• Re: Make your own backdoor: CFLAGS code injection, Makefile injection, pkg-config:
https://seclists.org/oss-sec/2024/q2/141
・ A new method of creating backdoors by exploiting vulnerabilities in pkg-config files and Makefiles
– SecTodayBot
• CVE-2024-24576: Analysis of the multi-language command injection vulnerability on Windows:
https://programlife.net/2024/04/14/cve-2024-24576-rust-command-injection-vulnerability/
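・ Introduces the command injection vulnerability affecting multiple programming languages on Windows (BatBadBut), recently disclosed by RyotaK of Flatt Security Inc. The vulnerability has a wide impact, affecting multiple programming languages including Rust, PHP, Python and Node.js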
– SecTodayBot
• flatpak CVE-2024-32462 : Sandbox escape via RequestBackground portal and CWE-88:
https://seclists.org/oss-sec/2024/q2/143
・ A new vulnerability in Flatpak, CVE-2024-32462, leads to a sandbox escape.
– SecTodayBot
• DOM element relationships - Shazzer:
https://shazzer.co.uk/vectors/661643e2ba182c3f1f1b4c1e
・ Discusses the relationships between DOM elements in web security techniques, particularly with respect to XSS vectors.
– SecTodayBot
• Online Fire Reporting System OFRS - SQL Injection Authentication Bypass:
https://dlvr.it/T5SZhs
・ Discloses an SQL injection vulnerability in an online fire reporting system
– SecTodayBot
• Non-Deterministic Nature of Prompt Injection:
https://research.nccgroup.com/2024/04/12/non-deterministic-nature-of-prompt-injection/
・ Discusses the non-deterministic nature of prompt injection and how it affects the identification and exploitation of vulnerabilities
– SecTodayBot
• Moodle 3.10.1 - Authenticated Blind Time-Based SQL Injection - "sort" parameter:
https://dlvr.it/T5QXhG
・ Introduces a new time-based blind SQL injection vulnerability in Moodle
– SecTodayBot
• libreswan: IKEv1 default AH/ESP responder can crash and restart:
https://seclists.org/oss-sec/2024/q2/140
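・ A new vulnerability in the libreswan software, with a detailed analysis of its root cause. The vulnerability is tracked as CVE-2024-3652; although it cannot achieve remote code execution, it is still of medium severity.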
– SecTodayBot
• How a Race Condition Vulnerability Could Cast Multiple Votes:
https://www.hackerone.com/vulnerability-management/sherrets-race-condition?utm_medium=Organic-Social&utm_source=organic&utm_campaign=undefined&utm_content=Blog&utm_term=undefined
・ A detailed analysis of a race condition vulnerability
– SecTodayBot
• Ray OS 2.6.3 Command Injection:
https://packetstormsecurity.com/files/178034
・ Reveals a new vulnerability in Ray OS v2.6.3 (CVE-2023-6019), with a detailed analysis of the root cause of the command injection RCE
– SecTodayBot
* To view or search previously pushed content, visit:
https://sec.today
* Sina Weibo account: Tencent Xuanwu Lab
https://weibo.com/xuanwulab