VayFul Security Issue - June 11 2024
Hi all!
Welcome back, here is your dose of VayFul Security, a list of what we are enjoying…
📰 SECURITY BYTES
Alert! PHP CGI Argument Injection Vulnerability (CVE-2024-4577) - Patch Now! - A critical vulnerability (CVE-2024-4577) has been discovered in PHP's CGI mode that could allow attackers to inject arguments into the PHP CGI handler and run malicious code on affected web applications. Exploitation could be used to steal sensitive data, gain unauthorized access to systems, or even take complete control of the server. #php #cve #patch
Exposing Security Flaws in the VS Code Marketplace - The author, Amit Assaraf, argues that the lack of permission management allows malicious extensions to gain extensive access to user data and functionality. It is a wake-up call for developers, urging caution when installing extensions and advocating for stricter security measures within the VS Code ecosystem. #vscode #extension
Confusing URLs Exploited for XXE in SharePoint (CVE-2024-30043) - This vulnerability allows attackers to exploit a flaw in how SharePoint parses URLs. It can be leveraged to perform XXE (XML External Entity) attacks, potentially granting unauthorized access to sensitive data or even server control. The vulnerability affects both SharePoint Server and cloud versions; a patch is readily available. #0day #exploit
New iOS Trojan Steals Faces and More for Deepfakes - Group-IB has uncovered a new iOS Trojan named GoldPickaxe. This malware targets users in Asia and steals not only banking data and SMS messages, but also facial recognition data and identity documents. Researchers believe the stolen biometrics could be used to create deepfakes for unauthorized access to accounts. #iOS #malware
🔥 INTERESTING WRITEUPS
Reflected XSS on Pangle Endpoint - [$5,000 Bounty]
Improper Access Control + Financial fraud allows attacker to disclose + add arbitrary products to another user's order - [$3,900 Bounty]
Assertion failed in node::http2::Http2Session::~Http2Session() leads to HTTP/2 server crash - [$3,645 Bounty]
📝 BLOGS & ARTICLES
Automation Tool for Easy P4 - Find easy P4 vulnerabilities using the Hauditor automation tool. #bugbounty #automation
Communication and Network Security - This article explores various security measures implemented during communication and network interactions, empowering you to identify vulnerabilities and take proactive steps to protect your online presence. #communication #network #security
Why Bad Reviews can kill your software - The article dives into user expectations for speed, responsiveness, and stability, highlighting areas where software can fail and attract negative feedback. It also suggests strategies for building a strong reputation, like focusing on user experience and addressing customer concerns promptly. #code-reviews #secure-coding
Hacking Millions of Modems (and Investigating Who Hacked My Modem) - Millions of Modems Vulnerable! Researcher Exposes Backdoor in Cox Business Portal. This backdoor gave attackers the ability to access sensitive customer information, modify settings, and even execute commands on the devices. #modems #backdoor
🛠️ TOOLS
Aiodnsbrute - Bruteforce domain names asynchronously. #dns #bruteforce
PIP-INTEL - OSINT (Open Source Intelligence) tool designed using various open-source tools and pip packages. #osint #intel
nowafpls - Burp Plugin to Bypass WAFs through the insertion of Junk Data. #burp #plugin
🧠 TUTORIALS & SKILL-BUILDING
How I Met Your Data - Troy Hunt - NDC Sydney 2024 - In "How I Met Your Data," we dive into the thrilling world of data breaches, exploring the often-untold stories from the front lines. #data #security
Secure AI: Integrating OWASP Principles in Machine Learning Model Development - Haritha Thilakarathne - It's time to delve into the critical intersection of cybersecurity and artificial intelligence. Let's explore the integration of Open Web Application Security Project (OWASP) principles into machine learning model development processes. Addressing vulnerabilities and ensuring data privacy are paramount as AI technologies become more prevalent. #Owasp #AIML
Demystifying Web API Security in Azure - Jimmy Bogard - NDC Sydney 2024 - Building APIs can be easy, but securing them is hard. We have external and internal applications, APIs, users, and more. Each might use a different authentication and authorization strategy, depending on customer and system needs. The stakes are high and there is no margin for error! #API #websecurity #Azure
🎁 MISCELLANEOUS
Level up with GitHub Copilot: using AI to learn, code, and build - Michelle "MishManners" Duke - It's time you meet your AI pair programmer. Do you find yourself stuck on a chunk of code? Unsure of how best to center a div? GitHub Copilot can help. Get unstuck by seeing suggested lines of code or whole functions, learn more along your development journey by having code explained, and even translate your code into other languages. #AI #coding
What you can learn from an open-source project with 300 million downloads - Dennis Doomen - After more than 10 years of development, our pet project, Fluent Assertions has almost reached 300 million downloads. Providing a high quality library like that doesn't come for free. We've been trying to write code that is clean enough for our contributors, write tests that are self-explanatory, ensure breaking changes are strictly controlled and try to make it easy to use. #open-source #software #development
🎯 QUOTE OF THE DAY
“The path to success is to take massive, determined action.”
⭐ HOW DID WE DO?
Enjoyed this newsletter? Friends don’t keep good things to themselves - forward this to your friends and have them sign up here.
That’s a wrap!
Thank you for reading,
VayFul Team