LLaVul: a Multimodal LLM for Interpretable Vulnerability Reasoning about Source Code

Increasing complexity in software systems places a growing demand on reasoning tools that unlock vulnerabilities manifest in source code. Many current approaches focus on vulnerability analysis as a classifying task, oversimplifying the nuanced and context-dependent real-world scenarios. Even...

Evasive Meduza Stealer Targets 19 Password Managers and 76 Crypto Wallets

In yet another sign of a lucrative crimeware-as-a-service CaaS ecosystem, cybersecurity researchers have discovered a new Windows-based information stealer called Meduza Stealer that's actively being developed by its author to evade detection by software solutions. "The Meduza Stealer has a...

CVE-2023-23448

Inclusion of Sensitive Information in Source Code in SICK FTMg AIR FLOW SENSOR with Partnumbers 1100214, 1100215, 1100216, 1120114, 1120116, 1122524, 1122526 allows a remote attacker to gain information about valid usernames via analysis of source code...

Grepmarx - A Source Code Static Analysis Platform For AppSec Enthusiasts

Grepmarx is a web application providing a single platform to quickly understand, analyze and identify vulnerabilities in possibly large and unknown code bases. Features SAST Static Analysis Security Testing capabilities: Multiple languages support: C/C++, C, Go, HTML, Java, Kotlin, JavaScript,...

MAL-2023-6625 Malicious code in selfsplitreplacecraft (PyPI)

--- -= Per source details. Do not edit below this line.=- Source: checkmarx 7df84fb9d259d10ace99c1e37391c7d1a2a641f28aa55e746f5bca57e8b03488 EsqueleSquad group published nearly 6000 malicious PyPi and NPM packages, executing spyware and information-stealing malware...

WP All Import < 3.6.8 - Admin+ Arbitrary File Upload

The plugin accepts all zip files and automatically extracts the zip file without validating the extracted file type. Allowing high privilege users such as admin to upload an arbitrary file like PHP, leading to RCE As an admin upload a php file containing the palyload zipped along with a valid XML...

Concrete CMS: A bypass of adding remote files in concrete5 FIlemanager leads to remote code execution

Hi, I 'm currently testing the latest concretecms on my own pc and found some security problems of file manager. Concretecms allows user to upload remote files via file manager. With some techniques to bypass restriction of this function, a evil user will be able to download arbitary php file int...

JSPanda - Client-Side Prototype Pullution Vulnerability Scanner

JSpanda is client-side prototype pollution vulnerability scanner. It has two key features, scanning vulnerability the supplied URLs and analyzing the JavaScript libraries' source code. However, JSpanda cannot detect advanced prototype pollution vulnerabilities. How JSPanda works? Uses multiple...

Exploit for Path Traversal in Atlassian Confluence_Server

Confluence unauthorize template injection CVE-2019-3396...

Information_Collection_Handbook

The repository is an information collection handbook for penetration testing and source code analysis. It contains a collection of tools and resources for gathering information about a target, including domain name information, application information, and source code analysis. The repository...

Microsoft open sources CodeQL queries used to hunt for Solorigate activity

A key aspect of the Solorigate attack is the supply chain compromise that allowed the attacker to modify binaries in SolarWinds’ Orion product. These modified binaries were distributed via previously legitimate update channels and allowed the attacker to remotely perform malicious activities, suc...

October CMS Build 465 XSS / File Read / File Deletion / CSV Injection

October CMS = Build 465 Multiple Vulnerabilities Author - Sivanesh Ashok | @sivaneshashok | stazot.com Date : 2020-03-31 Vendor : https://octobercms.com/ Version : = Build 465 Tested on : Build 465 CVE : CVE-2020-5295, CVE-2020-5296, CVE-2020-5297, CVE-2020-5298, CVE-2020-5299, CVE-2020-11083 Las...

ApplicationInspector - A Source Code Analyzer Built For Surfacing Features Of Interest And Other Characteristics To Answer The Question 'What'S In It' Using Static Analysis With A Json Based Rules Engine

Microsoft Application Inspector is a software source code analysis tool that helps identify and surface well-known features and other interesting characteristics of source code to aid in determining what the software is or what it does. Application Inspector is different from traditional static...

CVE-2019-16409

CVE-2019-16409 affects the SilverStripe Versioned Files module up to version 2.0.3 on SilverStripe 3.x. Unpublished file versions are publicly exposed when their URLs are guessed, aided by knowledge of the module’s source code. The issue is a information disclosure due to insufficient access cont...

CARBANAK Week Part Two: Continuing the CARBANAK Source Code Analysis

Update April 30: Following the release of our four-part CARBANAK Week blog series, many readers have found places to make the data shared in these posts actionable. We have updated this post to include some of this information. In the previous installment, we wrote about how string hashing was us...

ModSecurity 3.0.0 Cross Site Scripting

Exploit Title: ModSecurity 3.0.0 - Cross-Site Scripting Date: 2018-07-02 Vendor Homepage: https://www.modsecurity.org Software: ModSecurity Category: Web Application Firewall Exploit Author: Adipta Basu Tested on: Mac OS High Sierra CVE: N/A Description: ModSecurity 3.0.0 has XSS via an onError...

ModSecurity 3.0.0 - Cross-Site Scripting Vulnerability

Exploit for linux platform in category web applications Exploit Title: ModSecurity 3.0.0 - Cross-Site Scripting Vendor Homepage: https://www.modsecurity.org Software: ModSecurity Category: Web Application Firewall Exploit Author: Adipta Basu Tested on: Mac OS High Sierra CVE: N/A Description:...

ModSecurity 3.0.0 - Cross-Site Scripting

ModSecurity 3.0.0 - Cross-Site Scripting. CVE-2018-13065. Webapps exploit for Linux platform. Tags: Cross-Site Scripting XSS Exploit Title: ModSecurity 3.0.0 - Cross-Site Scripting Date: 2018-07-02 Vendor Homepage: https://www.modsecurity.org Software: ModSecurity Category: Web Application Firewa...

ReverseAPK - Quickly Analyze And Reverse Engineer Android Packages

Quickly analyze and reverse engineer Android applications. FEATURES: Displays all extracted files for easy reference Automatically decompile APK files to Java and Smali format Analyze AndroidManifest.xml for common vulnerabilities and behavior Static source code analysis for common vulnerabilitie...

Visual Studio Security Extension: Puma Scan

Visual Studio Security Extension Puma Scan is the leading software security Visual Studio analyzer extension. Built on top of Roslyn, the open-source .NET Compiler Platform, Puma Scan provides real time, continuous source code analysis as development teams write code. Vulnerabilities are...