHub](CVE-2024-33559) The XStore theme for WordPress is vulnerable to SQL Injection due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query

" 不恰当的对SQL命令中使用的特殊元素进行中和('SQL注入')漏洞在8主题XStore中允许SQL注入。此问题影响XStore：从n/a到9.3.5。\n[GitHub](CVE-2024-33559) 由于用户提供的参数不足的转义和现有SQL查询准备不足，WordPress的XStore主题易受SQL注入攻击。"

The mailSend function in the isMail transport in PHPMailer before 5.2.18 might allow remote attackers to pass extra parameters to the mail command and consequently execute arbitrary code via a \" (backslash double quote) in a crafted Sender property.
[GitHub]CVE-2016-10033 Wordpress 4.6 Exploit

" 在PHPMailer的isMail传输模块中的mailSend函数在5.2.18版本之前可能允许远程攻击者通过构造发送者属性中的\\\"（反斜杠双引号）向邮件命令传递额外参数，从而通过执行任意代码来攻击。\n[GitHub]CVE-2016-10033 Wordpress 4.6漏洞利用"

A vulnerability classified as critical has been found in karsany OBridge up to 1.3. Affected is the function getAllStandaloneProcedureAndFunction of the file obridge-main/src/main/java/org/obridge/dao/ProcedureDao.java. The manipulation leads to sql injection. The complexity of an attack is rather high. The exploitability is told to be difficult. Upgrading to version 1.4 is able to address this issue. The name of the patch is 52eca4ad05f3c292aed3178b2f58977686ffa376. It is recommended to upgrade the affected component. The identifier of this vulnerability is VDB-218376.
[GitHub]obride with CVE-2018-25075

" 发现了一个被列为严重的漏洞，位于karsany OBridge 1.3版本之前。受到影响的是文件obridge-main/src/main/java/org/obridge/dao/ProcedureDao.java中的getAllStandaloneProcedureAndFunction功能。该操作导致SQL注入。攻击的复杂度相当高。利用难度被认为较大。升级到1.4版本可以解决这个问题。补丁的名称是52eca4ad05f3c292aed3178b2f58977686ffa376。建议升级受影响的组件。此漏洞的标识符为VDB-218376。\n[GitHub] obride 与 CVE-2018-25075"

Topic: VSP Softtech - Blind Sql Injection Risk: Medium Text:********************************************************* #Exploit Title: VSP Softtech - Blind Sql Injection #Date: 2024-05-1...

" 主题：VSP Softtech - 盲注SQL注入风险：中等\n文本：*********************************************************\n# 漏洞名称：VSP Softtech - 盲注SQL注入\n# 日期：2024-05-1..."

Topic: Zope 5.9 Command Injection Risk: Medium Text:# Vulnerability Report ## Title: Command Argument Injection Vulnerability in Zope WSGI Instance Creation Script Leading to R...

" 主题：Zope 5.9 命令注入风险：中等\n\n文本：# 漏洞报告\n## 标题：Zope WSGI 实例创建脚本中的命令参数注入漏洞导致远程代码执行\n\n中等风险：在 Zope 5.9 中，WSGI 实例创建脚本中的命令注入漏洞可能导致远程代码执行。攻击者可以通过发送恶意构造的请求来利用此漏洞，从而在受影响的系统上执行任意代码。\n\n为确保安全，请及时更新至 Zope 5.9.1 版本，该版本已修复此漏洞。在安装更新之前，请确保备份您的数据和配置文件。更新完成后，请确保对您的系统进行安全审计，以确保不存在其他潜在的安全隐患。\n\n请注意，遵循最佳实践和安全规范是保护您的 Zope 服务器免受攻击的关键。我们建议您定期更新软件版本、限制用户权限、使用安全配置参数，并确保对所有可疑活动进行实时监控。如有需要，请随时联系我们获取更多安全建议。"

Topic: SAP Cloud Connector 2.16.1 Missing Validation Risk: Medium Text:SEC Consult Vulnerability Lab Security Advisory < 20240513-0 > == title: Tolerating Sel...

