A drunken debugger

Heretek of Silent Signal

JetBrains security advisory: Updates for security issue affecting IntelliJ-based IDEs 2023.1+ and JetBrains GitHub Plugin
A new security issue was discovered that affects the JetBrains GitHub plugin on the IntelliJ Platform, which could lead to disclosure of access tokens to third-party sites. CVE-2024-37051 (CVSSv3: 9.3 CRITICAL) GitHub access token could be exposed to third-party sites in JetBrains IDEs. No mention of exploitation.

h/t: @serghei See related Bleeping Computer reporting: JetBrains warns of IntelliJ IDE bug exposing GitHub access tokens


Happy Patch Tuesday from Adobe:

  • APSB24-27 : Security update available for Adobe Photoshop (1)
  • APSB24-28 : Security update available for Adobe Experience Manager (144 CVEs!! Someone's EXPERIENCING a lot of vulnerabilities if you know what I mean)
  • APSB24-32 : Security update available for Adobe Audition (2)
  • APSB24-34 : Security update available for Adobe Media Encoder (1)
  • APSB24-38 : Security update available for Adobe FrameMaker Publishing Server (2, and CVE-2024-30299 is a perfect 10.0 🥳)
  • APSB24-40 : Security update available for Adobe Commerce (10)
  • APSB24-41 : Security update available for Adobe ColdFusion (2)
  • APSB24-43 : Security update available for Adobe Substance 3D Stager (1)
  • APSB24-44 : Security update available for Adobe Creative Cloud Desktop (1)
  • APSB24-50 : Security update available for Adobe Acrobat Android (2)

No mention of exploitation.


You’d really think that the top seven blocked domains on @KagiHQ being @Pinterest indicate that a functional Google would have deboosted them years ago.

(I’m loving Kagi)


School's out, and so are the latest patches from . We're still waiting on the updates from . Check out the analysis from @TheDustinChilds as he breaks down the small release from Redmond. https://www.zerodayinitiative.com/blog/2024/6/11/the-june-2024-security-update-review


patches are out. Another small release. Still waiting on :-[ Let them patches out! I'll have my full analysis out soon.


[ZDI-24-598] (0Day) Microsoft Windows Incorrect Permission Assignment Information Disclosure Vulnerability (CVSS 7.7; Credit: Uncodable)
https://www.zerodayinitiative.com/advisories/ZDI-24-598/

[oss-security] CVE-2024-35235 cups: Cupsd Listen arbitrary chmod 0140777

"There is an assumption for exploitation that /etc/cups/cupsd.conf can be successfully edited (this has been omitted here as it is believed to be out of scope)"

https://seclists.org/oss-sec/2024/q2/277

Mozilla Foundation security advisories:

  • 2024-25 Security Vulnerabilities fixed in Firefox 127
  • 2024-26 Security Vulnerabilities fixed in Firefox ESR 115.12

15 vulnerabilities in Firefox 127. 8 vulnerabilities in Firefox ESR 115.12. No mention of exploitation.


Friendly reminder to submit to GreHack conference: https://grehack.fr/2024/cfp

What's different about GreHack?

- It's a simple one-track conference, but with a large audience (usually sold out)
- There's usually a mixture between academic and non-academic presentations. This is enlightening.

On the non-technical side: people are very welcoming, the food is nice (especially for vegetarians), you'll see the snowy Alps, there's an excellent CTF.


I’ve said it before and I’m saying it again. This is a common problem in vendors - the lack of understanding of the importance/value of new attack vector discovery research.

https://x.com/l33d0hyun/status/1800299745623367867

https://bird.makeup/@l33d0hyun/1800299745623367867


it has been nearly three months since the last valid report against

Just saying.

I bet you can't find anything to report.

🤠

"Since I'm 6 drinks in for 20 bucks, let me tell you all about the story of how the first Microsoft Office 2007 vulnerability was discovered, or how it wasn't."

Another epic thread by Laughing Mantis, unrolled (h/t @aprotas):

https://threadreaderapp.com/thread/1799457232607985698.html?s=09

[RSS] How 16-bit Windows cached INI files for performance

https://devblogs.microsoft.com/oldnewthing/20240605-00/?p=109852

Did anyone realize that already had a feature? 👀
