Tencent Security Xuanwu Lab Daily News

• 0824: Safe Notes:
https://bugology.intigriti.io/intigriti-monthly-challenges/0824

   ・ 介绍了Intigriti八月挑战的一个安全笔记的赛题 – SecTodayBot

• Bypassing CSP via URL Parser Confusions : XSS on Netlify’s Image CDN:
https://sudhanshur705.medium.com/bypassing-csp-via-url-parser-confusions-xss-on-netlifys-image-cdn-755a27065fd9

   ・ 在Netlify的图像CDN上发现XSS漏洞并说明了如何绕过内容安全策略 – SecTodayBot

• IIS welcome page to source code review to LFI!:
https://medium.com/@omarahmed_13016/iis-welcome-page-to-source-code-review-to-lfi-23ec581049f5

   ・ 本文介绍了通过IIS欢迎页面到源代码审查再到LFI的过程，发现了eStreamChat开源软件存在LFI和盲SSRF漏洞。 – SecTodayBot

• CVE-2024-42815 (CVSS 9.8): Buffer Overflow Flaw in TP-Link Routers Opens Door to RCE:
https://securityonline.info/cve-2024-42815-cvss-9-8-buffer-overflow-flaw-in-tp-link-routers-opens-door-to-rce/

   ・ TP-Link routers存在关键漏洞(CVE-2024-42815)，可能导致远程执行代码。 – SecTodayBot

• Faraday: Open Source Vulnerability Manager:
https://meterpreter.org/faraday-open-source-vulnerability-manager/

   ・ Faraday是一个开源漏洞管理工具，专为安全审计和渗透测试设计 – SecTodayBot

• oss-security - [vim-security] heap-buffer-overflow in Vim > 9.1.0038 && < 9.1.0707:
https://openwall.com/lists/oss-security/2024/08/31/1

   ・ Vim软件存在堆缓冲区溢出漏洞，通过优化游标位置计算而引入，可能导致崩溃。该漏洞已在Vim patch v9.1.0707中修复。  – SecTodayBot

• CERT/CC Vulnerability Note VU#455367:
https://kb.cert.org/vuls/id/455367

   ・ UEFI框架中的PKfail漏洞被发现，允许攻击者绕过关键的UEFI安全机制 – SecTodayBot

• Ctrl+Backspace inserts a small box instead of erasing:
https://superuser.com/questions/33142/ctrlbackspace-inserts-a-small-box-instead-of-erasing#:~:text=The%20%22box%22%20you're%20seeing%20is%20what%20is%20known,characters%20in%20the%20128%20character%20ASCII%20character-encoding%20scheme

   ・ 何使用AutoHotkey来覆盖键盘快捷方式，这为定制安全工具和脚本提供了新方法。  – SecTodayBot

* 查看或搜索历史推送内容请访问：
https://sec.today

* 新浪微博账号：腾讯玄武实验室
https://weibo.com/xuanwulab