0dayfans.com (173.236.166.1)

Submitted URL: http://0dayfans.com/
Effective URL: https://0dayfans.com/
Submission: On November 25 via manual from RU — Scanned from DE

Project Zero Bug Tracker
November 24 2022 @ 5:38 PM

Chrome: heap-use-after-free in blink::LocalFrameView::PerformLayout (incomplete
fix for CVE-2022-3199)

Ruby - HackerOne
November 24 2022 @ 2:01 AM
htokumaru
high - HTTP response splitting (HTTP header injection) in Ruby's CGI library leaks secret information
PoC1:
```ruby
#!/usr/bin/env ruby
require 'cgi'
cgi = CGI.new
url = "http://example.jp\r\nSet-Cookie: foo=bar;" # External Parameter
print cgi.header({'status' => '302 Found', 'Location' => url})
```
Actual Result1:
```
$ curl -s -i http://localhost:8080/cgi-bin/cgi.ru
HTTP/1.1 302 Found
Date: Fri, 21 May 2021 00:46:33 GMT
Server: Apache/2.2.31 (Unix)
Set-Cookie: foo=bar;
Location:...
```

Zero Day Initiative
November 23 2022 @ 4:34 PM
Trend Micro Research Team
CVE-2022-40300: SQL Injection in ManageEngine Privileged Access Management
In this excerpt of a Trend Micro Vulnerability Research Service vulnerability
report, Justin Hung and Dusan Stevanovic of the Trend Micro Research Team detail
a recently patched SQL injection vulnerability in Zoho ManageEngine products.
The bug is due to improper validation of resource types in the

Windows Internals Blog
November 23 2022 @ 2:27 PM
Yarden Shafir
An End to KASLR Bypasses?
Edit: this post initially discussed the new changes only in the context of KASLR
bypasses. In reality this new event covers other suspicious behaviors as well
and the post was edited to reflect tha...

Synacktiv
November 23 2022 @ 10:59 AM

A dive into Microsoft Defender for Identity
We recently analyzed the detection capabilities of Microsoft Defender for
Identity, a cloud-based security solution which is the successor of Microsoft
Advanced Threat Analytics and part of Microsoft

MDSec
November 23 2022 @ 10:00 AM
Admin
Nighthawk: With Great Power Comes Great Responsibility
Recently, Proofpoint released a blog post entitled Nighthawk: An Up-and-Coming
Pentest Tool Likely to Gain Threat Actor Notice. In this post, Proofpoint
outlined a campaign used by a legitimate red...

Project Zero
November 22 2022 @ 9:56 PM
Google Project Zero
Mind the Gap
By Ian Beer, Project Zero Note: The vulnerabilities discussed in this blog post
(CVE-2022-33917) are fixed by the upstream vendor, but...

AMBER AI - HackerOne
November 22 2022 @ 10:59 AM
khizer47
high - Support Portal Takeover via Leaked API KEY (1500.00USD)
Thanks @khizer47 for the report. An insecure Zendesk API token was hardcoded in a JS
file, causing the support portals to lose control of administrator rights. We
removed the dangerous token and controlled permissions by using a more secure OAuth
token.

SSD Secure Disclosure
November 22 2022 @ 9:12 AM
SSD Disclosure / Technical Lead
SSD Advisory – NETGEAR R7800 AFPD PreAuth
A pre-authentication vulnerability in the NETGEAR AFPD (Apple Filing Protocol
daemon) process allows LAN-side attackers to overflow a buffer in the product.

talosintelligence.com
November 22 2022 @ 3:40 PM

Callback technologies CBFS Filter handle_ioctl_8314C null pointer dereference
vulnerability
Discovered by Emmanuel Tacheau of Cisco Talos. SUMMARY A null pointer
dereference vulnerability exists in the handle_ioctl_8314C functionality of
Callback technologies CBFS Filter 20.0.8317. A spec...

talosintelligence.com
November 22 2022 @ 3:40 PM

Callback technologies CBFS Filter handle_ioctl_83150 null pointer dereference
vulnerability
Discovered by Emmanuel Tacheau of Cisco Talos. SUMMARY A null pointer
dereference vulnerability exists in the handle_ioctl_83150 functionality of
Callback technologies CBFS Filter 20.0.8317. A spec...

talosintelligence.com
November 22 2022 @ 3:40 PM

Callback technologies CBFS Filter handle_ioctl_0x830a0_systembuffer null pointer
dereference vulnerability
Discovered by Emmanuel Tacheau of Cisco Talos. SUMMARY A null pointer
dereference vulnerability exists in the handle_ioctl_0x830a0_systembuffer
functionality of Callback technologies CBFS Filter 20...

