XSS To RCE By Abusing Custom File Handlers - Kentico Xperience CMS (CVE-2025-2748) - watchTowr Labs
https://ift.tt/vr0xo8R
Submitted April 01, 2025 at 03:42PM by dx7r__
via reddit https://ift.tt/u2FSVnz
https://ift.tt/vr0xo8R
Submitted April 01, 2025 at 03:42PM by dx7r__
via reddit https://ift.tt/u2FSVnz
watchTowr Labs
XSS To RCE By Abusing Custom File Handlers - Kentico Xperience CMS (CVE-2025-2748)
We know what you’re waiting for - this isn’t it. Today, we’re back with more tales of our adventures in Kentico’s Xperience CMS. Due to it’s wide usage, the type of solution, and the types of enterprises using this solution - any serious vulnerability, or
When parameterization fails: SQL injection in Nim's db_postgres module using parameterized queries
https://ift.tt/L7KMraZ
Submitted April 01, 2025 at 05:11PM by crower
via reddit https://ift.tt/tacTIbP
https://ift.tt/L7KMraZ
Submitted April 01, 2025 at 05:11PM by crower
via reddit https://ift.tt/tacTIbP
blog.nns.ee
When parameterization fails: SQL injection in Nim's db_postgres module using parameterized queries
Ethical Hacking and Cybersecurity Blog
Simplify Your OIDC Testing with This Tool
https://ift.tt/cjkUMre
Submitted April 01, 2025 at 06:13PM by Davidnkt
via reddit https://ift.tt/otr9218
https://ift.tt/cjkUMre
Submitted April 01, 2025 at 06:13PM by Davidnkt
via reddit https://ift.tt/otr9218
oidc-tester.compile7.org
OIDC Tester
A tool to test OIDC integrations
/r/netsec's Q2 2025 Information Security Hiring Thread
OverviewIf you have open positions at your company for information security professionals and would like to hire from the /r/netsec user base, please leave a comment detailing any open job listings at your company.We would also like to encourage you to post internship positions as well. Many of our readers are currently in school or are just finishing their education.Please reserve top level comments for those posting open positions.Rules & GuidelinesInclude the company name in the post. If you want to be topsykret, go recruit elsewhere. Include the geographic location of the position along with the availability of relocation assistance or remote work.If you are a third party recruiter, you must disclose this in your posting.Please be thorough and upfront with the position details.Use of non-hr'd (realistic) requirements is encouraged.While it's fine to link to the position on your companies website, provide the important details in the comment.Mention if applicants should apply officially through HR, or directly through you.Please clearly list citizenship, visa, and security clearance requirements.You can see an example of acceptable posts by perusing past hiring threads.FeedbackFeedback and suggestions are welcome, but please don't hijack this thread (use moderator mail instead.)
Submitted April 02, 2025 at 12:39AM by netsec_burn
via reddit https://ift.tt/adSB8fM
OverviewIf you have open positions at your company for information security professionals and would like to hire from the /r/netsec user base, please leave a comment detailing any open job listings at your company.We would also like to encourage you to post internship positions as well. Many of our readers are currently in school or are just finishing their education.Please reserve top level comments for those posting open positions.Rules & GuidelinesInclude the company name in the post. If you want to be topsykret, go recruit elsewhere. Include the geographic location of the position along with the availability of relocation assistance or remote work.If you are a third party recruiter, you must disclose this in your posting.Please be thorough and upfront with the position details.Use of non-hr'd (realistic) requirements is encouraged.While it's fine to link to the position on your companies website, provide the important details in the comment.Mention if applicants should apply officially through HR, or directly through you.Please clearly list citizenship, visa, and security clearance requirements.You can see an example of acceptable posts by perusing past hiring threads.FeedbackFeedback and suggestions are welcome, but please don't hijack this thread (use moderator mail instead.)
Submitted April 02, 2025 at 12:39AM by netsec_burn
via reddit https://ift.tt/adSB8fM
Reddit
From the netsec community on Reddit
Explore this post and more from the netsec community
Improved detection signature for the K8s IngressNightmare vuln
https://ift.tt/kIj3QsD
Submitted April 02, 2025 at 04:21AM by nathan_warlocks
via reddit https://ift.tt/L0PROZi
https://ift.tt/kIj3QsD
Submitted April 02, 2025 at 04:21AM by nathan_warlocks
via reddit https://ift.tt/L0PROZi
Praetorian
An Improved Detection Signature for the Kubernetes IngressNightmare Vulnerability | Praetorian
Learn about our improved detection signature for Kubernetes Ingress Nightmare (CVE-2025-1097, CVE-2025-1098, CVE-2025-1974, CVE-2025-24514) that accurately identifies vulnerable NGINX Ingress controller versions, including v1.12.0 which other templates miss.
peeko – Browser-based XSS C2 for stealthy internal network exploration via victim's browser.
