7734 matches found

MSRC
added 2020/12/17 8:0 a.m., 9 views

[For IT administrators] Reading CVSS to understand vulnerabilities more accurately

For the new version of the security updates, please also see the related blog posts below. "New secu...

0.7 AI score
Exploits: 0
Rapid7 Blog
added 2020/12/16 2:56 p.m., 31 views

Happy HaXmas from the Rapid7 Team!

Happy HaXmas, everyone! This has been quite the year, but we’re thrilled that we’re able to keep up our favorite holiday tradition of our annual HaXmas blog series, which features holiday stories, hacking wins from the year, tips and tricks, and general festivity to keep you entertained during th...

7.1 AI score
Exploits: 0
Schneier on Security
added 2020/12/14 7:39 p.m., 24 views

Upcoming Speaking Engagements

This is a current list of where and when I am scheduled to speak: I'm speaking online at Western Washington University on January 20, 2021. Details to come. I’ll be speaking at an Informa event on February 28, 2021. Details to come. The list is maintained on this page...

1.9 AI score
Exploits: 0
CNNVD
added 2020/12/14 12:0 a.m., 7 views

Ornose15 Newpk SQL injection vulnerability

Ornose15 Newpk is a PHP-based blog management platform from the individual developers at Ornose15. NewPK version 1.1 has a SQL injection vulnerability. The vulnerability stems from the title parameter in adminnewpost.php not effectively filtering user input; attackers can use this...

9.8 CVSS, 7.4 AI score, 0.01082 EPSS
Exploits: 1, References: 2
Schneier on Security
added 2020/12/11 10:10 p.m., 38 views

Friday Squid Blogging: Newly Identified Ichthyosaur Species Probably Ate Squid

This is a deep-diving species that "fed on small prey items such as squid." Academic paper. As usual, you can also use this squid post to talk about the security stories in the news that I haven’t covered. Read my blog posting guidelines here...

1.5 AI score
Exploits: 0
GithubExploit
added 2020/12/09 8:57 p.m., 171 views

Exploit for Deserialization of Untrusted Data in Microsoft

Weaponized tool for CVE-2020-17144 Microsoft Exchange 2010 MR...

8.8 CVSS, 9.2 AI score, 0.36514 EPSS
Exploits: 4
Microsoft Malware Protection
added 2020/12/09 7:0 p.m., 29 views

Building a Zero Trust business plan

These past six months have been a remarkable time of transformation for many IT organizations. With the forced shift to remote work, IT professionals have had to act quickly to ensure people continue working productively from home—in some cases bringing entire organizations online over a weekend...

7.5 AI score
Exploits: 0
The Hacker News
added 2020/12/09 9:9 a.m., 36 views

Cybersecurity Firm FireEye Got Hacked; Red-Team Pentest Tools Stolen

FireEye, one of the largest cybersecurity firms in the world, said on Tuesday it became a victim of a state-sponsored attack by a "highly sophisticated threat actor" that stole its arsenal of Red Team penetration testing tools it uses to test the defenses of its customers. The company said it's...

7 AI score
Exploits: 0
Wired Threat Level
added 2020/12/02 12:0 p.m., 31 views

This Company Uses AI to Outwit Malicious AI

Robust Intelligence is among a crop of companies that offer to protect clients from efforts at deception...

2.4 AI score
Exploits: 0
CNVD
added 2020/11/30 12:0 a.m., 4 views

Mblog open source Java blog system has a logic flaw vulnerability

Mblog is an open-source, free blog system developed in Java that supports MySQL/H2 databases and is built with spring-boot, jpa, shiro, bootstrap and other popular frameworks. The Mblog open source Java blog system has a logic flaw vulnerability; an attacker can use the...

6.8 AI score
Exploits: 0
Wired Threat Level
added 2020/11/27 12:0 p.m., 27 views

Trump’s Election Attack Ends December 14—Whether He Knows It or Not

Despite the Trump campaign’s fight to overturn the election, the wheels of American democracy keep turning...

