The US Federal Energy Regulatory Commission spells out what electric utilities should do to protect their software supply chains, as well as their network "trust zones."

Source: Rudmer Zwerver via Alamy Stock Photo

Attacks targeting SolarWinds and MOVEit in recent years have spotlighted supply chain risks in cybersecurity. In the wake of recent high-profile incidents at utilities, including one last week in Kansas, the US Federal Energy Regulatory Commission (FERC) called for updating standards for supply chain safety to improve the resilience of the US bulk power system.

At its September meeting, FERC asked the energy industry consortium North American Electric Reliability Corporation (NERC) to create a better supply chain security standard for power plants. Such utilities would have to:

*   Identify supply chain risks to electrical grid-related cybersecurity systems at regular intervals.
    
*   Assess and validate the information vendors submit during procurement.
    
*   Document, track, and respond to those risks.
    

The commission also directed NERC to add protected cyber assets (PCAs) to the systems subject to this supply chain scrutiny.

**Internal Network Security Monitoring on the Docket**

At that same meeting, FERC also addressed a new reliability standard for critical infrastructure protection that mandates monitoring of network traffic inside an electronic security perimeter.

Internal network security monitoring (INSM) monitors communication between devices inside the "trust zone" of a network, providing a backstop for detecting malicious activity that slipped through the security perimeter. In addition to allowing an early warning about intrusions, this east-west visibility provides a more complete picture of the scope of an attack.

At the meeting, FERC "proposed to approve" Reliability Standard CIP-015-1 but asked NERC to extend INSM to systems outside of the electronic security perimeter, such as physical and electronic access control systems.

**About the Author**

Dark Reading

The Edge is Dark Reading's home for features, threat data and in-depth perspectives on cybersecurity.

FERC Outlines Supply Chain Security Rules for Power Plants

For development teams awash in vulnerability reports, reachability analysis can help tame the chaos and offer another path to prioritize exploitable issues.

Source: Photon Photo via Shutterstock

AI assistants are a double-edged sword for developers. On one hand, code-generation assistants have made creating barebones applications easier and led to a surge in code pushed to GitHub. Yet just as easy? Generating code with defects and vulnerabilities.

As a result, application security teams serving large development groups are seeing growing application vulnerability reports — a large portion of which are false positives. In fact, nearly a third of teams (31%) find the majority of reported vulnerabilities are false positives, according to software security firm Snyk's "2023 State of Open Source Security" report.

In the face of growing volumes of code submissions and continuing problems with false positives, application security teams are relying on reachability analysis as an important way to prioritize their remediation requests. Because only 10% to 20% of imported code is typically used by a specific application, determining whether the code is reachable by an attacker — and thus likely exploitable — can dramatically reduce the number of vulnerabilities that need to be patched, says Joseph Hejderup, technical staff member at Endor Labs, who presented on the topic at SOSS Community Day Europe 2024 in September. This makes it possible to prioritize vulnerability reports, he says.

"With software composition analysis — without looking into the code — we are essentially assuming that if you use this library, you're using all this functionality, where in reality we know that you're only using part of the library," Hejderup says. "By going down to the source code, you can see whether this particular vulnerable part of the code is used or not used."

Static application security testing (SAST) tools continue to evolve and have a proven return on investment (ROI), especially if they are used to catch software defects during development time, when the cost of fixing a bug is lower. However, false positives reduce the benefits of SAST tools and undermine developer trust in the tools.

**False Positives, Lack of Context Remain Problems**

Overall, 61% of developers believe the faster cadence of development with automation has increased the number of false positives, according to Snyk's report. For application security teams, finding ways to reduce the volume of vulnerabilities discovered in dozens or hundreds of projects into a more manageable burden is critical, says Randall Degges, head of developer relations at Snyk.

"Each of those projects has hundreds — maybe thousands of vulnerabilities — and a lot of them look scary, like these critical RCE vulnerabilities," he says. "Reachability is really a nice way to kind of calm yourself down as a security team and not stress your teams out because, if you're able to successfully filter the vulnerabilities that you see based on, 'Are they even being executed, like in our code base or not,' that's a really big benefit to security teams."

Overall, companies can reduce their remediation work by 60%, just by excluding unreachable code. One study found that, while 71% of Java applications consist of open source code, applications used only about 12% of that code.

