TL;DR Gogs is an open source self-hosted Git service. In the version 0.13.2 and prior, there is a stored Cross-Site Scripting (XSS) vulnerability, which allows client-side Javascript code execution. The vulnerability is caused by the usage of a vulnerable and outdated component: pdfjs-1.4.20 under public/plugins/. This issue has been fixed for gogs.io/gogs in version 0.13.3. […]
Non proverò a farvi tornare alla memoria la vostra infanzia da nerd, i primi computer o con quale software vi siete approcciati all’informatica (io non mi ricordo ad essere onesto, qualcosa come Bearshare o MSN…). Preferisco piuttosto parlare degli errori che ho fatto, cosa faccio oggi e dove spero di arrivare tra qualche anno. Buona […]
Introduction Effective cybersecurity relies not only on robust defense mechanisms but also on swift and coordinated incident response procedures. However, even well-prepared organizations can suffer critical failures if response protocols are not strictly followed. This article examines a real-world scenario where a Blue Team’s failure to act decisively during an ongoing cyberattack led to significant […]
TL;DR A Server-Side Template Injection (SSTI) vulnerability in spacy-llm <= v0.7.2 allows attackers to execute arbitrary code via injecting a crafted payload into the template field. Update spacy-llm to version v0.7.3 or later. What is spaCy spaCy is an open-source software library for advanced natural language processing (NLP), written in the programming languages Python and […]
Introduction Serialization and deserialization mechanisms are always risky operations from a security point of view. In most languages and frameworks, if an attacker is able to deserialize arbitrary input (or just corrupt it as we have demonstrated years ago with the Rusty Joomla RCE) the impact is usually the most critical: Remote Code Execution. Without […]
Introduction In the previous blog post we have covered some internal parts of the codebase that are involved in the intent registration and resolution process. In this one we are going to deepen Deep and App Link resolutions in the Android Operating System and its remote Attack Surface. Deep and App Links are data components […]
Introduction From the official Android documentation, the Intent is described as “an abstract description of an operation to be performed”. Conceptually, it can be simplified as an “intention to do something with another application” across Inter-Process Communication (IPC). One of the most interesting facility that intents offer is the implicit resolution. An application can explicitly […]
Preface. In today’s interconnected world, operational security (OPSEC) is of greater importance than ever before. OPSEC, a process traditionally associated with military and intelligence operations, has evolved into a critical component of digital security, privacy, and personal safety. However, the understanding and implementation of OPSEC procedures are often fragmented, despite its widespread usage across industries […]
PREMESSA Il 27 dicembre 2022 è stato pubblicato sulla Gazzetta Ufficiale dell’Unione Europea il Digital Operational Resilience Act (DORA), Regolamento 2022/2554, con l’obiettivo di stabilire misure e controlli per migliorare la resilienza del settore finanziario. Il Regolamento ha definito ed armonizzato i requisiti di resilienza digitale per tutto il settore finanziario europeo, disciplinando per l’ambito […]
Introduction In the previous parts of the series (Part 1 and Part 2) we have targeted the Lorex IP Camera. As discussed, we put too much effort on the initial phase without doing actual vulnerability research on it. We had few days left and another target available, the Ubiquiti AI Bullet. We are going to […]