" 主题：SAP Cloud Connector 2.16.1 缺失验证风险：中等\n文本：SEC Consult 漏洞实验室安全咨询 <20240513-0>\n== 标题：容忍自我签名证书的SAP Cloud Connector 2.16.1存在中等风险的验证缺失\n\nSEC Consult 漏洞实验室警告：SAP Cloud Connector 2.16.1版本在处理自我签名证书时存在验证风险。未经授权的用户可能利用此漏洞实施中间人攻击，窃取或篡改数据。建议用户升级到最新版本以消除风险。"

Electronic prescription provider MediSecure in Australia suffered a ransomware attack likely originate from a third-party vendor. MediSecure is a company that provides digital health solutions, particularly focusing on secure electronic prescription delivery services in Australia. The company was forced to shut down its website and phone lines following a cyber attack, but it did not […]

" 澳大利亚的电子处方提供商MediSecure遭受了一起可能源自第三方供应商的勒索软件攻击。MediSecure是一家提供数字健康解决方案的公司，尤其在澳大利亚专注于安全电子处方交付服务。在遭受网络攻击后，该公司被迫关闭其网站和电话线路，但并未透露此次攻击的具体细节。"

Topic: Plantronics Hub 3.25.1 Arbitrary File Read Risk: High Text:# Exploit Title: Plantronics Hub 3.25.1 – Arbitrary File Read # Date: 2024-05-10 # Exploit Author: Farid Zerrouk from Deloi...

" 主题：Plantronics Hub 3.25.1 任意文件读取风险：高\n\n文本：# 漏洞名称：Plantronics Hub 3.25.1 – 任意文件读取\n# 日期：2024-05-10\n# 漏洞作者：Farid Zerrouk 来自 Deloi..."

Topic: CrushFTP Directory Traversal Risk: Medium Text:## Exploit Title: CrushFTP Directory Traversal ## Google Dork: N/A # Date: 2024-04-30 # Exploit Author: [Abdualhadi khalifa ...

The Tutor LMS Pro plugin for WordPress is vulnerable to unauthorized access of data, modification of data, loss of data due to a missing capability check on the 'get_calendar_materials' function. The plugin is also vulnerable to SQL Injection via the ‘year’ parameter of that function due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with subscriber-level permissions and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.
[GitHub]CVE-2024-4352 Tutor LMS Pro <= 2.7.0 - Missing Authorization to SQL Injection

" WordPress的Tutor LMS Pro插件存在数据未经授权访问、数据篡改以及因在'get_calendar_materials'函数中缺少能力检查而导致的数据丢失风险。该插件还因对用户提供的参数进行不足的转义和现有SQL查询准备不足，而容易受到SQL注入攻击，通过该函数的'year'参数。这使得经过身份验证的攻击者（具有订阅者级别权限及以上的用户）可以将附加的SQL查询添加到已存在的查询中，从而从数据库中提取敏感信息。\n\n[GitHub]CVE-2024-4352 Tutor LMS Pro <= 2.7.0 - 缺少SQL注入授权"

A spoofing vulnerability exists in the way Windows CryptoAPI (Crypt32.dll) validates Elliptic Curve Cryptography (ECC) certificates.An attacker could exploit the vulnerability by using a spoofed code-signing certificate to sign a malicious executable, making it appear the file was from a trusted, legitimate source, aka 'Windows CryptoAPI Spoofing Vulnerability'.
[GitHub]Demonstration of CVE-2020-0601 aka curveball. Based on the PoC's available at https://github.com/kudelskisecurity/chainoffools and https://github.com/ly4k/CurveBall

" 一种伪造漏洞存在于Windows CryptoAPI（Crypt32.dll）验证椭圆曲线密码学（ECC）证书的方式中。攻击者可以通过使用伪造的代码签名证书来签名恶意可执行文件，使其看似来自可信、合法的来源，即“Windows CryptoAPI伪造漏洞”。\n[GitHub]展示了CVE-2020-0601，也称为curveball。基于https://github.com/kudelskisecurity/chainoffools和https://github.com/ly4k/CurveBall上的证明文件。"

[GitHub]CVE-2024-4352 Tutor LMS Pro <= 2.7.0 - Missing Authorization to SQL Injection

" [GitHub] CVE-2024-4352 Tutor LMS Pro <= 2.7.0 - 缺失SQL注入授权\n\n（注：CVE-2024-4352 是漏洞编号，Tutor LMS Pro 是一款学习管理系统，2.7.0 是版本号，SQL 注入是一种攻击技术。）"

因为经常做一些自动化的工作，所以我会写一些脚本，不管是用无头浏览器去获取一些网站的内容，还是利用apple s […]

This is Part Two of the blog series, Offensive IoT for Red Team Implants, so if you have not read PART ONE, I would encourage you do to so first […]
The post Offensive IoT for Red Team Implants (Part 2) appeared first on Black Hills Information Security.

" 这是“红队植入物的进攻性物联网”系列博客的第二部分，所以如果你还没有阅读第一部分，我建议你先阅读一下 […]\n该文章首发于Black Hills Information Security。\n\n这是“红队植入物的进攻性物联网”系列博客的第二部分，如果你还没有阅读第一部分，我建议你先阅读 […]\n原文发表于Black Hills Information Security。"