Security News

Re: Cyber Reasoning Systems

Daily Dave - 28 March, 2025 - 19:01

Posted by A K via Dailydave on Mar 28

Have you already reviewed https://github.com/open-crs ?

Three bypasses of Ubuntu's unprivileged user namespace restrictions

Full Disclosure - 27 March, 2025 - 13:46

Posted by Qualys Security Advisory via Fulldisclosure on Mar 27

Qualys Security Advisory

Three bypasses of Ubuntu's unprivileged user namespace restrictions

========================================================================
Contents
========================================================================

Summary
Bypass via aa-exec
Bypass via busybox
Bypass via LD_PRELOAD
Acknowledgments
Timeline (advisory sent to the Ubuntu Security Team on January 15, 2025)...

SQL Injection in Admin Functionality - dolphin.prov7.4.2

Full Disclosure - 24 March, 2025 - 23:10

Posted by Andrey Stoykov on Mar 24

# Exploit Title: SQL Injection in Admin Functionality - dolphin.prov7.4.2
# Date: 03/2025
# Exploit Author: Andrey Stoykov
# Version: 7.4.2
# Date: 03/2025
# Tested on: Debian 12
# Blog:
https://msecureltd.blogspot.com/2025/03/friday-fun-pentest-series-21-sql.html

SQL Injection in Admin Functionality:

Steps to Reproduce:

1. Login as admin user and visit the page of "http://192.168.58.170/dolphinCMS/administration/index.php?cat="
2....

Stored XSS via Send Message Functionality - dolphin.prov7.4.2

Full Disclosure - 24 March, 2025 - 23:10

Posted by Andrey Stoykov on Mar 24

# Exploit Title: Stored XSS via Send Message Functionality - dolphin.prov7.4.2
# Date: 03/2025
# Exploit Author: Andrey Stoykov
# Version: 7.4.2
# Date: 03/2025
# Tested on: Debian 12
# Blog:
https://msecureltd.blogspot.com/2025/03/friday-fun-pentest-series-20-stored-xss.html

Stored XSS via Send Message Functionality:

Steps to Reproduce:

1. Login and visit "http://192.168.58.170/dolphinCMS/mail.php?mode=compose"
2. Add...

APPLE-SA-03-11-2025-4 visionOS 2.3.2

Full Disclosure - 20 March, 2025 - 07:17

Posted by Apple Product Security via Fulldisclosure on Mar 20

APPLE-SA-03-11-2025-4 visionOS 2.3.2

visionOS 2.3.2 addresses the following issues.
Information about the security content is also available at
https://support.apple.com/122284.

Apple maintains a Security Releases page at
https://support.apple.com/100100 which lists recent
software updates with security advisories.

WebKit
Available for: Apple Vision Pro
Impact: Maliciously crafted web content may be able to break out of Web
Content sandbox....

APPLE-SA-03-11-2025-3 macOS Sequoia 15.3.2

Full Disclosure - 20 March, 2025 - 07:17

Posted by Apple Product Security via Fulldisclosure on Mar 20

APPLE-SA-03-11-2025-3 macOS Sequoia 15.3.2

macOS Sequoia 15.3.2 addresses the following issues.
Information about the security content is also available at
https://support.apple.com/122283.

Apple maintains a Security Releases page at
https://support.apple.com/100100 which lists recent
software updates with security advisories.

WebKit
Available for: macOS Sequoia
Impact: Maliciously crafted web content may be able to break out of Web
Content...

APPLE-SA-03-11-2025-2 iOS 18.3.2 and iPadOS 18.3.2

Full Disclosure - 20 March, 2025 - 07:17

Posted by Apple Product Security via Fulldisclosure on Mar 20

APPLE-SA-03-11-2025-2 iOS 18.3.2 and iPadOS 18.3.2

iOS 18.3.2 and iPadOS 18.3.2 addresses the following issues.
Information about the security content is also available at
https://support.apple.com/122281.

Apple maintains a Security Releases page at
https://support.apple.com/100100 which lists recent
software updates with security advisories.

WebKit
Available for: iPhone XS and later, iPad Pro 13-inch, iPad Pro 12.9-inch
3rd generation and...

APPLE-SA-03-11-2025-1 Safari 18.3.1

Full Disclosure - 20 March, 2025 - 07:17

Posted by Apple Product Security via Fulldisclosure on Mar 20

APPLE-SA-03-11-2025-1 Safari 18.3.1

Safari 18.3.1 addresses the following issues.
Information about the security content is also available at
https://support.apple.com/122285.

Apple maintains a Security Releases page at
https://support.apple.com/100100 which lists recent
software updates with security advisories.

WebKit
Available for: macOS Ventura and macOS Sonoma
Impact: Maliciously crafted web content may be able to break out of Web
Content...

CVE-2019-16261 (UPDATE): Unauthenticated POST requests to Tripp Lite UPS Systems

Full Disclosure - 20 March, 2025 - 07:17

Posted by Lucas Lalumière on Mar 20

[Author]: Lucas Lalumiere
[Contact]: lucas.lalum () gmail com
[Date]: 2025-3-17
[Vendor]: Tripp Lite
[Product]: SU750XL UPS
[Firmware]: 12.04.0052
[CVE Reference]: CVE-2019-16261

============================
Affected Products (Tested):
============================
- Tripp Lite PDU's (e.g., PDUMH15AT)
- Tripp Lite UPS's (e.g., SU750XL) *NEW*

======================
Vulnerability Summary:
======================
CVE-2019-16261 describes...

