Aggregator

作者深夜进行最后一次recon扫描时意外发现大量敏感数据，包括.git/目录、源代码和admin凭证，并通过多种工具和技术成功提取了这些信息。

sudo存在新漏洞，允许本地用户通过--chroot选项逻辑缺陷提升权限。该漏洞无需内存破坏，利用边界信任即可绕过安全限制。

Google发布Chrome安全更新修复零日漏洞CVE-2025-6554。该漏洞由V8引擎类型混淆引起，允许攻击者通过恶意HTML页面执行任意代码或读写内存。影响版本为138.0.7204.96之前的Windows、macOS和Linux版本。此漏洞可能被用于植入间谍软件或执行恶意代码。

某人在探索应用网站地图时意外发现 Swagger 接口，通过 Wayback Machine 查找历史快照并访问后发现完整的后端逻辑。

作者通过使用工具ShrewdEye发现LG的一个活跃子域名，并从中寻找潜在漏洞，目标是获得LG的感谢信而非漏洞奖金。

从403 Forbidden页面入手，通过HTTP方法欺骗、WAF绕过和伪造IP等手段获得访问权限。随后利用API调用和用户角色切换实现权限提升，并获取敏感API密钥导致系统全面被攻陷。案例强调安全配置的重要性。

GitLab与ZenTao集成存在XSS漏洞,攻击者通过控制API响应注入恶意脚本,影响自托管GitLab实例,源于后端清理不足及缺乏CSP保护。

作者利用Shodan搜索port:8080 Jenkins，发现200多个暴露的Jenkins服务器，多数未受保护。

A vulnerability was found in Tenda AC1206 15.03.06.23. It has been rated as critical. This issue affects the function formSetMacFilterCfg of the file /goform/setMacFilterCfg. The manipulation of the argument deviceList leads to stack-based buffer overflow. The identification of this vulnerability is CVE-2025-7544. The attack may be initiated remotely. Furthermore, there is an exploit available.

A vulnerability was found in IBM Storage Scale 5.2.3.0/5.2.3.1. It has been declared as problematic. This vulnerability affects unknown code of the component SMB Protocol Handler. The manipulation leads to insecure inherited permissions. This vulnerability was named CVE-2025-36104. The attack can be initiated remotely. There is no exploit available. It is recommended to upgrade the affected component.

A vulnerability has been found in Gaya Design Comicsense and classified as critical. This vulnerability affects unknown code of the file index.php. The manipulation of the argument epi leads to sql injection. This vulnerability was named CVE-2007-3088. The attack can be initiated remotely. Furthermore, there is an exploit available.

Submit #614089 / VDB-316241

Госдепу очень интересно, что ты лайкал три года назад. И да, мемы проверят тоже.

A vulnerability was found in Mrcgiguy Hot Links SQL-PHP up to 3. It has been classified as critical. This affects an unknown part of the file news.php. The manipulation of the argument newsphp leads to sql injection. This vulnerability is uniquely identified as CVE-2008-7120. It is possible to initiate the attack remotely. Furthermore, there is an exploit available.

作者因旧笔记本电脑性能问题决定购买新13英寸Framework笔记本（约2500美元），资金由curl基金和个人众筹提供。若众筹超1000美元可升级配置。捐赠者可获得笔记本贴标机会。主要用于旅行和会议。

Cybersecurity researchers have discovered a serious security issue that allows leaked Laravel APP_KEYs to be weaponized to gain remote code execution capabilities on hundreds of applications. "Laravel's APP_KEY, essential for encrypting sensitive data, is often leaked publicly (e.g., on GitHub)," GitGuardian said. "If attackers get access to this key, they can exploit a deserialization flaw to

Люди слишком дорого думают? Как сэкономить полмиллиарда на колл-центрах.

A vulnerability was found in Microsoft Windows. It has been declared as critical. This vulnerability affects unknown code of the component Universal Plug/Play. The manipulation leads to use after free. This vulnerability was named CVE-2025-48821. The attack can only be done within the local network. There is no exploit available. It is recommended to apply a patch to fix this issue.

A vulnerability classified as problematic has been found in Microsoft Windows. Affected is an unknown function of the component Cryptographic Services. The manipulation leads to information disclosure. This vulnerability is traded as CVE-2025-48823. It is possible to launch the attack remotely. There is no exploit available. It is recommended to apply a patch to fix this issue.