Combining reachability with other contextual information — such as exploitability and business impact — reduces the workload even further. In an analysis of 106 million alerts from 900 organizations, or an average of about 118,000 alerts per organization, reachability analysis reduced the workload by 99.5% — or down to about 660 alerts per organization, according to application security firm OX Security.

Reporting fewer vulnerabilities back to developers can help reduce friction between the two groups, says Katie Teitler-Santullo, cybersecurity strategist with OX Security.

"A lot of the frustration happens because tools aren't able to reduce the noise and focus on the prioritization that developers need \[in order\] to move at the speed of development versus the speed of security," she says.

**Source Code Analysis or Instrumentation**

Typically, there are two approaches to reachability analysis. One is static code analysis focused on building graphs of the function calls in the applications and determining whether specific code can be executed. The determination is not always simple: A conditional statement may be executed only once in hundred or thousands calls — or never — and so application security tools have to determine whether that constitutes a threat.

Snyk, for example, errs on the side of work reduction. If there is a conditional statement, the company's tools will ignore the minor branches and just focus on the likely outcome, says Snyk's Degges.

"We look for things where we can 100% definitively trace it down there, and say that, 'Yes, this is reachable,'" he says. "The trade-off for that is that some things may be marked as not reachable, even though they are. But the benefit is that people aren't getting a bunch of false alerts."

Another approach is to instrument the application and the code, determining at runtime what functions are being executed and label that code as reachable.

Whether a vulnerability in the code can be exploited is another level of investigation. Endor Lab's Hejderup expects companies to be able to filter down to code that is reachable and provably exploitable as the next step.

"This type of more advanced, sophisticated analysis would likely be the next level within reachability analysis," he says.

**About the Author**

Veteran technology journalist of more than 20 years. Former research engineer. Written for more than two dozen publications, including CNET News.com, Dark Reading, MIT's Technology Review, Popular Science, and Wired News. Five awards for journalism, including Best Deadline Journalism (Online) in 2003 for coverage of the Blaster worm. Crunches numbers on various trends using Python and R. Recent reports include analyses of the shortage in cybersecurity workers and annual vulnerability trends.

Reachability Analysis Pares Down Static Security-Testing Overload

NOYB, a European privacy group has filed a complaint with Austrian authorities, alleging that Mozilla breached GDPR by…

NOYB, a European privacy group has filed a complaint with Austrian authorities, alleging that Mozilla breached GDPR by enabling “Privacy Preserving Attribution” (PPA), a tracking feature in Firefox, by default without user consent.

The European Center for Digital Rights (NOYB) based in Vienna, Austria has lodged a formal complaint against Mozilla, accusing the company of turning its Firefox browser into a “tracking tool” through the introduction of a privacy feature known as Privacy Preserving Attribution (PPA).

In **July 2024**, Mozilla included the PPA feature in its Firefox update version 128.0. According to Mozilla, PPA is intended to help advertisers understand ad effectiveness without allowing individual websites to collect personal user data. Instead, Firefox itself aggregates ad interaction data on behalf of users before passing this information to advertisers. Mozilla presents this as a balanced solution that maintains user privacy while meeting advertising needs.

However, NOYB sees it differently. The advocacy group claims that PPA effectively turns Firefox into a tool that enables tracking, simply moving the data collection from websites to the browser itself.

According to NOYB’s **report**, the PPA feature violates users’ rights under the European Union’s General Data Protection Regulation (**GDPR**), as it involves data processing without obtaining explicit user consent.

****Concerns Over Default Activation and Lack of Transparency****

NOYB’s main criticism is directed at Mozilla’s implementation of PPA. The feature was enabled by default without notifying users or seeking their consent, making it an opt-out rather than an opt-in system.

NOYB compares this approach to Google’s controversial **Privacy Sandbox**, which also faced criticism for centralizing user tracking within the browser. Felix Mikolasch, a data protection lawyer at NOYB, remarked, “Mozilla has just bought into the narrative that the advertising industry has a right to track users by turning Firefox into an ad measurement tool.”

According to the organization, the alleged lack of transparency has further alarmed privacy advocates, as users were neither informed about the feature nor given the opportunity to decide whether they wanted to participate. Mikolasch added, “It’s a shame that an organization like Mozilla believes that users are too dumb to say yes or no. Users should be able to make a choice, and the feature should have been turned off by default.”

Mozilla has long been **recognized as a privacy-focused company,** particularly as other popular browsers have been criticized for invasive data collection practices. This recent move, however, has called that reputation into question. PPA, while potentially less invasive compared to third-party cookies, nonetheless involves tracking that most users are unaware of, which has led NOYB to demand regulatory scrutiny.

