Create accountLogin

Recent searches

No recent searches

Search options

Only available when logged in.
flipboard.social is one of the many independent Mastodon servers you can use to participate in the fediverse.
Welcome to Flipboard on Mastodon. A place for our community of curators and enthusiasts to inform and inspire each other. If you'd like to join please request an invitation via the sign-up page.

Administered by:

Server stats:

1.2K
active users

flipboard.social: AboutProfiles directoryPrivacy policy

Mastodon: AboutGet the appKeyboard shortcutsView source codev4.3.7

#codeexecution

0 posts0 participants0 posts today
Public
N-gated Hacker News

🎉 Wow, an "Inline Evaluation Adventure" where you can execute code by using a magical combination of keys that sounds like a secret cheat code from a '90s video game. 🤹‍♀️ No run button? Bravo! Because who needs intuitive interfaces in 2025, right? 😂
rigsomelight.com/2025/03/12/in #InlineEvaluation #Adventure #SecretCheatCode #90sNostalgia #CodeExecution #IntuitiveInterfaces #HackerNews #ngated

rigsomelight.comInline Evaluation Adventure
Public
Billy Anderson

Critical Kibana Flaws (CVE-2024-37288, CVE-2024-37285) Expose Systems to Arbitrary Code Execution

Elastic has issued a critical security advisory about two severe vulnerabilities in Kibana, its popular data visualization and analytics platform.

CVE-2024-37288: YAML Deserialization Flaw in Amazon Bedrock Connector.
Rated as critical with a CVSS score of 9.9, this flaw can lead to remote code execution through crafted malicious YAML payloads. Users who have configured an Amazon Bedrock connector in Elastic Security should update immediately.

CVE-2024-37285: Widespread YAML Deserialization Vulnerability.
With a CVSS score of 9.1, this vulnerability affects a broader range of Kibana users. It allows attackers to execute arbitrary code if they have specific Elasticsearch and Kibana privileges.

What’s the solution?
Elastic advises all users to upgrade to Kibana version 8.15.1 to address these vulnerabilities. For those unable to upgrade immediately, temporarily disable the integration assistant using the following configuration:

xpack.integration_assistant.enabled: false

Act now to protect your systems. Vulnerabilities like these can lead to complete system compromise if left unaddressed.

#CyberSecurity#Kibana#Elastic
Continued thread
Public
Baiyssy

补充一句,#GoogleAIStudio 还增加了 #CodeExecution 功能。

> #Gemini API 代码执行功能使模型能够生成并运行 #Python 代码,并根据结果迭代学习,直到获得最终输出。您可以使用此代码执行功能来构建能从基于代码的推理功能中受益并能生成文本输出的应用。例如,您可以在解方程式或处理文本的应用中使用代码执行。
> AI Studio 和 Gemini API 中都支持代码执行功能。在 AI Studio 中,您可以在高级设置下启用代码执行功能。Gemini API 提供代码执行功能,类似于函数调用。您将代码执行添加为工具后,模型就会决定何时使用该工具。

Public
🛡 H3lium@infosec.exchange/:~# :blinking_cursor:

Okta Verify for Windows Auto-update Vulnerability Alert

Date: 2024-03-26
CVE: CVE-2024-0980
Sources: Trust.okta.com Advisory

Issue Summary

Okta Verify's auto-update service for Windows was found vulnerable due to two flaws. These vulnerabilities, when exploited together, could lead to arbitrary code execution on affected systems.

Technical Key Findings

The flaws pertain to improper limitation of a pathname to a restricted directory ("Path Traversal") and uncontrolled search path element ("DLL Hijacking"). Attackers could exploit these vulnerabilities to execute arbitrary code.

Vulnerable Products

  • Okta Verify for Windows versions prior to 4.10.7.
  • Note: Okta Verify on platforms other than Windows is unaffected.

Impact Assessment

If exploited, attackers could execute arbitrary code in the context of the application, potentially taking control of affected systems.

Patches or Workaround

Upgrade to Okta Verify for Windows version 4.10.7 or later to mitigate this vulnerability.

Tags

#CVE-2024-0980, #OktaVerify, #Windows, #SecurityPatch, #CodeExecution

For the most current information and updates on this issue, please refer to the official Okta security advisories page.

