"I'm interested in all kinds of astronomy."
[RSS] Sandbox Security Escapes in ColdFusion and Lucee (CVE-2025-30288 and CVE-2024-55354)

https://www.hoyahaxa.com/2025/06/sandbox-security-escapes-in-coldfusion.html
Hungarian astronaut Tibor Kapu is on his way to space on Ax-4 \o/

https://www.youtube.com/watch?v=YAue1QljRg4

๐Ÿ‘‰๐Ÿฝ Check out this in-depth video of @nmatt0 reversing the firmware decryption mechanism used in a Hanwha security camera with IDA Pro. Bonus: He's also written an accompanying blog post packed with code samples, screenshots, and more!

https://hex-rays.com/blog/reversing-hanwha-security-cameras-a-deep-dive-by-matt-brown


This is very aggressively (perhaps too aggressively) stated, but he's absolutely right. People are all worried their ideas are gonna be "stolen", and my friends, I can assure you that won't be the problem.


i love css 💖

also shoutout to Fastmail for rolling out fixes for both reports in <48h
https://www.fastmail.com/bug-bounty/

#IBMi is affected by a user gaining elevated privileges due to an unqualified library call vulnerability in IBM Facsimile Support for i [CVE-2025-36004]

https://www.ibm.com/support/pages/node/7237732

Another one by @silentsignal !
[RSS] CFCamp 2025 Slides - Understanding CFML Vulnerabilities, Exploits, and Attack Paths

https://www.hoyahaxa.com/2025/06/cfcamp-2025-slides-understanding-cfml.html

#coldfusion
I updated the generated #Ghidra documentation I host for 11.4:

https://scrapco.de/ghidra_docs/

Here's the documentation for Decompiler Taint Operations:

https://scrapco.de/ghidra_docs/Features/DecompilerDependent/DecompilerTaint/DecompilerTaint.html
#Ghidra 11.4 released with support for (external) taint engines in the decompiler:

https://github.com/NationalSecurityAgency/ghidra/releases/tag/Ghidra_11.4_build

📢 @ERNW is preparing the venue for tomorrow's launch of in ! See you soon people! We are super excited! 🥳

[RSS] Abusing copyright strings to trick software into thinking it's running on your competitor's PC

https://devblogs.microsoft.com/oldnewthing/20250624-00/?p=111299

#warez

ใ‚ทใƒฃใƒใ‚ณ๐ŸŒต

So the VSCode terminal supports Sixel too, huh (images are displayed when you enable terminal.integrated.experimentalImageSupport)


"We will respond to you in 5 days"

3 weeks later... No response.

Anyone who gets mad at people for going full disclosure has never had to deal with the bureaucratic maze of trying to get people to fix their things.


PSA: The new version of our browser extension now requires additional permissions to "change your privacy-related settings".

The new permissions are required so we can set KeePassXC as your default password manager backend. Unfortunately, there isn't a better name for this permission set.


Remote code execution in CentOS Web Panel - CVE-2025-48703 https://fenrisk.com/rce-centos-webpanel