Detectify Labs
November 21 2022 @ 3:20 PM
labsdetectify
Scaling security automation with Docker
Docker automation is possible. Gunnar Andrews discusses how ethical hackers can
scale their automation workflow by using Docker.

Project Zero Bug Tracker
November 17 2022 @ 10:03 PM

AppleAVD: Memory Corruption in AppleAVDUserClient::decodeFrameFig

Project Zero Bug Tracker
November 17 2022 @ 10:03 PM

AppleAVD: Missing surface lock in deallocateKernelMemoryInternal

NCC Group Research
November 17 2022 @ 4:46 PM
Jon Szymaniak
Technical Advisory – NXP i.MX SDP_READ_DISABLE Fuse Bypass (CVE-2022-45163)
Vendor: NXP Semiconductors Vendor URL: Affected Devices: i.MX RT 101x, i.MX
RT102x, i.MX RT1050/6x, i.MX 6 Family, i.MX 7 Family, i.MX8M Quad/Mini, Vybrid
Author: Jon Szymaniak <jon.szymaniak(at

Praetorian
November 17 2022 @ 2:14 PM
emmaline
People Are People: Gender Equality at Praetorian
Equity-based policies reinforce a cultural meritocracy. A person's gender has
nothing to do with their success or failure here.

Zero Day Initiative
November 16 2022 @ 4:29 PM
Piotr Bazydło
Control Your Types or Get Pwned: Remote Code Execution in Exchange PowerShell
Backend
By now you have likely already heard about the in-the-wild exploitation of
Exchange Server, chaining CVE-2022-41040 and CVE-2022-41082. It was originally
submitted to the ZDI program by the researcher known as
DA-0x43-Dx4-DA-Hx2-Tx2-TP-S-Q from GTSC. After successful validation, it was
immediately

Cloudflare Public Bug Bounty - HackerOne
November 16 2022 @ 9:21 AM
joshatmotion
high - Ability to bypass locked Cloudflare WARP on wifi networks. (1000.00USD)
Using warp-cli command "add-trusted-ssid", a user was able to disconnect WARP
client and bypass the "Lock WARP switch" feature resulting in Zero Trust
policies not being enforced on an affected endpoint.

GitLab - HackerOne
November 16 2022 @ 1:45 AM
yvvdwf
critical - RCE via github import (33510.00USD)
Hello, while continuing mining on [github
import](https://hackerone.com/reports/1665658), I found a vulnerability on
gitlab.com allowing arbitrary commands to be executed remotely. GitLab uses Octokit
to get data from github.com. Octokit uses
[Sawyer::Resource](https://github.com/lostisland/sawyer/blob/master/lib/sawyer/resource.rb)
to represent results. Sawyer is a crazy class that...

GitLab - HackerOne
November 16 2022 @ 1:45 AM
yvvdwf
high - CSP-bypass XSS in project settings page (10270.00USD)
### Summary
This javascript
[function](https://gitlab.com/gitlab-org/gitlab/-/blob/85fbd72dc08bcedcb9fe80fad4df798e9527ded8/app/assets/javascripts/projects/settings/access_dropdown.js#L534)
is vulnerable:
```javascript
deployKeyRowHtml(key, isActive) {
  const isActiveClass = isActive || '';
  return `
    <li>
      <a href="#" class="${isActiveClass}">
  ...
```

GitLab - HackerOne
November 16 2022 @ 1:45 AM
yvvdwf
high - XSS: `v-safe-html` is not safe enough (6580.00USD)
The `v-safe-html` directive uses DOMPurify [to
remove](https://gitlab.com/gitlab-org/gitlab-ui/-/blob/9f1bcb1f7392d4d6d072f10197c2aab2c29c3287/src/directives/safe_html/constants.js#L3)
the `'data-remote', 'data-url', 'data-type', 'data-method'` attributes from HTML
tags. Rails-js relies on another attribute,...

