7 matches found
CVE-2024-40641
Nuclei is a fast and customizable vulnerability scanner based on simple YAML based DSL. In affected versions it a way to execute code template without -code option and signature has been discovered. Some web applications inherit from Nuclei and allow users to edit and execute workflow files. In...
CVE-2024-40641
Nuclei (projectdiscovery/nuclei) has a CVE-2024-40641 OS Command Injection vector where unsigned code templates can execute via workflows, exposing arbitrary commands when users can edit/execute workflow files. Connected advisories confirm the root cause is code-template execution without the -co...
Authz0 - An Automated Authorization Test Tool. Unauthorized Access Can Be Identified Based On URLs And RolesAnd Credentials
Authz0 is an automated authorization test tool. Unauthorized access can be identified based on URLs and Roles & Credentials. URLs and Roles are managed as YAML-based templates, which can be automatically created and added through authz0. You can also test based on multiple authentication headers...
Automating security assessments using Cloud Katana
Today, we are open sourcing Cloud Katana, a cloud-native serverless application built on the top of Azure Functions to assess security controls in the cloud and hybrid cloud environments. We are currently covering only use cases in Azure, but we are working on extending it to other cloud provider...
Sigma Rules to Live Your Best SOC Life
Security Operations is a 24 x 7 job. It does not stop for weekends or holidays or even that much-needed coffee break after the first hour of the shift is complete. We all know this. Every SOC engineer is hoping for some rest at some point. One of my favorite jokes when talking about Security...
FTW - Framework For Testing WAFs
This project was created by researchers from ModSecurity and Fastly to help provide rigorous tests for WAF rules. It uses the OWASP Core Ruleset V3 as a baseline to test rules on a WAF. Each rule from the ruleset is loaded into a YAML file that issues HTTP requests that will trigger these rules...
CVE-2017-16615
An exploitable vulnerability exists in the YAML parsing functionality in the parseyamlquery method in parser.py in MLAlchemy before 0.2.2. When processing YAML-Based queries for data, a YAML parser can execute arbitrary Python commands resulting in command execution because load is used where...