每日安全资讯-2020.10.22

声明:本文所有内容仅用于学习和研究目的,且不能违反《网络安全法》、《刑法》等相关要求,尤其禁止传播,或用于非善良目的。您查看本文,即视为遵守以上约定,否则责任自负。

今日导读:Citrix Gateway插件中的多个提权漏洞、GitHub Pages-通过不安全的Kramdown配置的多个RCE、weblogic jndi注入绕过分析复现、在基于Symfony的网站上远程执行代码、从某IM软件RCE漏洞看供应链安全、对HW期间遇到的禅道系统深入挖掘等。

【病毒区】
1、Life of Maze ransomware

【漏洞分析区】
2、Gateway2Hell – Multiple Privilege Escalation Vulnerabilities in Citrix Gateway Plug-In

3、GitHub Pages - Multiple RCEs via insecure Kramdown configuration - $25,000 Bounty

4、CVE-2020-17365 – Hotspot Shield VPN New Privilege Escalation Vulnerability

5、CVE-2020-16938 is a vulnerability that allows you to get unrestricted file read capabilities on the entire disk as unprivileged user.

6、Multiple Address Bar Spoofing Vulnerabilities In Mobile Browsers

7、CVE-2020-15157 “ContainerDrip” Write-up

8、Major Vulnerabilities Discovered in Qualcomm QCMAP

9、RCE in Discord Desktop App via CVE-2020-15174

10、cve 2020-14841 weblogic jndi注入绕过分析复现 附POC

【技术分享区】
11、GitHub Gist - Account takeover via open redirect - $10,000 Bounty

12、Secret fragments: Remote code execution on Symfony based websites

13、AssaultCube RCE: Technical Analysis

14、Firefox Vulnerability Research

15、疫情之下,从某IM软件RCE漏洞看供应链安全
https://www.anquanke.com/post/id/220159

16、对HW期间遇到的禅道系统深入挖掘

17、记一次授权测试到顺手挖一个0day

18、Exploiting Android deep links and exported components

#工具#FinSpy-for-Android:FinSpy for Android technical analysis and tools