The article walks through setting up a Windows 2012 IIS environment, reverse‑engineering the product’s 3DES license check, analyzing web.config permissions, and uncovering multiple vulnerabilities—including SSRF, several SQL injections, and arbitrary file‑upload flaws—culminating in a full bypass of the EIS system’s authentication.
The article walks through the discovery of an arbitrary ZIP‑file download vulnerability in a large OA front‑end, detailing how the attacker traced the vulnerable Spring MVC controller, built a PoC using a controllable cookie, achieved directory‑traversal reads, demonstrated a DOS extension, and finally suggested input‑filter mitigations.
The article examines the critical CVE-2024-6387 OpenSSH 0‑day remote code execution flaw, explains its technical details, and outlines JD Cloud's comprehensive emergency response, attack‑surface management, precise vulnerability intelligence, and managed security services to help enterprises mitigate such threats.
A critical 0day vulnerability in the WeChat Windows desktop client allows attackers to execute shellcode via a crafted web link without leaving files or new processes, prompting users to update to version 3.2.1.143 or apply temporary safeguards such as using the system browser and avoiding unknown links.
This article expands on the author's BlueHat Shanghai 2019 presentation, summarizing Office‑related 0‑day and 1‑day vulnerabilities discovered between 2010 and 2018, categorizing them by component and type, and providing extensive references, analysis notes, and exploitation guidance for security researchers.
A JavaScript snippet shared on Twitter claims to crash Firefox, Chrome, and Safari browsers and even force an iPhone to restart, prompting security researchers to examine its behavior, potential as a 0‑day exploit, and possible misuse in attacks.
A JavaScript snippet shared on Twitter claims to crash Firefox, Chrome, and Safari browsers and even force an iPhone to restart, prompting security researchers to examine the code, observed effects on desktop and mobile, and discuss whether it is a bug or a true 0‑day exploit.
