Full Disclosure Mailing List

• Current Month
• RSS Feed
• About List
• All Lists

A public, vendor-neutral forum for detailed discussion of vulnerabilities and exploitation techniques, as well as tools, papers, news, and events of interest to the community. The relaxed atmosphere of this quirky list provides some comic relief and certain industry gossip. More importantly, fresh vulnerabilities sometimes hit this list many hours or days before they pass through the Bugtraq moderation queue.

List Archives

• Jan
• Feb
• Mar
• Apr
• May
• Jun
• Jul
• Aug
• Sep
• Oct
• Nov
• Dec
• 2024
• 75
• 25
• 44
• 29
• 37
• 5
• –
• –
• –
• –
• –
• –
• 2023
• 29
• 17
• 27
• 14
• 28
• 10
• 52
• 33
• 21
• 32
• 15
• 30
• 2022
• 91
• 57
• 63
• 54
• 48
• 57
• 27
• 17
• 30
• 52
• 26
• 32
• 2021
• 84
• 93
• 81
• 77
• 81
• 60
• 72
• 39
• 59
• 79
• 56
• 50
• 2020
• 52
• 36
• 57
• 63
• 60
• 35
• 37
• 24
• 55
• 34
• 45
• 60
• 2019
• 71
• 54
• 64
• 41
• 52
• 49
• 40
• 37
• 45
• 59
• 34
• 37
• 2018
• 102
• 84
• 79
• 61
• 73
• 46
• 95
• 53
• 57
• 54
• 69
• 56
• 2017
• 99
• 103
• 91
• 113
• 108
• 52
• 95
• 58
• 98
• 71
• 51
• 89
• 2016
• 100
• 128
• 97
• 93
• 75
• 79
• 89
• 139
• 85
• 103
• 162
• 88
• 2015
• 134
• 101
• 165
• 115
• 133
• 112
• 126
• 86
• 121
• 115
• 111
• 129
• 2014
• 194
• 273
• 434
• 325
• 213
• 173
• 167
• 89
• 115
• 135
• 103
• 138
• 2013
• 282
• 162
• 290
• 263
• 227
• 259
• 277
• 303
• 187
• 294
• 222
• 224
• 2012
• 611
• 477
• 390
• 382
• 323
• 428
• 394
• 393
• 210
• 277
• 236
• 280
• 2011
• 580
• 687
• 439
• 561
• 572
• 565
• 367
• 393
• 370
• 995
• 466
• 511
• 2010
• 637
• 502
• 564
• 452
• 408
• 631
• 417
• 445
• 414
• 523
• 342
• 696
• 2009
• 979
• 380
• 465
• 318
• 282
• 291
• 550
• 455
• 421
• 339
• 386
• 502
• 2008
• 615
• 496
• 600
• 821
• 681
• 403
• 591
• 557
• 639
• 531
• 739
• 634
• 2007
• 593
• 629
• 573
• 744
• 555
• 661
• 662
• 530
• 709
• 935
• 582
• 641
• 2006
• 992
• 740
• 1865
• 865
• 789
• 1058
• 770
• 771
• 578
• 678
• 545
• 493
• 2005
• 927
• 676
• 950
• 654
• 678
• 437
• 766
• 1078
• 890
• 677
• 1065
• 1531
• 2004
• 1358
• 1534
• 1499
• 1153
• 1451
• 1031
• 1370
• 1314
• 1091
• 1174
• 1424
• 731
• 2003
• 505
• 405
• 296
• 500
• 421
• 890
• 1251
• 1942
• 1763
• 1806
• 1123
• 782
• 2002
• –
• –
• –
• –
• –
• –
• 314
• 835
• 684
• 381
• 454
• 313

Latest Posts

CyberDanube Security Research 20240604-0 | Multiple Vulnerabilities in utnserver Pro/ProMAX/INU-100 Thomas Weber via Fulldisclosure (Jun 09)
CyberDanube Security Research 20240604-0
-------------------------------------------------------------------------------
title| Multiple Vulnerabilities
product| SEH utnserver Pro/ProMAX / INU-100
vulnerable version| 20.1.22
fixed version| 20.1.28
CVE number| CVE-2024-5420, CVE-2024-5421, CVE-2024-5422
impact| High
homepage| https://www.seh-technology.com/...

