5335 matches found

CISA | added 2020/06/22 12:00 a.m. | 10 views

ACSC Releases Advisory on Cyber Campaign using Copy-Paste Compromises

The Australian Cyber Security Centre (ACSC) has released an advisory regarding an ongoing cyber campaign involving “copy-paste compromises” targeting Australian government and commercial networks. According to the advisory, a sophisticated malicious cyber actor is carrying out the campaign using...

AI score: 7.9 | Exploits: 0 | References: 4
OSV | added 2020/06/19 11:15 p.m. | 22 views

CVE-2020-13261

Amazon EKS credentials disclosure in GitLab CE/EE 12.6 and later through 13.0.1 allows other administrators to view Amazon EKS credentials via HTML source code...

CVSS: 2.7 | AI score: 6.5 | EPSS: 0.00877 | Exploits: 0 | References: 3
UbuntuCve | added 2020/06/19 11:15 p.m. | 25 views

CVE-2020-13261

Amazon EKS credentials disclosure in GitLab CE/EE 12.6 and later through 13.0.1 allows other administrators to view Amazon EKS credentials via HTML source code...

CVSS: 5.3 | AI score: 5.9 | EPSS: 0.00877 | Exploits: 0 | References: 4
CVE | added 2020/06/19 10:11 p.m. | 83 views

CVE-2020-13261

CVE-2020-13261 affects GitLab CE/EE 12.6 through 13.0.1, where Amazon EKS credentials can be disclosed to other administrators via HTML source code. Connected sources confirm the vulnerability and affected ranges, but do not provide concrete exploit steps or a published remediation version. The i...

CVSS: 5.3 | AI score: 3.6 | EPSS: 0.00877 | Exploits: 0 | References: 3 | Affected software: 1
Cvelist | added 2020/06/19 10:11 p.m. | 33 views

CVE-2020-13261

Amazon EKS credentials disclosure in GitLab CE/EE 12.6 and later through 13.0.1 allows other administrators to view Amazon EKS credentials via HTML source code...

CVSS: 5.3 | AI score: 5 | EPSS: 0.00877 | Exploits: 0 | References: 3
Debian CVE | added 2020/06/19 10:11 p.m. | 26 views

CVE-2020-13261

Removed by vendor...

CVSS: 5.3 | AI score: 5.8 | EPSS: 0.00877 | Exploits: 0
Akamai Blog | added 2020/06/19 7:15 p.m. | 23 views

DNS as Code

Infrastructure as Code (IaC) and Continuous Delivery methods have become increasingly popular amongst development and operations teams as a means of maintaining high-performing websites. Code repositories, build servers, and configuration management systems are now industry standards, as these tool...

AI score: 0.3 | Exploits: 0
Hacker One | added 2020/06/19 2:03 a.m. | 181 views

RATELIMITED: Source code disclosure at ███

Summary: Source code disclosure at ███████ Steps To Reproduce: POC: link download source code: ███████ Supporting Material/References: █████ ███████ Impact Source Code Disclosure Sensitive Information Disclosure...

AI score: 0.6 | Exploits: 0
Hacker One | added 2020/06/15 10:37 a.m. | 24 views

Mail.ru: Source code and internal credentials disclosure

Sensitive application configuration data disclosed on registry.infra.mail.ru...

AI score: 1.5 | Exploits: 0
Hacker One | added 2020/06/11 3:30 a.m. | 133 views

h1-ctf: [H1-2006] CTF Writeup

H1-2006 CTF Writeup I am fairly new to CTFs - this is just my second CTF after H1-415 CTF, at which I didn't get far at all. I think the most valuable thing I can do for anyone who comes across this writeup, is to describe exactly what I was thinking at each step along the way, including all my...

AI score: 7 | Exploits: 0
Hacker One | added 2020/06/08 12:09 a.m. | 161 views

h1-ctf: [H1-2006 2020] CTF Writeup

Summary: The CTF's objective could be found in the following Twitter post: F858468 As outlined on https://hackerone.com/h1-ctf, all subdomains of bountypay.h1ctf.com are in scope. Doing subdomain enumeration revealed the following subdomains: api.bountypay.h1ctf.com app.bountypay.h1ctf.com...

