"I'm interested in all kinds of astronomy."

i love css 💖

also shoutout to Fastmail for rolling out fixes for both reports in <48h
https://www.fastmail.com/bug-bounty/

#IBMi is affected by a user gaining elevated privileges due to an unqualified library call vulnerability in IBM Facsimile Support for i [CVE-2025-36004]

https://www.ibm.com/support/pages/node/7237732

Another one by @silentsignal !
[RSS] CFCamp 2025 Slides - Understanding CFML Vulnerabilities, Exploits, and Attack Paths

https://www.hoyahaxa.com/2025/06/cfcamp-2025-slides-understanding-cfml.html

#coldfusion
I updated the generated #Ghidra documentation I host for 11.4:

https://scrapco.de/ghidra_docs/

Here's the documentation for Decompiler Taint Operations:

https://scrapco.de/ghidra_docs/Features/DecompilerDependent/DecompilerTaint/DecompilerTaint.html
#Ghidra 11.4 released with support for (external) taint engines in the decompiler:

https://github.com/NationalSecurityAgency/ghidra/releases/tag/Ghidra_11.4_build

📢 @ERNW is preparing the venue for tomorrow's launch of in ! See you soon people! We are super excited! 🥳

@Viss @neurovagrant @dangoodin I think a better analogy would be Stagefright where target diversity was a major factor blocking widespread abuse IIRC: based on my recent experiments with side-channels, target HW can have significant effects.

FTR, this is an example of targeting end-user applications:

https://www.youtube.com/watch?v=ugZzQvXUTIk

And don't forget: as SW mitigations (or even HW assisted ones) get better, attackers may turn to more "painful" alternatives...
[RSS] Abusing copyright strings to trick software into thinking it's running on your competitor's PC

https://devblogs.microsoft.com/oldnewthing/20250624-00/?p=111299

#warez

So the VSCode terminal supports Sixel too (it displays when you enable terminal.integrated.experimentalImageSupport)


"We will respond to you in 5 days"

3 weeks later... No response.

Anyone who gets mad at people for going full disclosure has never had to deal with the bureaucratic maze of trying to get people to fix their things.


PSA: The new version of our browser extension now requires additional permissions to "change your privacy-related settings".

The new permissions are required so we can set KeePassXC as your default password manager backend. Unfortunately, there isn't a better name for this permission set.

@bagder Sounds plausible, although that sounds like lots of work to dig up an unrelated e-mail address :)

Remote code execution in CentOS Web Panel - CVE-2025-48703 https://fenrisk.com/rce-centos-webpanel

@bagder I'm dying to know
- what the problem was
- how did this person end up emailing you (are gasoline sensors queried with curl in Opel Astra??)

@buherator Well, I went ahead and set it up! At 3 addresses right away, because I couldn't decide.

If I had hair, I'd give myself a proper punk hairdo right now. flan_headbang