SEC Consult SA-20240606-0 :: Multiple critical vulnerabilities in Kiuwan SAST on-premise (KOP) & cloud/SaaS & Kiuwan Local Analyzer (KLA) SEC Consult Vulnerability Lab via Fulldisclosure (Jun 09)
SEC Consult Vulnerability Lab Security Advisory < 20240606-0 >
=======================================================================
title: Multiple critical vulnerabilities
product: Kiuwan SAST on-premise (KOP) & cloud/SaaS
Kiuwan Local Analyzer (KLA)
vulnerable version: Kiuwan SAST <2.8.2402.3
Kiuwan Local Analyzer <master.1808.p685.q13371...

Blind SQL Injection - fengofficev3.11.1.2 Andrey Stoykov (Jun 09)
# Exploit Title: FengOffice - Blind SQL Injection
# Date: 06/2024
# Exploit Author: Andrey Stoykov
# Version: 3.11.1.2
# Tested on: Ubuntu 22.04
# Blog:
https://msecureltd.blogspot.com/2024/05/friday-fun-pentest-series-6.html

Steps to Reproduce:

1. Login to application
2. Click on "Workspaces"
3. Copy full URL
4. Paste the HTTP GET request into text file
5. Set the injection point to be in the "dim" parameter...

Trojan.Win32.DarkGateLoader (multi variants) / Arbitrary Code Execution malvuln (Jun 09)
Discovery / credits: Malvuln (John Page aka hyp3rlinx) (c) 2024
Original source:
https://malvuln.com/advisory/afe012ed0d96abfe869b9e26ea375824.txt
Contact: malvuln13 () gmail com
Media: x.com/malvuln

Threat: Trojan.Win32.DarkGateLoader (multi variants)
Vulnerability: Arbitrary Code Execution
Description: Multiple variants of this malware look for and execute
x32-bit "urlmon.dll" PE file in its current directory. Therefore, we
can...

SQL Injection Vulnerability in Boelter Blue System Management (version 1.3) InfoSec-DB via Fulldisclosure (Jun 09)
Exploit Title: SQL Injection Vulnerability in Boelter Blue System Management (version 1.3)
Google Dork: inurl:"Powered by Boelter Blue"
Date: 2024-06-04
Exploit Author: CBKB (DeadlyData, R4d1x)
Vendor Homepage: https://www.boelterblue.com
Software Link: https://play.google.com/store/apps/details?id=com.anchor5digital.anchor5adminapp&hl=en_US
Version: 1.3
Tested on: Linux Debian 9 (stretch), Apache 2.4.25, MySQL >= 5.0.12
CVE:...

CyberDanube Security Research 20240528-0 | Multiple Vulnerabilities in ORing IAP-420 Thomas Weber via Fulldisclosure (May 29)
CyberDanube Security Research 20240528-0
-------------------------------------------------------------------------------
title| Multiple Vulnerabilities
product| ORing IAP-420
vulnerable version| 2.01e
fixed version| -
CVE number| CVE-2024-5410, CVE-2024-5411
impact| High
homepage| https://oringnet.com/
found| 2024-01-19
by| T. Weber...

HNS-2024-06 - HN Security Advisory - Multiple vulnerabilities in Eclipse ThreadX Marco Ivaldi (May 29)
Hi,

Please find attached a security advisory that describes multiple
vulnerabilities we discovered in Eclipse ThreadX (aka Azure RTOS).

* Title: Multiple vulnerabilities in Eclipse ThreadX
* OS: Eclipse ThreadX < 6.4.0
* Author: Marco Ivaldi <marco.ivaldi () hnsecurity it>
* Date: 2024-05-28
* CVE IDs and severity:
* CVE-2024-2214 - High - 7.0 - CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H
* CVE-2024-2212 - High - 7.3 -...

SEC Consult SA-20240527-0 :: Multiple vulnerabilities in HAWKI didactic interface SEC Consult Vulnerability Lab via Fulldisclosure (May 27)
SEC Consult Vulnerability Lab Security Advisory < 20240527-0 >
=======================================================================
title: Multiple vulnerabilities
product: HAWKI (Interaction Design Team at the University of Applied
Sciences and Arts in Hildesheim/Germany)
vulnerable version: 1.0.0-beta.1, versions before commit 146967f
    fixed version: Github commit 146967f...