AI score: 7.4 | Exploits: 0
Hacker One | added 2020/06/02 1:10 p.m. | 66 views

h1-ctf: [H1-2006 2020] CTF Writeup!

The Beginning ===================== The scope of the H1-2006 CTF was .bountypay.h1ctf.com. After opening https://bountypay.h1ctf.com, I noticed that on the top left of the screen there was a dropdown with two login pages: one for Customers https://app.bountypay.h1ctf.com/ and one for Staff...

AI score: 7.6 | Exploits: 0
Packet Storm | added 2020/06/02 12:00 a.m. | 184 views

Clinic Management System 1.0 SQL Injection

Exploit Title: Clinic Management System 1.0 - Authentication Bypass Google Dork: N/A Date: 2020-06-02 Exploit Author: BKpatron Vendor Homepage: https://www.sourcecodester.com/php/14243/open-source-clinic-management-system-php-full-source-code.html Software Link:...

Exploits: 0
Hacker One | added 2020/05/24 6:37 p.m. | 13 views

ownCloud: File System Monitoring Queue Overflow

In the source code "owncloud/client", in the file "src/gui/folderwatcherlinux.cpp", in the function "void FolderWatcherPrivate::inotifyRegisterPath(const QString &path)", the file paths are set for monitoring by calling "inotify_add_watch": int wd = inotify_add_watch(fd, path.toUtf8().constData(), ...

AI score: 0.9 | Exploits: 0
Hacker One | added 2020/05/23 5:04 a.m. | 11 views

Glassdoor: Unauthorized usage of External API Key (Usage of Google Maps API Key ==> $$$)

A Google Maps API key was found in the source code of a Glassdoor webpage, which allowed unauthorized usage of the API. The API key was not configured securely...

AI score: 5.9 | Exploits: 0
CNVD | added 2020/05/20 12:00 a.m. | 2 views

Hefei Tianxun Information Technology Co., Ltd. pushes Couponer CMS with SQL injection vulnerability

Push Couponer CMS is a completely free Taobao coupon website source code program. Hefei Tianxun Information Technology Co., Ltd. Push Couponer CMS has a SQL injection vulnerability, which can be exploited by attackers to obtain sensitive information from the database...

AI score: 7.8 | Exploits: 0
OpenVAS | added 2020/05/20 12:00 a.m. | 33 views

Cherokee Web Server <= 1.2.104 Multiple Vulnerabilities

Cherokee Web Server is prone to multiple vulnerabilities. Copyright (C) 2020 Greenbone Networks GmbH. Some text descriptions might be excerpted from referenced sources, and are Copyright (C) by the respective right holders. SPDX-License-Identifier: GPL-2.0-or-later. This program is free software; you...

AI score: 7.9 | Exploits: 0 | References: 2
CVE | added 2020/05/14 3:57 p.m. | 448 views

CVE-2020-1945

This CVE (CVE-2020-1945) affects Apache Ant. Connected Arch Linux advisory ASA-202005-15 confirms the vulnerability exists in ant before version 1.10.8-1, where Ant uses java.io.tmpdir for several tasks and can leak sensitive information. The fixcrlf and replaceregexp tasks may copy files from th...

CVSS: 6.3 | AI score: 6.8 | EPSS: 0.01793 | Exploits: 0 | References: 52 | Affected software: 1
FreeBSD Advisory | added 2020/05/12 12:00 a.m. | 11 views

FreeBSD-SA-20:15.cryptodev

-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 ============================================================================= FreeBSD-SA-20:15.cryptodev Security Advisory The FreeBSD Project Topic: Use after free in cryptodev module Category: core Module: cryptodev Announced: 2020-05-12 Credits:...

CVSS: 7.4 | AI score: 7.3 | EPSS: 0.00656 | Exploits: 0
FreeBSD Advisory | added 2020/05/12 12:00 a.m. | 12 views

FreeBSD-SA-20:14.sctp

-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 ============================================================================= FreeBSD-SA-20:14.sctp Security Advisory The FreeBSD Project Topic: Improper checking in SCTP-AUTH shared key update Category: core Module: kernel Announced: 2020-05-12...

CVSS: 7.8 | AI score: 7.1 | EPSS: 0.00317 | Exploits: 0