****How to Disable Privacy Preserving Attribution in Firefox Browser?****

For users wanting to disable Privacy Preserving Attribution, Mozilla has **provided** an opt-out process that requires navigating Firefox settings:

*   Click the **menu button** and select **Settings**.
*   Navigate to the **Privacy & Security** section.
*   Under **Website Advertising Preferences**, uncheck the box labeled **“Allow websites to perform privacy-preserving ad measurement”**.

Nevertheless, NOYB has filed a complaint with the Austrian Data Protection Authority (Available **here** (PDF) in English), asking them to investigate Mozilla’s behaviour. The advocacy group demands that Mozilla switch the feature to an opt-in system and properly inform users about the data collection. Moreover, NOYB insists that Mozilla should delete any data processed without proper user consent.

1.  **Avast Fined Millions for Selling User Browsing Data**
2.  **Why Browser Security Matters More Than You Think**
3.  **Apple Safari Safest, Google Chrome Riskiest Browser**
4.  **Mullvad VPN and Tor Project Release Mullvad Browser**
5.  **How much does a data breach cost? + How to prevent it**

Mozilla Faces GDPR Complaint Over New Firefox Tracking Feature

### Summary
A user with the `editmyprivateinfo` right or who can otherwise change their name can XSS themselves by setting their "real name" to an XSS payload.

### Details
Here's the offending line:
https://github.com/StarCitizenTools/mediawiki-skins-Citizen/blob/d45c3d69f30863f622f16eb40dd41d3ca943454a/includes/Components/CitizenComponentUserInfo.php#L137

This was introduced in 717d16af35b10dab04d434aefddbf991fc8c168c

### PoC
1. Login
2. Go to Special:Preferences
3. Set the real name field to a string like `<script>alert("Admin with a propensity for self-XSSes")</script>`
4. Save your settings and use Citizen if it's not being used already

![](https://github.com/user-attachments/assets/22adbb70-fcd7-4f81-8e53-1f5f3a730270)

### Impact
Any user who can change their name (whether it's through the editmyprivateinfo right or through other means) can add XSS payloads that trigger for themselves only. 

**Exploitability Metrics**

Attack Vector: This metric reflects the context by which vulnerability exploitation is possible. This metric value (and consequently the resulting severity) will be larger the more remote (logically, and physically) an attacker can be in order to exploit the vulnerable system. The assumption is that the number of potential attackers for a vulnerability that could be exploited from across a network is larger than the number of potential attackers that could exploit a vulnerability requiring physical access to a device, and therefore warrants a greater severity.

Attack Complexity: This metric captures measurable actions that must be taken by the attacker to actively evade or circumvent existing built-in security-enhancing conditions in order to obtain a working exploit. These are conditions whose primary purpose is to increase security and/or increase exploit engineering complexity. A vulnerability exploitable without a target-specific variable has a lower complexity than a vulnerability that would require non-trivial customization. This metric is meant to capture security mechanisms utilized by the vulnerable system.

Attack Requirements: This metric captures the prerequisite deployment and execution conditions or variables of the vulnerable system that enable the attack. These differ from security-enhancing techniques/technologies (ref Attack Complexity) as the primary purpose of these conditions is not to explicitly mitigate attacks, but rather, emerge naturally as a consequence of the deployment and execution of the vulnerable system.

Privileges Required: This metric describes the level of privileges an attacker must possess prior to successfully exploiting the vulnerability. The method by which the attacker obtains privileged credentials prior to the attack (e.g., free trial accounts), is outside the scope of this metric. Generally, self-service provisioned accounts do not constitute a privilege requirement if the attacker can grant themselves privileges as part of the attack.

User interaction: This metric captures the requirement for a human user, other than the attacker, to participate in the successful compromise of the vulnerable system. This metric determines whether the vulnerability can be exploited solely at the will of the attacker, or whether a separate user (or user-initiated process) must participate in some manner.

**Vulnerable System Impact Metrics**

Confidentiality: This metric measures the impact to the confidentiality of the information managed by the VULNERABLE SYSTEM due to a successfully exploited vulnerability. Confidentiality refers to limiting information access and disclosure to only authorized users, as well as preventing access by, or disclosure to, unauthorized ones.