2.9 AI score
Exploits: 0
Exploit DB
added 2020/11/27 12:0 a.m., 925 views

Acronis Cyber Backup 12.5 Build 16341 - Unauthenticated SSRF

Exploit Title: Acronis Cyber Backup 12.5 Build 16341 - Unauthenticated SSRF Date: 2020-07-30 Author: Julien Ahrens Vendor Homepage: https://www.acronis.com Version: 12.5 Build 16341 CVE: CVE-2020-16171 VERSIONS AFFECTED ==================== Acronis Cyber Backup v12.5 Build 16327 and probably belo...

6.5 CVSS, 6.8 AI score, 0.05505 EPSS
Exploits: 4
Hacker One
added 2020/11/20 5:1 p.m., 40 views

Automattic: Stored XSS in Intense Debate comment system

Hi Team, Summary: The Intense Debate comment system is vulnerable to stored XSS by users, this would allow for attacking admins/users on the blog, Platforms Affected: Intense Debate comment system Steps To Reproduce: 1. Go to intensedebate.com/moderate/-ID- 2. Go to comments allow images in...

0.2 AI score
Exploits: 0
CNVD
added 2020/11/20 12:0 a.m., 1 views

XSS Vulnerability in mblog Blog System

mblog is an open-source, free blog system developed in Java that supports MySQL/H2 databases and is built with spring-boot, jpa, shiro, bootstrap and other popular frameworks. The mblog blog system has an XSS vulnerability; an attacker can exploit the vulnerability to obtain user...

6.2 AI score
Exploits: 0
Schneier on Security
added 2020/11/13 8:17 p.m., 38 views

Inrupt’s Solid Announcement

Earlier this year, I announced that I had joined Inrupt, the company commercializing Tim Berners-Lee's Solid specification: The idea behind Solid is both simple and extraordinarily powerful. Your data lives in a pod that is controlled by you. Data generated by your things -- your computer, your...

0.7 AI score
Exploits: 0
ATTACKERKB
added 2020/11/11 12:0 a.m., 138 views

CVE-2020-17049

A security feature bypass vulnerability exists in the way Key Distribution Center (KDC) determines if a service ticket can be used for delegation via Kerberos Constrained Delegation (KCD). To exploit the vulnerability, a compromised service that is configured to use KCD could tamper with a service...

9 CVSS, 7.5 AI score, 0.13794 EPSS
In wild, Exploits: 0, References: 4
CNVD
added 2020/11/10 12:0 a.m., 2 views

MileagePHP open source blog system suffers from SQL injection vulnerability

MileagePlus open source PHP blog system is an open source blog system based on ThinkPHP. MileagePlus PHP open source blog system suffers from a SQL injection vulnerability. Attackers can exploit the vulnerability to obtain sensitive database information...

7.9 AI score
Exploits: 0
Richard Bejtlich's blog
added 2020/11/09 1:30 p.m., 28 views

New Book! The Best of TaoSecurity Blog, Volume 3

Introduction I published a new book! The Best of TaoSecurity Blog, Volume 3: Current Events, Law, Wise People, History, and Appendices is the third title in the TaoSecurity Blog series. It's in the Kindle Store, and if you have an Unlimited account, it's free. I also published a print edition,...

6.6 AI score
Exploits: 0
Exploit DB
added 2020/11/06 12:0 a.m., 233 views

Sentrifugo Version 3.2 - 'announcements' Remote Code Execution (Authenticated)

Exploit Title: Sentrifugo Version 3.2 - 'announcements' Remote Code Execution Authenticated Google Dork: N/A Date: 2020.10.06 Exploit Author: Fatih Çelik Vendor Homepage: https://sourceforge.net/projects/sentrifugo/ Software Link: https://sourceforge.net/projects/sentrifugo/ Blog:...

7.4 AI score
Exploits: 0
OSV
added 2020/11/02 9:15 p.m., 1 views

DEBIAN-CVE-2020-28037

is_blog_installed in wp-includes/functions.php in WordPress before 5.5.2 improperly determines whether WordPress is already installed, which might allow an attacker to perform a new installation, leading to remote code execution as well as a denial of service for the old installation...

9.8 CVSS, 9.2 AI score, 0.0774 EPSS
Exploits: 0, References: 1