GitLab - HackerOne
November 16 2022 @ 1:45 AM
cryptopone
high - New /add_contacts /remove_contacts quick commands susceptible to XSS from
Customer Contact firstname/lastname fields (13950.00USD)
### Summary
In GitLab 15.0.0 a new Customer Relations feature was added that
allows us to use quick actions to find the contact we wish to select. However, I
noticed that if I set the contact's first name or last name to
<script>alert(document.domain)</script> we can get the XSS to trigger when we
are attempting to use the quick commands to add/remove a contact.
### Steps to reproduce
1....

gts3.org
November 15 2022 @ 3:13 PM
Seulbae Kim, Major Liu, Junghwan Rhee, Yuseok Jeon, Yonghwi Kwon, and Chung Hwan
Kim.
DriveFuzz: Discovering Autonomous Driving Bugs through Driving Quality-Guided
Fuzzing (to appear)

gts3.org
November 15 2022 @ 3:13 PM
Seulbae Kim, and Taesoo Kim.
RoboFuzz: Fuzzing Robotic Systems over Robot Operating System (ROS) for Finding
Correctness Bugs (to appear)

PortSwigger Research
November 15 2022 @ 2:11 PM

Stealing passwords from infosec Mastodon - without bypassing CSP
The story of how I could steal credentials on Infosec Mastodon with a HTML
injection vulnerability, without needing to bypass CSP. Everybody on our Twitter
feed seemed to be jumping ship to the infose

talosintelligence.com
November 15 2022 @ 9:20 PM

Microsoft Office class attribute double-free vulnerability
Discovered by Marcin 'Icewall' Noga of Cisco Talos. SUMMARY A double-free
vulnerability exists in the class attribute functionality of Microsoft Office
Excel 2019 x86 - version 2207 build 15427.202...

blog.doyensec.com
November 15 2022 @ 10:35 AM

Let's speak AJP
Doyensec's Blog :: Doyensec is an independent security research and development
company focused on vulnerability discovery and remediation.

Project Zero Bug Tracker
November 14 2022 @ 2:00 PM

Double-free in libxml2 when parsing default attributes

Project Zero Bug Tracker
November 14 2022 @ 1:45 PM

libxml2: Integer overflow in xmlParseNameComplex

SSD Secure Disclosure
November 14 2022 @ 1:15 PM
SSD Disclosure / Technical Lead
SSD Advisory – Cisco Secure Manager Appliance jwt_api_impl Hardcoded JWT Secret
Elevation of Privilege
A vulnerability allows remote attackers to elevate privileges on affected
installations of Cisco Secure Manager Appliance and Cisco Email Security
Appliance. Authentication is required to exploit this vulnerability. The
specific flaw exists within the jwt_api_impl module. The issue results from the
usage of a static secret key to generate JWT tokens. An attacker can leverage
this vulnerability to impersonate any user of the target server.

SSD Secure Disclosure
November 14 2022 @ 1:15 PM
SSD Disclosure / Technical Lead
SSD Advisory – Cisco Secure Manager Appliance remediation_request_utils SQL
Injection Remote Code Execution
This vulnerability allows remote attackers to execute arbitrary code on affected
installations of Cisco Secure Manager Appliance and Cisco Email Security
Appliance. Authentication as a high-privileged user is required to exploit this
vulnerability. The specific flaw exists within the remediation_request_utils
module. The issue results from the lack of proper validation of user-supplied
data, which can result in SQL injection. An attacker can leverage this
vulnerability to execute code in the context of root.

Project Zero Bug Tracker
November 14 2022 @ 9:06 AM

node-saml: Signature bypass via multiple root elements

Reddit - HackerOne
November 14 2022 @ 4:24 AM
41bin
high - Admin can create a hidden admin account which even the owner can not
detect and remove and do administrative actions on the application. (5000.00USD)
ads.reddit.com is an ads creating and managing application for reddit. The
application has the feature to invite other members to the organization and give
different roles at ad management. Testing around the role management
functionalities, I have noticed that a user with the same email can get invited
to the same organization multiple times if the user is assigned with different
roles. So,...

Equifax - HackerOne
November 13 2022 @ 3:51 PM
valluvarsploit_h1
high - Subdomain takeover at http://test.www.midigator.com
## Vulnerability
Subdomain test.www.midigator.com points to an AWS S3 bucket
that no longer exists. I was able to take control of this bucket and serve my
own content on it.
## Proof Of Concept
```
$ dig test.www.midigator.com
[snipped]
;; ANSWER...
```

TikTok - HackerOne
November 13 2022 @ 3:51 PM
datph4m
high - Business Suite "Get Leads" Resulting in Revealing User Email & Phone
A vulnerability within the Business Suite settings on an Android device could
have resulted in a user's email and/or phone number being revealed via the
"sec_user_id" parameter if their information is sent via "Get Leads". We thank
@datph4m for reporting this to our team.