Integrity: This metric measures the impact to integrity of a successfully exploited vulnerability. Integrity refers to the trustworthiness and veracity of information. Integrity of the VULNERABLE SYSTEM is impacted when an attacker makes unauthorized modification of system data. Integrity is also impacted when a system user can repudiate critical actions taken in the context of the system (e.g. due to insufficient logging).

Availability: This metric measures the impact to the availability of the VULNERABLE SYSTEM resulting from a successfully exploited vulnerability. While the Confidentiality and Integrity impact metrics apply to the loss of confidentiality or integrity of data (e.g., information, files) used by the system, this metric refers to the loss of availability of the impacted system itself, such as a networked service (e.g., web, database, email). Since availability refers to the accessibility of information resources, attacks that consume network bandwidth, processor cycles, or disk space all impact the availability of a system.

**Subsequent System Impact Metrics**

Confidentiality: This metric measures the impact to the confidentiality of the information managed by the SUBSEQUENT SYSTEM due to a successfully exploited vulnerability. Confidentiality refers to limiting information access and disclosure to only authorized users, as well as preventing access by, or disclosure to, unauthorized ones.

Integrity: This metric measures the impact to integrity of a successfully exploited vulnerability. Integrity refers to the trustworthiness and veracity of information. Integrity of the SUBSEQUENT SYSTEM is impacted when an attacker makes unauthorized modification of system data. Integrity is also impacted when a system user can repudiate critical actions taken in the context of the system (e.g. due to insufficient logging).

Availability: This metric measures the impact to the availability of the SUBSEQUENT SYSTEM resulting from a successfully exploited vulnerability. While the Confidentiality and Integrity impact metrics apply to the loss of confidentiality or integrity of data (e.g., information, files) used by the system, this metric refers to the loss of availability of the impacted system itself, such as a networked service (e.g., web, database, email). Since availability refers to the accessibility of information resources, attacks that consume network bandwidth, processor cycles, or disk space all impact the availability of a system.

GHSA-62r2-gcxr-426x:  starcitizentools/citizen-skin vulnerable to stored, self-XSS in the "real name" field

### Impact

basic-auth-connect <1.1.0 uses a timing-unsafe equality comparison that can leak timing information

### Patches

this issue has been fixed in basic-auth-connect 1.1.0

### References


GHSA-7p89-p6hx-q4fw: basic-auth-connect's callback uses time unsafe string comparison

Using a crafted POST request, an unprivileged, registered user is able to retrieve information about other users' personal system profiles. 

### Impact
Disclosure of private system profiles: Platform, OS, OS version, Description.

### Patches
Work in progress

### Workarounds
None

### References
https://mantisbt.org/bugs/view.php?id=34640


GHSA-h5q3-fjp4-2x7r: MantisBT vulnerable to information disclosure with user profiles

Microsoft warns that ransomware group Storm-0501 has shifted from buying initial access to leveraging weak credentials to gain on-premises access before moving laterally to the cloud.

Source: Vitali Gulenok via Alamy Stock Photo

Adversaries have caught on to the complexity that cybersecurity teams face in securing hybrid cloud environments — the latest of which is a particularly odious group tracked as "Storm-0501," a cash-grab operation that regularly targets the most vulnerable organizations, including schools, hospitals, and law enforcement across the US.

Storm-0501 has been around since 2021, according to a new report from Microsoft Threat Intelligence, operating as affiliates of a variety of ransomware-as-a-service (RaaS) strains including BlackCat/ALPHV, LockBit, and Embargo.

Notably, Microsoft has observed a shift in approach by the ransomware group. Once reliant on buying initial access from brokers, Storm-0501 has more recently found success exploiting hybrid cloud environments with weak passwords and overprivileged accounts. They first crack into the on-premises environment at a target, then pivot to burrow into the cloud, as seen in one campaign that successfully targeted Entra ID credentials.

**Microsoft Entra Connect Credential Crack**

The Microsoft team detailed a recent attack from Storm-0501 threat actors that used compromised credentials to access Microsoft Entra ID (formerly Azure AD). This on-premises Microsoft application is responsible for synching passwords and other sensitive data between objects in Active Directory and Entra ID, which essentially allows a user to sign in to both on-premises and cloud environments using the same credentials.

Once Storm-0501 was able to move laterally into the cloud, it was able to tamper with and exfiltrate data, set up persistent backdoor access, and deploy ransomware, the report warned.

