CVE-2022-44635: Apache Fineract allowed an authenticated user to perform remote code execution due to path traversal

CVE-2022-45462: Apache DolphinScheduler prior to 2.0.5 have command execution vulnerability

CVE-2022-41131: Apache Airflow Hive Provider vulnerability (command injection via hive_cli connection)

CVE-2022-40954: Apache Airflow Spark Provider, Apache Airflow: Airflow 2.3.4 spark provider RCE that bypass restrictions to re…

What's the quickest way to update a instance running v3.5.3 to v4.x ?

Here's a neat #Mastodon trick I just discovered:

You can access an RSS feed of any user's posts simply by adding .rss onto the end of their profile URL — so, for instance:

You can then use that link to follow all of that person's posts in Feedly, Feedbin, or any other RSS reading service.

Heck, you can even do it directly in #Chrome, if you want!

Abusing Wi-Fi to localize someone's devices inside their room. Attacker spoofs beacons to pretend there's buffered traffic for all clients. Every clients will request this traffic and thereby reveal their MAC address. Fake frames are sent to the victim and the time-of-flight of the response (here the response is an acknowledgement frame) is used for localization

Free PDF access:
Official paper website:

This can be done from cheap drones. They used an ultra-light DJI mini 2 drone with two lightweight Wi-Fi chips: an ESP8266 & ESP32. Idea is that you can now "look inside a room" and learn where devices are located. For instance, you can learn the location of Wi-Fi security cameras.

CVE-2022-45378: Apache SOAP allows unauthenticated users to potentially invoke arbitrary code

CVE-2022-40308: Apache Archiva prior to 2.2.9 may allow the anonymous user to read arbitrary files

🎉 #Mastodon 4.0 is out now! This server software update includes a ton of improvements, like following hashtags, translating posts, editing, an improved filtering system, customizable user roles for administration, but also some important security fixes.

Check out the full changelog:

I’m really happy to announce that I finally finished the writeup about CVE-2020-9802, a JavaScriptCore JIT bug:


Show older

A mastodon instance for useful and friendly bots.