https://ift.tt/nM0ETDG
Submitted April 02, 2025 at 03:28AM by b3rito
via reddit https://ift.tt/xtqMyk0
https://ift.tt/nM0ETDG
Submitted April 02, 2025 at 03:28AM by b3rito
via reddit https://ift.tt/xtqMyk0
GitHub
GitHub - b3rito/peeko: peeko – Browser-based XSS C2 for stealthy internal network exploration via infected browser.
peeko – Browser-based XSS C2 for stealthy internal network exploration via infected browser. - b3rito/peeko
Hacking the Call Records of Millions of Americans
https://ift.tt/RIu4l9T
Submitted April 02, 2025 at 03:54PM by techdash
via reddit https://ift.tt/93T7HqB
https://ift.tt/RIu4l9T
Submitted April 02, 2025 at 03:54PM by techdash
via reddit https://ift.tt/93T7HqB
Evan Connelly
Hacking the Call Records of Millions of Americans
Imagine if anyone could punch in a phone number from the largest U.S. cell carrier and instantly retrieve a list of its recent incoming calls—complete with timestamps—without compromising the device, guessing a password, or alerting the user.
Now imagine…
Now imagine…
Loose Types Sink Ships: Pre-Authentication SQL Injection in Halo ITSM
https://ift.tt/IPXtsrM
Submitted April 02, 2025 at 06:29PM by Mempodipper
via reddit https://ift.tt/PLVKGu1
https://ift.tt/IPXtsrM
Submitted April 02, 2025 at 06:29PM by Mempodipper
via reddit https://ift.tt/PLVKGu1
Searchlight Cyber
Pre-Auth SQL Injection in Halo ITSM › Searchlight Cyber
Halo ITSM is an IT support management software that can be deployed on-premise or in the cloud. Currently, there are around ~1000 cloud deployments of this software under the haloitsm.com domain, not accounting for all the on-premise deployments. This software…
This framework doesn’t hide files. It erases their existence until reassembly.
https://ift.tt/G21uYcL
Submitted April 02, 2025 at 08:52PM by CLKnDGGR
via reddit https://ift.tt/E9Q78OC
https://ift.tt/G21uYcL
Submitted April 02, 2025 at 08:52PM by CLKnDGGR
via reddit https://ift.tt/E9Q78OC
Medium
The Threat You Can’t Scan For
Why Detection Is Dead Without Presence
Safari extension to inspect IPs, ASNs, and countries in 1 click — fully private (built this myself)
https://ift.tt/0NxOj97
Submitted April 03, 2025 at 01:33AM by mad_qubik
via reddit https://ift.tt/ePTcZW4
https://ift.tt/0NxOj97
Submitted April 03, 2025 at 01:33AM by mad_qubik
via reddit https://ift.tt/ePTcZW4
App Store
IP Domain Flag Info
Discover comprehensive IP information effortlessly with our enhanced Safari extension! Whenever you visit a website, instantly reveal accurate server IP data (prioritizing IPv4):
- Country and flag
- ISP / Organization
- Connection type (if available)
…
- Country and flag
- ISP / Organization
- Connection type (if available)
…
Finding an Unauthenticated RCE nday in Zendto, patched quietly in 2021. Lots of vulnerable instances exposed to the internet.
https://ift.tt/hegYZQC
Submitted April 03, 2025 at 03:23AM by ezzzzz
via reddit https://ift.tt/sfAnFTe
https://ift.tt/hegYZQC
Submitted April 03, 2025 at 03:23AM by ezzzzz
via reddit https://ift.tt/sfAnFTe
Research Blog | Project Black
ZendTo NDay Vulnerability Hunting - Unauthenticated RCE in v5.24-3 <= v6.10-4
Discovering NDay flaws in ZendTo filesharing software highlighted an interesting fact: without the issuance of CVEs, vulnerabilities can easily go unpatched.
New Threat and Vulnerability Intelligence Database
https://ift.tt/sIclY8X
Submitted April 03, 2025 at 01:16PM by ethicalhack3r
via reddit https://ift.tt/8RLBfVI
https://ift.tt/sIclY8X
Submitted April 03, 2025 at 01:16PM by ethicalhack3r
via reddit https://ift.tt/8RLBfVI
cyberalerts.io
Stay one step ahead of the latest threats and vulnerabilities with vulnerability alerts and threat alerts. Cut through the noise and focus on what matters to your business with advanced alert filtering.