Reddit - HackerOne
November 13 2022 @ 3:51 PM
saibalajis6
high - sensitive data exposure
## Summary:
A password hash entry was found in /etc/passwd. This is a major
vulnerability since /etc/passwd is a world-readable file by default. Once the
password hash is found, an attacker may extract the password using a program
like crack.
## Impact:
It is a high-impact vulnerability. Once a hacker finds the
password hash, it may lead to developing a program like crack.
## Steps To...

Project Zero Bug Tracker
November 10 2022 @ 9:43 AM

Windows Kernel out-of-bounds reads and other issues when operating on long
registry key and value names

Project Zero Bug Tracker
November 10 2022 @ 9:43 AM

Windows Kernel multiple memory corruption issues when operating on very long
registry paths

bugs.xdavidhu.me
November 10 2022 @ 8:41 AM
David Schütz
Accidental $70k Google Pixel Lock Screen Bypass
David Schütz's bug bounty writeups

talosintelligence.com
November 10 2022 @ 8:41 PM

Foxit Reader deletePages Field Calculate use-after-free vulnerability
Discovered by Aleksandar Nikolic of Cisco Talos. SUMMARY A use-after-free
vulnerability exists in the JavaScript engine of Foxit Software's PDF Reader,
version 12.0.1.12430. By prematurely deleting...

talosintelligence.com
November 10 2022 @ 8:41 PM

Foxit Reader annotation destroy use-after-free vulnerability
Discovered by Aleksandar Nikolic of Cisco Talos. SUMMARY A use-after-free
vulnerability exists in the JavaScript engine of Foxit Software's PDF Reader,
version 12.0.1.12430. By prematurely destroyi...

talosintelligence.com
November 10 2022 @ 8:41 PM

Foxit Reader openPlayer use-after-free vulnerability
Discovered by Aleksandar Nikolic of Cisco Talos. SUMMARY A use-after-free
vulnerability exists in the JavaScript engine of Foxit Software's PDF Reader,
version 12.0.1.12430. A specially-crafted PDF...

talosintelligence.com
November 10 2022 @ 8:41 PM

Foxit Reader Optional Content Group use-after-free vulnerability
Discovered by Aleksandar Nikolic of Cisco Talos. SUMMARY A use-after-free
vulnerability exists in the JavaScript engine of Foxit Software's PDF Reader,
version 12.0.1.12430. A specially-crafted PDF...

The GitHub Blog
November 09 2022 @ 5:33 PM
Thomas Dohmke
Everything new from GitHub Universe 2022 (Portuguese edition)
See what we are building to enhance the most integrated development platform,
one that lets developers and companies drive innovation more easily. Fifteen
years ago, the first line of code for building GitHub was being written. Since
then, the goal has been to equip [...]

The GitHub Blog
November 09 2022 @ 5:02 PM
Thomas Dohmke
Everything new from GitHub Universe 2022
See what we're building to enhance the most integrated developer platform that
allows developers and enterprises to drive innovation with ease.

Project Zero Bug Tracker
November 09 2022 @ 4:59 PM

Chrome: heap-use-after-free in
password_manager::WellKnownChangePasswordState::SetChangePasswordResponseCode

Praetorian
November 08 2022 @ 4:29 PM
emmaline
Inspector, or: How I Learned to Stop Worrying and Love Testing in Prod
Inspector is a continuous end-to-end testing solution to improve the reliability
of our scanning pipeline and address prior testing issues.

Project Zero Bug Tracker
November 08 2022 @ 10:53 AM

Windows Kernel memory corruption due to type confusion of subkey index leaves in
registry hives

Aiven Ltd - HackerOne
November 13 2022 @ 3:51 PM
jarij
critical - Apache Flink RCE via GET jar/plan API Endpoint (6000.00USD)
## Summary:
Aiven has not restricted access to the GET `jars/{jar_id}/plan` API.
This endpoint can be used to load Java class files with the specified arguments
that are in the Java classpath on the server. This can be abused to gain RCE on
the Apache Flink server.
## Steps To Reproduce:
The video below shows how to set up the Apache Flink instance and run the PoC.
Feel free to use my VPS...