Daily Security Digest (4-19)
2024-4-19 17:53:40 Author: mp.weixin.qq.com (view original) Reads: 5 Favorites

Tencent Security Xuanwu Lab Daily News

• Re: Make your own backdoor: CFLAGS code injection, Makefile injection, pkg-config:
https://seclists.org/oss-sec/2024/q2/141

   ・ A new approach to planting backdoors by exploiting weaknesses in pkg-config files and Makefiles – SecTodayBot

• CVE-2024-24576 Windows 下多语言命令注入漏洞分析:
https://programlife.net/2024/04/14/cve-2024-24576-rust-command-injection-vulnerability/

   ・ Describes the command injection vulnerability (BatBadBut) affecting multiple programming languages on Windows, recently disclosed by RyotaK of Flatt Security Inc. The vulnerability has a broad impact, affecting Rust, PHP, Python, Node.js and other languages – SecTodayBot

• flatpak CVE-2024-32462 : Sandbox escape via RequestBackground portal and CWE-88:
https://seclists.org/oss-sec/2024/q2/143

   ・ A new vulnerability in Flatpak, CVE-2024-32462, leads to a sandbox escape. – SecTodayBot

• DOM element relationships - Shazzer:
https://shazzer.co.uk/vectors/661643e2ba182c3f1f1b4c1e

   ・ Discusses the relationships between DOM elements in web security, particularly with respect to XSS vectors. – SecTodayBot

• Online Fire Reporting System OFRS - SQL Injection Authentication Bypass:
https://dlvr.it/T5SZhs

   ・ Discloses a SQL injection vulnerability in an online fire reporting system – SecTodayBot

• Non-Deterministic Nature of Prompt Injection:
https://research.nccgroup.com/2024/04/12/non-deterministic-nature-of-prompt-injection/

   ・ Discusses the non-deterministic nature of prompt injection and how this affects the identification and exploitation of the vulnerability – SecTodayBot

• Moodle 3.10.1 - Authenticated Blind Time-Based SQL Injection - "sort" parameter:
https://dlvr.it/T5QXhG

   ・ Describes a new time-based blind SQL injection vulnerability in Moodle – SecTodayBot

• libreswan: IKEv1 default AH/ESP responder can crash and restart:
https://seclists.org/oss-sec/2024/q2/140

   ・ A new vulnerability in the libreswan software, with a detailed analysis of its root cause. Assigned CVE-2024-3652; although it does not allow remote code execution, it is still rated medium severity. – SecTodayBot

• How a Race Condition Vulnerability Could Cast Multiple Votes:
https://www.hackerone.com/vulnerability-management/sherrets-race-condition?utm_medium=Organic-Social&utm_source=organic&utm_campaign=undefined&utm_content=Blog&utm_term=undefined

   ・ Detailed analysis of a race condition vulnerability – SecTodayBot

• Ray OS 2.6.3 Command Injection:
https://packetstormsecurity.com/files/178034

   ・ Reveals a new vulnerability in Ray OS v2.6.3 (CVE-2023-6019), with a detailed root-cause analysis of the command injection RCE – SecTodayBot

* To view or search past digests, visit:
https://sec.today

* Sina Weibo account: Tencent Xuanwu Lab
https://weibo.com/xuanwulab


Article source: https://mp.weixin.qq.com/s?__biz=MzA5NDYyNDI0MA==&mid=2651959608&idx=1&sn=8e558bf5fc70798f2210a04618503599&chksm=8baed1a7bcd958b170fa0692d848c0754e82bc1c5c5781c5c7fe7f125b3d04875d4f854ee656&scene=58&subscene=0#rd