Multiple sandbox escapes in asteval python sandboxing module

Full Disclosure - 11 March, 2025 - 13:02

Posted by areca-palm via Fulldisclosure on Mar 11

[CVE pending]

Sandboxing Python is notoriously difficult, and the Python module "asteval" is no exception. Add to this the fact that a
large set of numpy functions are exposed within the sandbox by default.
Versions <=1.06 are vulnerable.
This vuln has been disclosed to the maintainer, who closed the security advisory and has since pushed his own fix to
master. A CVE is still pending. Publishing the vulnerability through this list...

Cyber Reasoning Systems

Daily Dave - 4 March, 2025 - 13:06

Posted by Dave Aitel via Dailydave on Mar 04

I continue to believe there are a lot of interesting questions around
building cyber reasoning systems for vuln finding. Even the very basics
seem hard to study and understand, and the eval datasets available
are....sparse or incomplete. For example, what you really want if you're
analyzing git repos is the commit a bug was introduced, and the commit it
was fixed. But usually you get "a commit where it maybe existed".

Likewise,...

SEC Consult SA-20250226-0 :: Multiple vulnerabilities in Siemens A8000 CP-8050 & CP-8031 PLC

Full Disclosure - 27 February, 2025 - 08:56

Posted by SEC Consult Vulnerability Lab via Fulldisclosure on Feb 27

SEC Consult Vulnerability Lab Security Advisory < 20250226-0 >
=======================================================================
title: Multiple Vulnerabilities
product: Siemens A8000 CP-8050 PLC
Siemens A8000 CP-8031 PLC
vulnerable version: <05.40 for Vulnerability 1, <05.30 for Vulnerability 2
fixed version: 05.40 for Vulnerability 1, 05.30 for Vulnerability 2...

Re: MitM attack against OpenSSH's VerifyHostKeyDNS-enabled client

Full Disclosure - 27 February, 2025 - 08:56

Posted by Jordy Zomer on Feb 27

Hey all,

First of all, cool findings! I've been working on the CodeQL query and have a revised version that I think improves
accuracy and might offer some performance gains (though I haven't done rigorous benchmarking). The key change is the
use of `StackVariableReachability` and making sure that there's a path where `var` is not reassigned before taking a
`goto _;`. Ran it on an older database, found some of the same bugs...

MitM attack against OpenSSH's VerifyHostKeyDNS-enabled client

Full Disclosure - 20 February, 2025 - 23:27

Posted by Qualys Security Advisory via Fulldisclosure on Feb 20

Qualys Security Advisory

CVE-2025-26465: MitM attack against OpenSSH's VerifyHostKeyDNS-enabled
client

CVE-2025-26466: DoS attack against OpenSSH's client and server

========================================================================
Contents
========================================================================

Summary
Background
Experiments
Results
MitM attack against OpenSSH's VerifyHostKeyDNS-enabled client
DoS...

Self Stored XSS - acp2sev7.2.2

Full Disclosure - 20 February, 2025 - 23:27

Posted by Andrey Stoykov on Feb 20

# Exploit Title: Self Stored XSS - acp2sev7.2.2
# Date: 02/2025
# Exploit Author: Andrey Stoykov
# Version: 7.2.2
# Tested on: Ubuntu 22.04
# Blog:
https://msecureltd.blogspot.com/2025/02/friday-fun-pentest-series-19-self.html

Self Stored XSS #1:

Steps to Reproduce:

1. Visit "http://192.168.58.168/acp2se/mul/muladmin.php" and login with
"admin" / "adminpass"
2. In the field "Put the name of the new...

Python's official documentation contains textbook example of insecure code (XSS)

Full Disclosure - 20 February, 2025 - 23:16

Posted by Georgi Guninski on Feb 20

Python's official documentation contains textbook example of insecure code (XSS)

Date: 2025-02-18
Author: Georgi Guninski

===
form = cgi.FieldStorage()
if "name" not in form or "addr" not in form:
    print("<H1>Error</H1>")
    print("Please fill in the name and addr fields.")
    return
print("<p>name:", form["name"].value)
print("<p>addr:",...

Re: Netgear Router Administrative Web Interface Lacks Transport Encryption By Default

Full Disclosure - 17 February, 2025 - 23:10

Posted by Gynvael Coldwind on Feb 17

Hi,

This isn't really a problem a vendor can solve in firmware (apart from
offering configuration via cloud, which has its own issues).
Even if they enabled TLS/SSL by default, it would just give one a
false sense of security, since:
- the certificates would be invalid (public CAs don't give out certs for IP
addresses),
- they would be easy to clone (due to being self-signed and/or being easy
to extract from a similar device),
-...

on your child going to college in Christchurch, NZ and velvet worms

Daily Dave - 11 February, 2025 - 17:15

Posted by Dave Aitel via Dailydave on Feb 11

*on your child going to college in Christchurch, NZ and velvet worms*

By mid‑August the garden already practices absence — stems turning hollow,
the robin leaving its notes hanging in the air like torn corners of a song.
Under the chirp of palmetto bugs, a log eases itself back into earth.
Inside, hidden from the light, a velvet worm does the impossible: offers
herself to a spill of pale, blind threads. For days she is nothing but
hunger...