CVE-2022-46146 in Prometheus' exporter toolkit: bypass basic authentication
CVE-2022-44635: Apache Fineract allowed an authenticated user to perform remote code execution due to path traversal
OSINT and Cybersecurity accounts in Mastodon
Feel free to add yourself to this GitHub repository
Developers of OSINT tools
OSINT books authors
Cybersecurity tools creators
CVE-2022-45462: Apache DolphinScheduler prior to 2.0.5 have command execution vulnerability
CVE-2022-41131: Apache Airflow Hive Provider vulnerability (command injection via hive_cli connection)
CVE-2022-40954: Apache Airflow Spark Provider, Apache Airflow: Airflow 2.3.4 spark provider RCE that bypass restrictions to re…
CVE-2022-40189: Apache Airflow Pig Provider RCE
CVE-2022-45470: Apache Hama allows XSS and information disclosure
CVE-2022-45047: Apache MINA SSHD: Java unsafe deserialization vulnerability
Here's a neat #Mastodon trick I just discovered:
You can access an RSS feed of any user's posts simply by adding .rss onto the end of their profile URL — so, for instance:
You can then use that link to follow all of that person's posts in Feedly, Feedbin, or any other RSS reading service.
Heck, you can even do it directly in #Chrome, if you want!
Abusing Wi-Fi to localize someone's devices inside their room. Attacker spoofs beacons to pretend there's buffered traffic for all clients. Every client will request this traffic and thereby reveal their MAC address. Fake frames are sent to the victim and the time-of-flight of the response (here the response is an acknowledgement frame) is used for localization.
Free PDF access: https://randompaper1234.tiiny.site/
Official paper website: https://dl.acm.org/doi/abs/10.1145/3495243.3560530
This can be done from cheap drones. They used an ultra-light DJI mini 2 drone with two lightweight Wi-Fi chips: an ESP8266 & ESP32. Idea is that you can now "look inside a room" and learn where devices are located. For instance, you can learn the location of Wi-Fi security cameras.
CVE-2022-40127: RCE in Apache Airflow <2.4.0 bash example
CVE-2022-45378: Apache SOAP allows unauthenticated users to potentially invoke arbitrary code
CVE-2022-45136: JDBC Deserialisation in Apache Jena SDB
CVE-2022-40308: Apache Archiva prior to 2.2.9 may allow the anonymous user to read arbitrary files
🎉 #Mastodon 4.0 is out now! This server software update includes a ton of improvements, like following hashtags, translating posts, editing, an improved filtering system, customizable user roles for administration, but also some important security fixes.
Check out the full changelog:
Music, open source, offensive security, reverse engineering and applied machine learning.