YouTube is currently experimenting with server-side ad injection. This means that the ad is being added directly into the video stream.

This breaks sponsorblock since now all timestamps are offset by the ad times.

For now, I set up the server to detect when someone is submitting from a browser with this happening and rejecting the submission to prevent the database from getting filled with incorrect submissions.

CVE-2024-29824 Deep Dive: Ivanti EPM SQL Injection Remote Code Execution Vulnerability, IOCs, and POC https://www.horizon3.ai/attack-research/attack-blogs/cve-2024-29824-deep-dive-ivanti-epm-sql-injection-remote-code-execution-vulnerability/

🆕 PrivescCheck update!

I realize that I haven't communicated about PrivescCheck in a while, although I implemented a bunch of new cool features recently. A few of them below:

➡️ Check for listing Attack Surface Reduction (ASR) rules enabled in Defender Exploit Guard.
➡️ SCCM cache folder paths are now enumerated using the registry, and browsed to identify potentially hardcoded credentials.
➡️ New "-Audit" option to enable configuration audit checks.
➡️ New "-Risky" option to manually enable checks that are likely to trigger EDR.

There are also other privilege escalation attack vectors I want to cover in the near future. Stay tuned! :)

👉 https://github.com/itm4n/PrivescCheck

#pentesting #windows #tools

microsoft: Exploit Code Unporoven

me: i literally gave you a compiled PoC and also exploit code

m$: No exploit code is available, or an exploit is theoretical.

me:

#exploiting a #heap #overflow #bug on #alpine with #musl libc in redis/lua/csjon (CVE-2022-24834)

https://research.nccgroup.com/2024/06/11/pumping-iron-on-the-musl-heap-real-world-cve-2022-24834-exploitation-on-an-alpine-mallocng-heap/

JetBrains security advisory: Updates for security issue affecting IntelliJ-based IDEs 2023.1+ and JetBrains GitHub Plugin
A new security issue was discovered that affects the JetBrains GitHub plugin on the IntelliJ Platform, which could lead to disclosure of access tokens to third-party sites. CVE-2024-37051 (CVSSv3: 9.3 CRITICAL) GitHub access token could be exposed to third-party sites in JetBrains IDEs. No mention of exploitation.

h/t: @serghei See related Bleeping Computer reporting: JetBrains warns of IntelliJ IDE bug exposing GitHub access tokens

#CVE_2024_37051 #JetBrains #IntelliJ #GitHub

Happy Patch Tuesday from Adobe:

• APSB24-27 : Security update available for Adobe Photoshop (1)
• APSB24-28 : Security update available for Adobe Experience Manager (144 CVEs!! Someone's EXPERIENCING a lot of vulnerabilities if you know what I mean)
• APSB24-32 : Security update available for Adobe Audition (2)
• APSB24-34 : Security update available for Adobe Media Encoder (1)
• APSB24-38 : Security update available for Adobe FrameMaker Publishing Server (2, and CVE-2024-30299 is a perfect 10.0 🥳)
• APSB24-40 : Security update available for Adobe Commerce (10)
• APSB24-41 : Security update available for Adobe ColdFusion (2)
• APSB24-43 : Security update available for Adobe Substance 3D Stager (1)
• APSB24-44 : Security update available for Adobe Creative Cloud Desktop (1)
• APSB24-50 : Security update available for Adobe Acrobat Android (2)

No mention of exploitation.

#PatchTuesday #Adobe #CVE #vulnerability #Acrobat #Photoshop #ColdFusion

You’d really think that the top seven blocked domains on @KagiHQ being @Pinterest indicate that a functional Google would have deboosted them years ago.

(I’m loving Kagi)

School's out, and so are the latest patches from #Microsoft. We're still waiting on the updates from #Adobe. Check out the analysis from @TheDustinChilds as he breaks down the small release from Redmond. https://www.zerodayinitiative.com/blog/2024/6/11/the-june-2024-security-update-review

#Microsoft patches are out. Another small release. Still waiting on #Adobe :-[ Let them patches out! I'll have my full analysis out soon. #PatchTuesday

[ZDI-24-598] (0Day) Microsoft Windows Incorrect Permission Assignment Information Disclosure Vulnerability (CVSS 7.7; Credit: Uncodable)
https://www.zerodayinitiative.com/advisories/ZDI-24-598/

Mozilla Foundation security advisories:

• 2024-25 Security Vulnerabilities fixed in Firefox 127
• 2024-26 Security Vulnerabilities fixed in Firefox ESR 115.12

15 vulnerabilities in Firefox 127. 8 vulnerabilities in Firefox ESR 115.12. No mention of exploitation

#PatchTuesday #CVE #vulnerability #Firefox #Mozilla

Friendly reminder to submit to GreHack conference: https://grehack.fr/2024/cfp

What's different about GreHack?

- It's a simple one-track conference, but with large audience (usually sold out)
- There's usually a mixture between academic and non-academic presentations. This is enlightening.

On the non-technical side: people are very welcoming, the food is nice (especially for vegetarians), you'll see the snowy Alps, there's an excellent CTF.

#hacking #security #CFP

https://ioc.exchange/@matthew_d_green/112597849837858606

matts thread here is an important one

Tiny Awards https://lobste.rs/s/urihyy #web
https://tinyawards.net/

I’ve said before and saying again. This is a common problem in vendors - the lack of understandings of the importance/value of new attack vector discovery research.

https://x.com/l33d0hyun/status/1800299745623367867

https://bird.makeup/@l33d0hyun/1800299745623367867

it has been nearly three months since the last valid #hackerone report against #curl

Just saying.

I bet you can't find anything to report.

🤠

Hacker Template

https://patchfriday.com/64/

Did anyone realize that #MicrosoftEdge already had a #recall feature? 👀

good morning!
my talk from securityfest has been published!

if you have ~35 minutes and want to learn some stuff about adversarial defenses, have a peek!
https://www.youtube.com/watch?v=ShSR0c81h5U&ab_channel=SecurityFest