Daily Security News - 2020.11.12

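Disclaimer: All content in this article is for learning and research purposes only and must not violate the Cybersecurity Law, the Criminal Law, or other relevant requirements; in particular, distributing it or using it for malicious purposes is prohibited. By viewing this article you are deemed to accept these terms; otherwise you bear the responsibility yourself.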

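Today's highlights: Microsoft Exchange Server ExportExchangeCertificate WriteCertiricate file write remote code execution vulnerability, Microsoft SharePoint Server TOCTOU ControlParameter binding information disclosure vulnerability, a Python code-audit 0day (pgadmin4) combo in penetration testing, from a mini program to a server shell, DOMPurify < 2.2.2 bypass, and more.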

【Malware】
1、A new skimmer uses WebSockets and a fake credit card form to steal sensitive data
https://blogs.akamai.com/2020/11/a-new-skimmer-uses-websockets-and-a-fake-credit-card-form-to-steal-sensitive-data.html

【Vulnerability Analysis】
2、Microsoft Exchange Server ExportExchangeCertificate WriteCertiricate File Write Remote Code Execution Vulnerability (CVE-2020-17083)
https://srcincite.io/pocs/cve-2020-17083.ps1.txt

3、Microsoft SharePoint Server TOCTOU ControlParameter Binding Information Disclosure Vulnerability (CVE-2020-17017)
https://srcincite.io/pocs/cve-2020-17017.py.txt

4、Firefox Vulnerability Research Part 2

5、Exploring the Exploitability of “Bad Neighbor”: The Recent ICMPv6 Vulnerability (CVE-2020-16898)

【Technical Sharing】
6、A Python code-audit 0day (pgadmin4) combo in penetration testing

7、From a mini program to a server shell
https://xz.aliyun.com/t/8489

8、From SVG and back, yet another mutation XSS via namespace confusion for DOMPurify < 2.2.2 bypass

9、Intel Converged Security and Management Engine (Intel CSME) Security White Paper

#Tools# XPCSniffer will dump XPC information to a file and the console.