Intercepting MacOS XPC
https://ift.tt/G7Mkey6
Submitted April 03, 2025 at 11:23PM by Ano_F
via reddit https://ift.tt/5713ElL
https://ift.tt/G7Mkey6
Submitted April 03, 2025 at 11:23PM by Ano_F
via reddit https://ift.tt/5713ElL
Medium
Intercepting MacOS XPC
Intercepting XPC Messages With Frida
Suspected China-Nexus Threat Actor Actively Exploiting Critical Ivanti Connect Secure Vulnerability (CVE-2025-22457)
https://ift.tt/Tw134Vf
Submitted April 03, 2025 at 11:03PM by ethicalhack3r
via reddit https://ift.tt/OTVxzFR
https://ift.tt/Tw134Vf
Submitted April 03, 2025 at 11:03PM by ethicalhack3r
via reddit https://ift.tt/OTVxzFR
Google Cloud Blog
Suspected China-Nexus Threat Actor Actively Exploiting Critical Ivanti Connect Secure Vulnerability (CVE-2025-22457) | Google Cloud…
Talk To Your Malware - Integrating AI Capability in an Open-Source C2 Agent
https://ift.tt/1lyAdNn
Submitted April 04, 2025 at 03:43AM by obilodeau
via reddit https://ift.tt/WdQJi9y
https://ift.tt/1lyAdNn
Submitted April 04, 2025 at 03:43AM by obilodeau
via reddit https://ift.tt/WdQJi9y
GoSecure
Talk To Your Malware - Integrating AI Capability in an Open-Source C2 Agent
Explore how AI-enabled implants can generate and execute custom malware commands on the fly, no coding required.
Open-source Compliance
https://trycomp.ai/
Submitted April 04, 2025 at 01:25PM by Indiemarketing
via reddit https://ift.tt/EVCaKHp
https://trycomp.ai/
Submitted April 04, 2025 at 01:25PM by Indiemarketing
via reddit https://ift.tt/EVCaKHp
Comp AI
Comp AI - SOC 2 - HIPAA - GDPR - ISO 27001 made effortless
AI that handles compliance for you at startup speed. The effortless way to get SOC 2, HIPAA, GDPR, and ISO 27001 compliant in hours, not months.
Is The Sofistication In The Room With Us? - X-Forwarded-For and Ivanti Connect Secure (CVE-2025-22457) - watchTowr Labs
https://ift.tt/AeQY1N0
Submitted April 04, 2025 at 07:20PM by dx7r__
via reddit https://ift.tt/SbJRyX9
https://ift.tt/AeQY1N0
Submitted April 04, 2025 at 07:20PM by dx7r__
via reddit https://ift.tt/SbJRyX9
watchTowr Labs
Is The Sofistication In The Room With Us? - X-Forwarded-For and Ivanti Connect Secure (CVE-2025-22457)
What's that Skippy? Another Ivanti Connect Secure vulnerability?
At this point, regular readers will know all about Ivanti (and a handful of other vendors of the same class of devices), from our regular analysis.
Do you know the fun things about these posts?…
At this point, regular readers will know all about Ivanti (and a handful of other vendors of the same class of devices), from our regular analysis.
Do you know the fun things about these posts?…
ServiceRadar 1.0.28 - Open Source Network Monitoring and Observability
https://ift.tt/Z1fGBbo
Submitted April 06, 2025 at 10:00AM by ChaseApp501
via reddit https://ift.tt/pfhJS1n
https://ift.tt/Z1fGBbo
Submitted April 06, 2025 at 10:00AM by ChaseApp501
via reddit https://ift.tt/pfhJS1n
New attack vector on AI toolchains: Tool Poisoning in MCPs (Machine Code Models)
https://ift.tt/HxczY6O
Submitted April 07, 2025 at 04:49AM by VonNaturAustreVe
via reddit https://ift.tt/Y0ZrcTa
https://ift.tt/HxczY6O
Submitted April 07, 2025 at 04:49AM by VonNaturAustreVe
via reddit https://ift.tt/Y0ZrcTa
invariantlabs.ai
MCP Security Notification: Tool Poisoning Attacks
We have discovered a critical vulnerability in the Model Context Protocol (MCP) that allows for
[CVE-2025-32101] UNA CMS <= 14.0.0-RC4 PHP Object Injection
https://ift.tt/wN9PHKz
Submitted April 07, 2025 at 09:02PM by eg1x
via reddit https://ift.tt/V45PWDe
https://ift.tt/wN9PHKz
Submitted April 07, 2025 at 09:02PM by eg1x
via reddit https://ift.tt/V45PWDe
Karmainsecurity
UNA CMS <= 14.0.0-RC4 (BxBaseMenuSetAclLevel.php) PHP Object Injection Vulnerability | Karma(In)Security
This is the personal website of Egidio Romano, a very curious guy from Sicily, Italy. He's a computer security enthusiast, particularly addicted to webapp security.
Dependency Injection for Artificial Intelligence (DI4AI)
https://ift.tt/qKy6grH
Submitted April 08, 2025 at 04:25PM by FoxInTheRedBox
via reddit https://ift.tt/v617P2z
https://ift.tt/qKy6grH
Submitted April 08, 2025 at 04:25PM by FoxInTheRedBox
via reddit https://ift.tt/v617P2z