home.social

#fulldisclosure — Public Fediverse posts

Live and recent posts from across the Fediverse tagged #fulldisclosure, aggregated by home.social.

  1. Plethora of critical #Linksys MX4200 Wi-Fi router vulnerabilities (that were originally reported to Linksys nearly a year ago!) are still unfixed:

    - [SYSS-2025-001] Linksys MX9600/MX4200 - Path Traversal seclists.org/fulldisclosure/20
    - [SYSS-2025-002] Linksys MX9600/MX4200 - Missing Authentication for Critical Function seclists.org/fulldisclosure/20
    - [SYSS-2025-009] Linksys MX9600/MX4200 - SQL Injection seclists.org/fulldisclosure/20
    - [SYSS-2025-010] Linksys MX9600/MX4200 - OS Command Injection seclists.org/fulldisclosure/20
    - [SYSS-2025-011] Linksys MX9600/MX4200 - OS Command Injection seclists.org/fulldisclosure/20
    - [SYSS-2025-014] Linksys MX4200 - Improper Verification of Source of a Communication Channel seclists.org/fulldisclosure/20

    On first read it might appear that many of these vulnerabilities would only be exploitable by accessing the device's non-WAN interface(s) from inside the local network. However, due to the SYSS-2025-014 vulnerability the normally "LAN only RCE" vulnerabilities (SYSS-2025-010 and -011) and SQL injection (SYSS-2025-009) can be performed from the WAN interface (read: the internet). The attacker merely needs to make the connection originate from port 5222 (which is trivial to arrange via local bind before connect).

    Update: Users of Linksys MX4200 should upgrade to firmware version 2.0.7.216620 or later. While not all of the security issues are fixed, it at least should stop the attacks via the WAN interface (SYSS-2025-014). support.linksys.com/kb/article

    #linksys #fulldisclosure #vulnerability #infosec #cybersecurity

  2. Full disclosure in computer security still exists and is complementary to other disclosure models. The evolution of vulnerability disclosure is not linear from full disclosure to responsible disclosure to coordinated disclosure. These models coexist and all need to be taken into account.

    You can’t just say “the legal framework will solve it” or “just do coordinated disclosure.” Vendors, researchers, and users are not all rational actors playing the same game.

    Vulnerability disclosure is more complex than that, and if you actually want to address the issue, you can’t just say “it doesn’t exist.”

    #cve #gcve #vulnerabilitymanagement #cybersecurity #fulldisclosure #vulnerability

  3. To everyone using #MintLinux:

    Please run `sudo passwd` and set a password for your root shell right now!

    Failing to do so will keep your system vulnerable to a password-less recovery root shell, whose only security measure is asking you to press "Enter", nothing else.

    I am doing #FullDisclosure of this massive #SecurityBreach right now, as this huge problem has apparently been known for years already, but nobody seems to care at @linuxmint

    forums.linuxmint.com/viewtopic.

    What the...

    #RootShell #Linux

  4. Playing around with #Modyfi, which does support #VariableFonts now. This shrink-wrap modifier seems destined to be used with #ElectricBlue.
    #Animating variable fonts has never been so easy!

    app.modyfi.com
    (I’m not paid to say that, Daniël tipped me off and they reached out to him for some collaboration #fulldisclosure)

  5. Well, it turns out we're not the only folks to find something in F5 this month:

    my.f5.com/manage/s/article/K00

    Sounds like someone else found a post-auth SQL Injection vuln. There's also some kind of cache poisoning issue that someone identified. More details on that at blog.malicious.group/from-akam.

    For the last issue the author was annoyed there was no bug bounty so they told F5 they were just gonna full disclosure. I suspect our bug was just bundled in with this release to get ahead of it.

    Part of me would have loved the idea of accidentally stumbling onto a legit 0-day in the wild, but at this point I'm going to assume that's not the case until I see it proven otherwise.

    #f5 #sqlinjection #cachepoisoning #vr #fulldisclosure

  6. So far:

    Launch is actually smaller than the #Kinesis gaming keyboard. BUT, Kinesis wins for ergonomics.

    Setting up the Launch Heavy was not difficult. I got the Kailh Silent Brown; they are quiet and feel great.

    Bonus points to Launch for having 4 extra usb ports built in. That is going to be handy.

    #FullDisclosure - I have a #Pop_OS computer that I used to set up the #LaunchHeavy keyboard. I'm using it on my #Gentoo machine, though. Anyone know if there is an ebuild for the config software?