"We can assess with high confidence that in the recent Storm-0501 campaign, the threat actor specifically located Microsoft Entra Connect Sync servers and managed to extract the plain text credentials of the Microsoft Entra Connect cloud and on-premises sync accounts," Microsoft reported. "Following the compromise of the cloud Directory Synchronization Account, the threat actor can authenticate using the clear-text credentials and get an access token to Microsoft Graph."

From there, an attacker can freely change the Microsoft Entra ID passwords of any hybrid, synced account.

But that's not the only way these slippery cybercriminals have found to vault from a compromised Entra ID account into the cloud. The second strategy is more complicated, as Microsoft detailed, and relied on breaching a domain admin account with a correlating Entra ID that is designated with global admin permissions. Additionally, the account needs to have multifactor authentication (MFA) disabled for the attackers to be successful.

"It is important to mention that the sync service is unavailable for administrative accounts in Microsoft Entra, hence the passwords and other data are not synced from the on-premises account to the Microsoft Entra account in this case," Microsoft said. "However, if the passwords for both accounts are the same, or obtainable by on-premises credential theft techniques (i.e. Web browsers' passwords store), then the pivot is possible."

Once it was in, Storm-0501 got busy setting up persistent backdoor access for later, working to achieve network control, and ensuring lateral movement to the cloud, Microsoft reported. Once that was done, they exfiltrated the files they wanted and deployed Embargo ransomware across the entire organization.

"In the cases observed by Microsoft, the threat actor leveraged compromised Domain Admin accounts to distribute the Embargo ransomware via a scheduled task named 'SysUpdate' that was registered via GPO on the devices in the network," according to the Microsoft report.

The two separate versions of attacks against Microsoft's Entra ID application demonstrate that cybercriminals of opportunity have focused in on hybrid cloud environments, and their big, fat attack surfaces, as easy wins.

**Securing the Hybrid Cloud Against Storm-0501 Attacks**

"As hybrid cloud environments become more prevalent, the challenge of securing resources across multiple platforms grows ever more critical for organizations," Microsoft's Threat Intel team warned.

Enterprise cybersecurity teams can achieve this by continuing to move toward a zero-trust framework, according to a statement from Patrick Tiquet, vice president, security and architecture, at Keeper Security.

"This model restricts access based on continuous verification, ensuring that users only have access to the resources essential for their specific roles, minimizing exposure to malicious actors," Tiquet explained via email. "Weak credentials remain one of the most vulnerable entry points in hybrid cloud environments, and groups like Storm-0501 are likely to exploit them."

Centralizing endpoint device management (EDM) is also "essential," he said. "Ensuring consistent security patching across all environments — whether cloud-based or on-premises — prevents attackers from exploiting known vulnerabilities."

Advanced monitoring will help teams spot potential threats across hybrid cloud environments before they can become a breach, he added.

Stephen Kowski, field CTO at SlashNext Security echoed many of the same recommendations in an emailed statement.

"This report highlights the critical need for robust security measures across hybrid cloud environments," Kowski said. "Security teams should prioritize strengthening identity and access management, implementing least privilege principles, and ensuring timely patching of Internet-facing systems."

In addition, he suggested shoring up security to protect against initial access attempts.

"Deploying advanced email and messaging security solutions can help prevent initial access attempts through phishing or social engineering tactics that often serve as entry points for these sophisticated attacks," he added.

Sloppy Entra ID Credentials Attract Hybrid Cloud Ransomware

Debian Linux Security Advisory 5778-1 - Simone Margaritelli reported several vulnerabilities in cups-filters. Missing validation of IPP attributes returned from an IPP server and multiple bugs in the cups-browsed component can result in the execution of arbitrary commands without authentication when a print job is started.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA512

- -------------------------------------------------------------------------  
Debian Security Advisory DSA-5778-1                   security@debian.org  
https://www.debian.org/security/                     Salvatore Bonaccorso  
September 29, 2024                    https://www.debian.org/security/faq  
- -------------------------------------------------------------------------

Package        : cups-filters  
CVE ID         : CVE-2024-47076 CVE-2024-47176  
Debian Bug     : 1082820 1082827

Simone Margaritelli reported several vulnerabilities in cups-filters.  
Missing validation of IPP attributes returned from an IPP server and  
multiple bugs in the cups-browsed component can result in the execution  
of arbitrary commands without authentication when a print job is  
started.

For the stable distribution (bookworm), these problems have been fixed in  
version 1.28.17-3+deb12u1.

