每日安全动态推送(7-11)
2024-7-11 14:44:33 Author: mp.weixin.qq.com(查看原文) 阅读量:9 收藏

Tencent Security Xuanwu Lab Daily News

• Pwn2Own: WAN-to-LAN Exploit Showcase:
https://claroty.com/team82/research/pwn2own-wan-to-lan-exploit-showcase

   ・ 介绍了团队在Pwn2Own 2023 Toronto IoT黑客大赛中参与并利用TP-Link ER605路由器和Synology BC500 IP摄像头的经历。他们展示了如何通过广域网入侵设备并进入本地网络,以牵连物联网设备。 – SecTodayBot

• Hidden between the tags: Insights into spammers’ evasion techniques in HTML Smuggling:
https://blog.talosintelligence.com/hidden-between-the-tags-insights-into-evasion-techniques-in-html-smuggling/

   ・ 介绍了网络攻击者利用HTML附件或网页中嵌入编码或加密的JavaScript代码的技术 – SecTodayBot

• GitHub - arphanetx/Monocle: Tooling backed by an LLM for performing natural language searches against compiled target binaries. Search for encryption code, password strings, vulnerabilities, etc.:
https://github.com/arphanetx/Monocle

   ・ 一个新的用于对编译目标二进制文件进行自然语言搜索的工具,它使用大型语言模型来识别和评分满足搜索条件的代码区域。该工具可以在没有先验知识的情况下进行二进制分析搜索任务,是一种新的二进制分析搜索方法。 – SecTodayBot

• CVE-2024-33327:
https://seclists.org/fulldisclosure/2024/Jul/9

   ・ LumisXP软件中的一个新漏洞(CVE-2024-33327),该漏洞是一个未经身份验证的跨站脚本攻击(XSS)漏洞。  – SecTodayBot

• plORMbing your Prisma ORM with Time-based Attacks:
https://www.elttam.com/blog/plorming-your-primsa-orm/

   ・ 深入讨论了Prisma ORM的ORM Leak漏洞以及其利用方法,包括构建基于时间的攻击的方法和一个名为plormber的工具的发布。 – SecTodayBot

• GitHub - Mr-r00t11/CVE-2024-37081:
https://github.com/Mr-r00t11/CVE-2024-37081

   ・ 针对VMware vCenter的CVE-2024-37081漏洞的详细分析和利用方法 – SecTodayBot

* 查看或搜索历史推送内容请访问:
https://sec.today

* 新浪微博账号: 腾讯玄武实验室
https://weibo.com/xuanwulab


文章来源: https://mp.weixin.qq.com/s?__biz=MzA5NDYyNDI0MA==&mid=2651959733&idx=1&sn=b90bbeb6cee12a4f5789ff42369a885c&chksm=8baed12abcd9583cceaff27562e30c7552928e2d32c68526573c468a04cb294d89d752849084&scene=58&subscene=0#rd
如有侵权请联系:admin#unsafe.sh