Security
Headlines
HeadlinesLatestCVEs

Tag

#web

GHSA-hjq6-52gw-2g7p: yt-dlp: `--exec` command injection when using `%q` in yt-dlp on Windows (Bypass of CVE-2023-40581)

### Summary The [patch that addressed CVE-2023-40581](https://github.com/yt-dlp/yt-dlp/commit/de015e930747165dbb8fcd360f8775fd973b7d6e) attempted to prevent RCE when using `--exec` with `%q` by replacing double quotes with two double quotes. However, this escaping is not sufficient, and still allows expansion of environment variables. Support for output template expansion in `--exec`, along with this vulnerable behavior, was added to `yt-dlp` in version [2021.04.11](https://github.com/yt-dlp/yt-dlp/releases/tag/2021.04.11). ```cmd > yt-dlp "https://youtu.be/42xO6rVqf2E" --ignore-config -f 18 --exec "echo %(title)q" [youtube] Extracting URL: https://youtu.be/42xO6rVqf2E [youtube] 42xO6rVqf2E: Downloading webpage [youtube] 42xO6rVqf2E: Downloading ios player API JSON [youtube] 42xO6rVqf2E: Downloading android player API JSON [youtube] 42xO6rVqf2E: Downloading m3u8 information [info] 42xO6rVqf2E: Downloading 1 format(s): 18 [download] Destination: %CMDCMDLINE:~-1%&echo pwned&calc.exe [4...

ghsa
Open in Source
#vulnerability#web#ios#android#windows#js#git#rce#perl
Vulnerability in some TP-Link routers could lead to factory reset

There are also two out-of-bounds write vulnerabilities in the AMD Radeon user mode driver for DirectX 11.

Match Systems report on consequences of CBDC implementation, led by CEO Andrei Kutin

By Cyber Newswire Match Systems, a leading authority in crypto crimes investigations and crypto AML solutions provider, has published a comprehensive… This is a post from HackRead.com Read the original post: Match Systems report on consequences of CBDC implementation, led by CEO Andrei Kutin

Match Systems publishes report on the consequences of CBDC implementation, led by CEO Andrei Kutin

By cybernewswire Dubai, UAE, April 10th, 2024, CyberNewsWire Match Systems, a leading authority in crypto crimes investigations and crypto AML… This is a post from HackRead.com Read the original post: Match Systems publishes report on the consequences of CBDC implementation, led by CEO Andrei Kutin

Attack on Consumer Electronics Manufacturer boAt Leaks Data on 7.5M Customers

In a cyberattack more reminiscent of the 2010s, a seemingly lone hacker fleeced a major corporation for millions of open customer records.

CHAOS RAT 5.0.1 Remote Command Execution

CHAOS RAT web panel version 5.0.1 is vulnerable to command injection, which can be triggered from a cross site scripting attack, allowing an attacker to takeover the RAT server.

Fuxnet: Disabling Russia's Industrial Sensor And Monitoring Infrastructure

This report seems to detail an operation to disable Russia's industrial sensor and monitoring infrastructure at www.moscollector.ru.

Twitter’s Clumsy Pivot to X.com Is a Gift to Phishers

On April 9, Twitter/X began automatically modifying links that mention "twitter.com" to redirect to "x.com" instead. But over the past 48 hours, dozens of new domain names have been registered that demonstrate how this change could be used to craft convincing phishing links -- such as fedetwitter[.]com, which is currently rendered as fedex.com in tweets.

'eXotic Visit' Spyware Campaign Targets Android Users in India and Pakistan

An active Android malware campaign dubbed eXotic Visit has been primarily targeting users in South Asia, particularly those in India and Pakistan, with malware distributed via dedicated websites and Google Play Store. Slovak cybersecurity firm said the activity, ongoing since November 2021, is not linked to any known threat actor or group. It's tracking the group behind the operation under the

Introducing the Digital Footprint Portal

Find out what sensitive data of yours is exposed online today with our new, free Digital Footprint Portal.