We recommend that you upgrade your cups-filters packages.

For the detailed security status of cups-filters please refer to its  
security tracker page at:  
https://security-tracker.debian.org/tracker/cups-filters

Further information about Debian Security Advisories, how to apply  
these updates to your system and frequently asked questions can be  
found at: https://www.debian.org/security/

Mailing list: debian-security-announce@lists.debian.org  
-----BEGIN PGP SIGNATURE-----

iQKTBAEBCgB9FiEERkRAmAjBceBVMd3uBUy48xNDz0QFAmb5b6BfFIAAAAAALgAo  
aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldDQ2  
NDQ0MDk4MDhDMTcxRTA1NTMxRERFRTA1NENCOEYzMTM0M0NGNDQACgkQBUy48xND  
z0RqGA//VfGe41guaMVg8lIgwu9s3atSUeoUDZRf83XWQ0S6gvpTCG/Bko1KSgj0  
xmzHlmjwFA2Sly5PhiWcqDp59txdXZymdojTXFebuE5MFqxcSLoIpn/vxZT6f3ky  
BdfK4oTXfJ5Au+KgRF+jC9zGiKgkMJfaCaf2PPFwan/4nXLYw/GIkvnYAecjGgEQ  
KjuzUgkItBVaGVeaInMISwfSISQFrMK80P7MJyX8ET2b71ijjpReAbfsuOQRaizj  
5dnBXxCAE8l8A5VsZFUT1EK4m3Z7BgKKImnLqDdk61Mz+T7eC4R+Kv+rb5lLBMYK  
pPuBmYlH80U7bK4/TaivuWrX6FdHvtKGFUmQd+YO6rWofwrCTn/8+SlO8ZWOrjKx  
r7UDU7+XTnCu4DI87+7PBcqHEyQTG3CrK/RKblsfw0PP0DFtwJMiipuSjzBmNRZx  
nZppuug7Ks5dljAYGWFrBx2I29Qtj6MD4HeI4JKWoB3r3Xi1gX5vvsav4/r++s9Z  
GvINaqBBIytLjATxLYElCxA74MEmVFNPxUEeEq8xFyPGdnYquJ6xZ6wsy6x+O6Z2  
T4ikIV5+FUA4v/c9JFdMj04dJXXaIfTcxBvYA4CoykdHmMGAw1/rCuucL4zoPMUl  
G03rz0k3/QziqZ6EM/Firbd++RrCo86wBiA10Anmhy7+0kS3TCE=  
=fH4o  
-----END PGP SIGNATURE-----

Debian Security Advisory 5778-1

VegaBird Vooki version 5.2.9 suffers from a dll hijacking vulnerability.

    ====================================CVE ID: CVE-2024-45874Author: Iulian FloreaVendor: VegaBirdProduct:  Vooki - Dynamic Web Application & REST API Vulnerability Scanner (DAST Tool)Vulnerability Type: DLL Hijacking========================================================================Summary==================================== A DLL hijacking vulnerability in VegaBird Vooki 5.2.9 allows attackers to execute arbitrary code / maintain persistence via placing a crafted DLL file in the same directory as Yaazhini.exe.====================================Exploitation====================================By placing an arbitrary DLL (Example: dcomp.dll) within the application folder (C:\Program Files\Vooki) and opening the application (Vooki.exe) it can be noted that the DLL is being loaded. This can lead to persistence or in some cases to privilege escalation.

VegaBird Vooki 5.2.9 DLL Hijacking

VegaBird Yaazhini version 2.0.2 suffers from a dll hijacking vulnerability.

    ====================================CVE ID: CVE-2024-45873Author: Iulian FloreaVendor: VegaBirdProduct:  Vooki - Free Android APK & API Vulnerability Scanner(Yaazhini)Vulnerability Type: DLL Hijacking========================================================================Summary==================================== A DLL hijacking vulnerability in VegaBird Yaazhini 2.0.2 allows attackers to execute arbitrary code / maintain persistence via placing a crafted DLL file in the same directory as Yaazhini.exe.====================================Exploitation====================================By placing an arbitrary DLL (Example: dcomp.dll) within the application folder (C:\Users\<USER>\AppData\Local\Programs\Yaazhini) and opening the application (Yaazhini.exe) it can be noted that the DLL is being loaded. This can lead to persistence or in some cases to privilege escalation.

Tag

#auth