home.social

#nocve — Public Fediverse posts

Live and recent posts from across the Fediverse tagged #nocve, aggregated by home.social.

  1. Remote Pre-Auth Buffer Overflow in GNU Inetutils telnetd (LINEMODE SLC)

    https://seclists.org/oss-sec/2026/q1/300

    #NoCVE yet?
  2. [oss-security] Roundcube webmail: Post-Auth RCE via PHP Object Deserialization reported by firs0v /by @hanno

    https://www.openwall.com/lists/oss-security/2025/06/02/1

    #NoCVE
  3. [RSS] Finding an Unauthenticated RCE nday in Zendto, patched quietly in 2021. Lots of vulnerable instances exposed to the internet.

    https://projectblack.io/blog/zendto-nday-vulnerabilities/

    #NoCVE
  4. [RSS] Pwn everything Bounce everywhere all at once (part 2)

    http://blog.quarkslab.com/pwn-everything-bounce-everywhere-all-at-once-part-2.html

    New pre-auth RCE exploit chains for old SOPlanning bugs #NoCVE
  5. SECURITY ADVISORY - PUBLIC DISCLOSURE
    2024-11-14

    Minut M2 (P2/Point) IoT devices with firmwares up to and including #15142 are susceptible to hostile takeover by a physically proximate attacker. The vendor was notified 2024-08-16 and any device in active use should have received updated firmware.

    These devices are marketed towards the short-term rental market thus the intended use case is for possible attackers to have physical access, and the attack can be performed through the externally accessible USB-C port. The attack gives full persistent control over the device and can be used to invalidate the intended notifications for the short-term rental host regarding noise levels and occupancy by guests. It's also possible for an attacker to persist surveillance code that will spy on other guests and/or the host and exfiltrate over the network.

    The attacker needs to have crafted new firmware in advance using keys extracted from any other Minut M2 device running firmware #15142 or below.

    Minut M2 owners should verify that their devices have received a recent firmware update to at least version #1056696.

    Vendor website: minut.com

    Research and reporting by Troed Sångberg, Amlisoft AB

    #NoCVE #CyberSecurity #IoT #Minut

  6. SECURITY ADVISORY - PUBLIC DISCLOSURE
    2024-11-14

    Minut M2 (P2/Point) IoT devices with firmwares up to and including #15142 are susceptible to hostile takeover by a physically proximate attacker. The vendor was notified 2024-08-16 and any device in active use should have received updated firmware.

    These devices are marketed towards the short-term rental market thus the intended use case is for possible attackers to have physical access, and the attack can be performed through the externally accessible USB-C port. The attack gives full persistent control over the device and can be used to invalidate the intended notifications for the short-term rental host regarding noise levels and occupancy by guests. It's also possible for an attacker to persist surveillance code that will spy on other guests and/or the host and exfiltrate over the network.

    The attacker needs to have crafted new firmware in advance using keys extracted from any other Minut M2 device running firmware #15142 or below.

    Minut M2 owners should verify that their devices have received a recent firmware update to at least version #1056696.

    Vendor website: minut.com

    Research and reporting by Troed Sångberg, Amlisoft AB

    #NoCVE #CyberSecurity #IoT #Minut

  7. SECURITY ADVISORY - PUBLIC DISCLOSURE
    2024-11-14

    Minut M2 (P2/Point) IoT devices with firmwares up to and including #15142 are susceptible to hostile takeover by a physically proximate attacker. The vendor was notified 2024-08-16 and any device in active use should have received updated firmware.

    These devices are marketed towards the short-term rental market thus the intended use case is for possible attackers to have physical access, and the attack can be performed through the externally accessible USB-C port. The attack gives full persistent control over the device and can be used to invalidate the intended notifications for the short-term rental host regarding noise levels and occupancy by guests. It's also possible for an attacker to persist surveillance code that will spy on other guests and/or the host and exfiltrate over the network.

    The attacker needs to have crafted new firmware in advance using keys extracted from any other Minut M2 device running firmware #15142 or below.

    Minut M2 owners should verify that their devices have received a recent firmware update to at least version #1056696.

    Vendor website: minut.com

    Research and reporting by Troed Sångberg, Amlisoft AB

    #NoCVE #CyberSecurity #IoT #Minut

  8. SECURITY ADVISORY - PUBLIC DISCLOSURE
    2024-11-14

    Minut M2 (P2/Point) IoT devices with firmwares up to and including #15142 are susceptible to hostile takeover by a physically proximate attacker. The vendor was notified 2024-08-16 and any device in active use should have received updated firmware.

    These devices are marketed towards the short-term rental market thus the intended use case is for possible attackers to have physical access, and the attack can be performed through the externally accessible USB-C port. The attack gives full persistent control over the device and can be used to invalidate the intended notifications for the short-term rental host regarding noise levels and occupancy by guests. It's also possible for an attacker to persist surveillance code that will spy on other guests and/or the host and exfiltrate over the network.

    The attacker needs to have crafted new firmware in advance using keys extracted from any other Minut M2 device running firmware #15142 or below.

    Minut M2 owners should verify that their devices have received a recent firmware update to at least version #1056696.

    Vendor website: minut.com

    Research and reporting by Troed Sångberg, Amlisoft AB

    #NoCVE #CyberSecurity #IoT #Minut

  9. SECURITY ADVISORY - PUBLIC DISCLOSURE
    2024-11-14

    Minut M2 (P2/Point) IoT devices with firmwares up to and including #15142 are susceptible to hostile takeover by a physically proximate attacker. The vendor was notified 2024-08-16 and any device in active use should have received updated firmware.

    These devices are marketed towards the short-term rental market thus the intended use case is for possible attackers to have physical access, and the attack can be performed through the externally accessible USB-C port. The attack gives full persistent control over the device and can be used to invalidate the intended notifications for the short-term rental host regarding noise levels and occupancy by guests. It's also possible for an attacker to persist surveillance code that will spy on other guests and/or the host and exfiltrate over the network.

    The attacker needs to have crafted new firmware in advance using keys extracted from any other Minut M2 device running firmware #15142 or below.

    Minut M2 owners should verify that their devices have received a recent firmware update to at least version #1056696.

    Vendor website: minut.com

    Research and reporting by Troed Sångberg, Amlisoft AB

    #NoCVE #CyberSecurity #IoT #Minut

  10. I published my analysis of the Series 9000 Brainalyzer exploit by Rick Sanchez:

    https://video.infosec.exchange/w/jtR1V9N5ghHES5oayeBrrd

    Did I miss anything?

    #NoCVE
  11. mpg123 buffer overflow in versions before 1.32.8

    https://seclists.org/oss-sec/2024/q4/45

    #NoCVE yet - Edit: Got assigned CVE-2024-10573