New Python-based FBot Hacking Toolkit Aims at Cloud and SaaS Platforms

A new Python-based hacking tool called FBot has been uncovered targeting web servers, cloud services, content management systems CMS, and SaaS platforms such as Amazon Web Services AWS, Microsoft 365, PayPal, Sendgrid, and Twilio. "Key features include credential harvesting for spamming attacks,...

Request Smuggling org.apache.tomcat:tomcat-catalina Dependency in Jira Software Data Center and Server

This High severity org.apache.tomcat:tomcat-catalina Dependency vulnerability was introduced in versions 9.4.0, 9.7.0, 9.9.0, 9.10.0, 9.11.0, and 9.12.0 of Jira Software Data Center and Server. Jira Software Data Center versions 9.14.0, 9.13.0, 9.13.1 are NOT affected This...

golang: net/http/httputil: ReverseProxy should not forward unparseable query parameters

A flaw was found in the golang package, where requests forwarded by reverse proxy include the raw query parameters from the inbound request, including unparseable parameters rejected by net/http. This issue could permit query parameter smuggling when a Go proxy forwards a parameter with an...

tomcat: incorrectly parsed http trailer headers can cause request smuggling

A flaw was found in Apache Tomcat, where an improper input validation can occur. This flaw allows a malicious user to send a crafted request containing an invalid trailer header, which could be treated as multiple requests, potentially leading to request smuggling when behind a reverse proxy...

PT-2024-2753 · Isc +12 · Bind 9 +12

Name of the Vulnerable Software and Affected Versions: BIND 9 versions 9.0.0 through 9.16.45 BIND 9 versions 9.18.0 through 9.18.21 BIND 9 versions 9.19.0 through 9.19.19 BIND 9 versions 9.9.3-S1 through 9.11.37-S1 BIND 9 versions 9.16.8-S1 through 9.16.45-S1 BIND 9 versions 9.18.11-S1 through...

Exploit for Server-Side Request Forgery in Apache Ofbiz

Go-Exploit for CVE-2023-51467 This repository contains a go-e...

USN-6038-2 golang-1.13, golang-1.16 vulnerabilities

USN-6038-1 fixed several vulnerabilities in Go 1.18. This update provides the corresponding updates for Go 1.13 and Go 1.16. CVE-2022-29526 and CVE-2022-30630 only affected Go 1.16. Original advisory details: It was discovered that the Go net/http module incorrectly handled Transfer-Encoding...

SAP Web Dispatcher Security Vulnerability

SAP Web Dispatcher is a core component of Load Balancing from SAP, which supports load balancing and provides reverse proxy functionality to enable external network users to access internal applications. A security vulnerability exists in SAP Web Dispatcher that stems from the fact that under...

Exploit for CVE-2022-36267

CVE-2022-36267 - Airspan AirSpot 5410 Unauthenticated Remote C...

GHSA-V2V2-HPH8-Q5XP @fastify/reply-from JSON Content-Type parsing confusion

Impact The main repo of fastify use fast-content-type-parse to parse request Content-Type, which will trim after split. The fastify-reply-from have not use this repo to unify the parse of Content-Type, which won't trim. As a result, a reverse proxy server built with @fastify/reply-from could...

@fastify/reply-from JSON Content-Type parsing confusion

Impact The main repo of fastify use fast-content-type-parse to parse request Content-Type, which will trim after split. The fastify-reply-from have not use this repo to unify the parse of Content-Type, which won't trim. As a result, a reverse proxy server built with @fastify/reply-from could...

CVE-2023-51701

fastify-reply-from is a Fastify plugin to forward the current HTTP request to another server. A reverse proxy server built with @fastify/reply-from could misinterpret the incoming body by passing an header ContentType: application/json ; charset=utf-8. This can lead to bypass of security checks...

CVE-2023-51701 @fastify-reply-from JSON Content-Type parsing confusion

fastify-reply-from is a Fastify plugin to forward the current HTTP request to another server. A reverse proxy server built with @fastify/reply-from could misinterpret the incoming body by passing an header ContentType: application/json ; charset=utf-8. This can lead to bypass of security checks...

Sea Turtle Cyber Espionage Campaign Targets Dutch IT and Telecom Companies

Telecommunication, media, internet service providers ISPs, information technology IT-service providers, and Kurdish websites in the Netherlands have been targeted as part of a new cyber espionage campaign undertaken by a Türkiye-nexus threat actor known as Sea Turtle. "The infrastructure of the...

CVE-2024-21633

Apktool is a tool for reverse engineering Android APK files. In versions 2.9.1 and prior, Apktool infers resource files' output path according to their resource names which can be manipulated by attacker to place files at desired location on the system Apktool runs on. Affected environments are...

Design/Logic Flaw

Apktool is a tool for reverse engineering Android APK files. In versions 2.9.1 and prior, Apktool infers resource files' output path according to their resource names which can be manipulated by attacker to place files at desired location on the system Apktool runs on. Affected environments are...

CVE-2024-21633

Apktool is a tool for reverse engineering Android APK files. In versions 2.9.1 and prior, Apktool infers resource files' output path according to their resource names which can be manipulated by attacker to place files at desired location on the system Apktool runs on. Affected environments are...

CVE-2024-21633

CVE-2024-21633 affects Apktool

Internet Bug Bounty: Request Smuggling in Apache Tomcat (Important, CVE-2023-45648)

A vulnerability in Apache Tomcat versions 11.0.0-M1 to 11.0.0-M11, 10.1.0-M1 to 10.1.13, 9.0.0-M1 to 9.0.80, and 8.5.0 to 8.5.93 allowed HTTP request smuggling due to improper parsing of trailer headers. This could be exploited by a remote attacker to bypass security controls when Tomcat was...

Blutter - Flutter Mobile Application Reverse Engineering Tool

Flutter Mobile Application Reverse Engineering Tool by Compiling Dart AOT Runtime Currently the application supports only Android libapp.so arm64 only. Also the application is currently work only against recent Dart versions. For high priority missing features, see TODO Environment Setup This...