CVE ID: CVE-2024-58136
Vendor: Yiiframework
Product: Yii
Date Added: 2025-05-02
Vulnerability: Yiiframework Yii Improper Protection of Alternate Path Vulnerability
Notes: This vulnerability affects a common open-source component, third-party library, or a protocol used by different products. For more information, please see: https://www.yiiframework.com/news/709/please-upgrade-to-yii-2-0-52 ; https://nvd.nist.gov/vuln/detail/CVE-2024-58136
CVE URL: https://nvd.nist.gov/vuln/detail/CVE-2024-58136
Making Burp Suite snappy on Asahi Linux - https://dustri.org/b/making-burp-suite-snappy-on-asahi-linux.html
watchTowr labs published a good write-up on the EITW vulns in the SonicWALL SMA100 ( CVE-2024-38475 and CVE-2023-44221 ).
From iframes and file reads to full RCE. 🔥
We found an HTML-to-PDF API allowing file reads and SSRF - then chained it into remote code execution via a Chromium 62 WebView exploit.
Read the full write-up here: https://neodyme.io/en/blog/html_renderer_to_rce/
AFL++ v4.32c release - mostly minor bug fixes and improvements, LLVM 20 users should update! https://github.com/AFLplusplus/AFLplusplus/releases/tag/v4.32c #afl #fuzzing #fuzzing-tools #fuzzingtools
Interesting Git repos of the week:
Strategy:
* https://github.com/TalEliyahu/awesome-CISO-maturity-models - modelling your strategy
Detection:
* https://github.com/yevh/TaaC-AI - threat modelling as code
* https://github.com/thalesgroup-cert/Watcher - build your own threat hunting platform with Thales
* https://github.com/microsoft/msticpy - Microsoft's TI tooling
Exploitation:
* https://github.com/specfy/stack-analyser - what's in the stack?
Hardening:
* https://github.com/nistorj/ISR1000 - guestshell on the ISR1000
Don't forget to patch your #forgejo tomorrow! (Security related)
https://floss.social/@forgejo/114433179035067022
I'm proud to announce that myself and @atipriyabajaj have created the Workshop on Software Understanding and Reverse Engineering (SURE), which will be co-located at CCS 2025. https://sure-workshop.org/
Please follow our workshop account @sureworkshop and RT it for visibility :).
Here's something counterintuitive to non-practitioners: curve P-521 is often less secure in practice than curve P-256.
The latter is more popular, and so better tested. The risk of implementation bugs dwarfs the risk of partial cryptanalysis of ECC, so picking P-521 optimizes for the wrong thing.
Intel's 386 processor (1985) moved the x86 architecture to 32 bits, but it needed to be backward compatible with earlier 16 and 8-bit processors. As a result, it needed complicated circuitry for its internal registers: six different circuits for 30 registers. Let's look at the silicon circuits. 1/N