SEC Consult SA-20240524-0 :: Exposed Serial Shell on multiple PLCs in Siemens CP-XXXX Series SEC Consult Vulnerability Lab via Fulldisclosure (May 27)
SEC Consult Vulnerability Lab Security Advisory < 20240524-0 >
=======================================================================
title: Exposed Serial Shell on multiple PLCs
product: Siemens CP-XXXX Series (CP-2014, CP-2016, CP-2017, CP-2019, CP-5014)
vulnerable version: All hardware revisions
fixed version: Hardware is EOL, no fix
CVE number: -
impact: Low...

SEC Consult SA-20240522-0 :: Broken access control & API Information Exposure in 4BRO App SEC Consult Vulnerability Lab via Fulldisclosure (May 23)
SEC Consult Vulnerability Lab Security Advisory < 20240522-0 >
=======================================================================
title: Broken access control & API Information Exposure
product: 4BRO App
vulnerable version: before 2024-04-17
fixed version: 2024-04-17
CVE number: -
impact: Critical
homepage: https://www.4bro.de
found: 2023-05-07...

[CFP] Security BSides Ljubljana 0x7E8 | September 27, 2024 Andraz Sraka (May 23)
MMMMMMMMMMMMMMMMNmddmNMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMM
MMN..-..--+MMNy:...-.-/yNMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMM
MMy..ymd-.:Mm::-:osyo-..-mMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMM
MM:..---.:dM/..+NNyyMN/..:MMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMM
Mm../dds.-oy.-.dMh--mMds++MMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMM
My:::::/ydMmo..-hMMMmo//omMs/+Mm+++++shNMN+//+//+oMNy+///ohM
MMMs//yMNo+hMh---m:-:hy+sMN..+Mo..os+.-:Ny--ossssdN-.:yyo+mM...

asterisk release 20.8.1 Asterisk Development Team via Fulldisclosure (May 20)
The Asterisk Development Team would like to announce security release
Asterisk 20.8.1.

The release artifacts are available for immediate download at
https://github.com/asterisk/asterisk/releases/tag/20.8.1
and
https://downloads.asterisk.org/pub/telephony/asterisk

Repository: https://github.com/asterisk/asterisk
Tag: 20.8.1

## Change Log for Release asterisk-20.8.1

### Links:

- [Full ChangeLog](...

asterisk release 21.3.1 Asterisk Development Team via Fulldisclosure (May 20)
The Asterisk Development Team would like to announce security release
Asterisk 21.3.1.

The release artifacts are available for immediate download at
https://github.com/asterisk/asterisk/releases/tag/21.3.1
and
https://downloads.asterisk.org/pub/telephony/asterisk

Repository: https://github.com/asterisk/asterisk
Tag: 21.3.1

## Change Log for Release asterisk-21.3.1

### Links:

- [Full ChangeLog](...

asterisk release 18.23.1 Asterisk Development Team via Fulldisclosure (May 20)
The Asterisk Development Team would like to announce security release
Asterisk 18.23.1.

The release artifacts are available for immediate download at
https://github.com/asterisk/asterisk/releases/tag/18.23.1
and
https://downloads.asterisk.org/pub/telephony/asterisk

Repository: https://github.com/asterisk/asterisk
Tag: 18.23.1

## Change Log for Release asterisk-18.23.1

### Links:

- [Full ChangeLog](...

CVE-2024-34058: Nethserver 7 & 8 stored cross-site scripting (XSS) in WebTop package Andrea Intilangelo (May 20)
CVE-2024-34058: Nethserver 7 & 8 stored cross-site scripting (XSS) in WebTop package

Use CVE-2024-34058.

Additional info:

NethServer is an Open Source operating system for the Linux enthusiast, designed for small offices and medium
enterprises. From their website: "It's simple, secure and flexible" and "ready to deliver your messages, to protect
your network with the built-in firewall, share your files and much more,...

More Lists

Dozens of other network security lists are archived at SecLists.Org.