Okta, Inc.Okta Verify for Windows Auto-update Arbitrary Code Execution CVE-2024-0980 | OktaBy Okta, Inc.
Public
🛡 H3lium@infosec.exchange/:~# :blinking_cursor:

"🚨 Autodesk AutoCAD Vulnerabilities Exposed 🚨"

Autodesk's security advisory reveals critical vulnerabilities within AutoCAD products, impacting various versions with potential for arbitrary code execution. Highlighting CVEs such as CVE-2024-0446 through CVE-2024-23137, these flaws can be exploited through maliciously crafted files, posing significant risks to confidentiality, integrity, and availability. Mitigation includes avoiding the import feature and only importing files from trusted sources. Props to Mat Powell from Trend Micro Zero Day Initiative for uncovering these vulnerabilities. Stay vigilant and update accordingly! 🛡️💻

Tags: #CyberSecurity #Vulnerability #AutoCAD #CVE #Autodesk #CodeExecution #InfoSec #PatchManagement

AUTODESK TRUST CENTER Security advisory

Public
🛡 H3lium@infosec.exchange/:~# :blinking_cursor:

"⚠️ FFmpeg Vulnerability Alert: CVE-2024-22860 🚨"

A critical vulnerability in FFmpeg before n6.1, identified as CVE-2024-22860, has been disclosed. This integer overflow issue allows remote attackers to execute arbitrary code through the jpegxl_anim_read_packet component in the JPEG XL Animation decoder. With a CVSS v3 score of 9.8, it's marked as a severe risk. Notably, this vulnerability has been addressed in FFmpeg version n6.1.

🔗 For more details on this vulnerability, check Tenable's overview: CVE-2024-22860 - Tenable and Debian's security tracker: CVE-2024-22860 - Debian Security Tracker.

Tags: #CyberSecurity #Vulnerability #FFmpeg #CVE2024_22860 #InfoSec #CodeExecution #PatchNow 🛡️💻🔒

www.tenable.comCVE-2024-22860Integer overflow vulnerability in FFmpeg before n6.1, allows remote attackers to execute arbitrary code via the jpegxl_anim_read_packet component in the JPEG XL Animation decoder.
Public *
🛡 H3lium@infosec.exchange/:~# :blinking_cursor:

"🚨 Critical Zero-Day Patch Released by Apple - CVE-2024-23222 🚨"

Apple has urgently released updates for a range of its devices, including iPhones, Macs, and Apple TVs, to patch a critical zero-day flaw (CVE-2024-23222). This type confusion vulnerability, which can lead to arbitrary code execution when processing specially crafted web content, has been reportedly exploited in the wild. The patch addresses this issue with enhanced checks.

This zero-day bug is the first Apple has fixed in 2024, following their action on 20 zero-days last year. Updates are available for iOS 17.3 & iPadOS 17.3 (iPhone XS and later, various iPad models), macOS Sonoma 14.3, macOS Ventura 13.6.4, macOS Monterey 12.7.3, tvOS 17.3, and Safari 17.3.

Tags: #AppleSecurity #ZeroDay #CVE202423222 #CyberSecurity #PatchNow #TypeConfusion #CodeExecution #UpdateAlert 🍏💻🔒

Mitre CVE-2024-23222

Source: TheHackerNews

cve.mitre.orgCVE - CVE-2024-23222 The mission of the CVE® Program is to identify, define, and catalog publicly disclosed cybersecurity vulnerabilities.
Public
🛡 H3lium@infosec.exchange/:~# :blinking_cursor:

"Google's Silent Amendment: A Tale of a Critical WebP Vulnerability 🕷️"

Google has discreetly updated a prior disclosure concerning a critical code-execution vulnerability, initially underplayed as affecting only Chrome, but now revealed to impact thousands of apps and software frameworks. The culprit is the libwebp code library, created by Google for rendering WebP images, which is embedded in numerous apps, operating systems, and code libraries, notably the Electron framework. The vulnerability, initially tagged as CVE-2023-4863, was reclassified as CVE-2023-5129 with a severity rating escalated to a perfect 10. The flaw could allow attackers to execute malicious code merely by tricking users into viewing a corrupted WebP image. It's a stark reminder to ensure your apps, especially those running on Electron versions v22.3.24, v24.8.3, or v25.8.1, are updated to dodge this bullet. 🛡️

Source: Ars Technica by Dan Goodin. Follow him on Twitter.

Tags: #Google #WebPVulnerability #CVE20234863 #CVE20235129 #CyberSecurity #CodeExecution #ElectronFramework #SoftwareVulnerability #InfoSec

Ars Technica · Google quietly corrects previously submitted disclosure for critical webp 0-dayPrevious CVE submission failed to mention that thousands of apps were affected.
ExploreLive feeds
About