Tagged articles

48 articles

Page 1 of 1

May 15, 2026 · Information Security

How the 'FailRelock' Flag Let Attackers Bypass BitLocker for the Fifth Time

A debug flag named FailRelock in Windows' recovery environment disables BitLocker relocking when set to 1, allowing an attacker with a USB drive and a modified INI file to obtain full access to encrypted drives—a fifth such breach in five years, highlighted with attack steps, technical analysis, and mitigation advice.

BitLockerDebug FlagFailRelock

0 likes · 6 min read

How the 'FailRelock' Flag Let Attackers Bypass BitLocker for the Fifth Time

Black & White Path

May 7, 2026 · Information Security

WhisperPair Vulnerability Enables Remote Hijacking of Millions of Bluetooth Headphones

Security researchers from KU Leuven discovered a critical flaw in Google’s Fast Pair protocol, dubbed WhisperPair, that allows an attacker within 15 seconds and Bluetooth range to silently take over popular headphones such as Sony WH‑1000XM4/5/6, inject audio, eavesdrop, hijack calls, and even track the user’s location.

BluetoothFast PairFirmware update

0 likes · 9 min read

WhisperPair Vulnerability Enables Remote Hijacking of Millions of Bluetooth Headphones

Data Party THU

May 4, 2026 · Artificial Intelligence

Why Sending a Tilde to an LLM Can Erase Your Entire Home Directory

A recent ACL 2026 paper uncovers a “Emoticon Semantic Confusion” vulnerability in large language models, where the tilde symbol (~) intended as a friendly emoticon is interpreted as the shell shortcut for the home directory, causing silent, irreversible deletions across major LLMs with a 38.6 % confusion rate.

ACL 2026LLM safetySecurity Vulnerability

0 likes · 9 min read

Why Sending a Tilde to an LLM Can Erase Your Entire Home Directory

Black & White Path

May 1, 2026 · Information Security

Deep Dive into cPanel/WHM Auth Bypass Vulnerability (CVE‑2026‑41940)

watchTowr Labs discovered a critical authentication bypass in all supported cPanel & WHM versions (CVE‑2026‑41940) that allows remote attackers to inject session files via crafted HTTP requests, gain root access, and has been observed in the wild; the article details the flaw, exploitation chain, impact, and mitigation steps.

Authentication BypassCVE-2026-41940Mitigation

0 likes · 13 min read

Deep Dive into cPanel/WHM Auth Bypass Vulnerability (CVE‑2026‑41940)

Black & White Path

Apr 22, 2026 · Information Security

Prompt Injection Threat: Claude Code, Gemini CLI, and Copilot Agent All Compromised

Security researchers discovered that the three most widely deployed AI agents on GitHub Actions—Anthropic Claude Code, Google Gemini CLI, and GitHub Copilot—are vulnerable to prompt‑injection attacks that let attackers hijack the agents via PR titles, issue comments, or hidden HTML, exfiltrating repository API keys and tokens entirely within GitHub’s own infrastructure.

AI agentsClaudeCopilot

0 likes · 21 min read

Prompt Injection Threat: Claude Code, Gemini CLI, and Copilot Agent All Compromised

Black & White Path

Apr 20, 2026 · Information Security

New Discord Bug Can Delete Accounts via Malicious Invite Links

A newly discovered Discord vulnerability lets attackers generate invite links that, when clicked and the user joins the server, automatically delete the victim’s Discord account, prompting a warning to avoid such links.

DiscordSecurity Vulnerabilityaccount deletion

0 likes · 1 min read

New Discord Bug Can Delete Accounts via Malicious Invite Links

Black & White Path

Apr 15, 2026 · Information Security

CVE-2025-2563: How Pre‑4.1.2 WordPress Registration Plugins Enable Privilege Escalation

CVE-2025-2563 affects WordPress installations prior to version 4.1.2 where user registration and membership plugins, when the membership add‑on is enabled, fail to block role assignment, allowing unauthenticated users to elevate themselves to administrator privileges.

CVE-2025-2563Security VulnerabilityWordPress

0 likes · 1 min read

CVE-2025-2563: How Pre‑4.1.2 WordPress Registration Plugins Enable Privilege Escalation

Black & White Path

Apr 10, 2026 · Information Security

How the M6Plus Bluetooth POS Can Reverse‑Hijack Your PC via CVE‑2026‑4583

A deep security analysis reveals that the M6Plus Bluetooth payment terminal suffers from a protocol flaw—CVE‑2026‑4583—that lacks encryption, replay protection, and uses a weak XOR checksum, enabling attackers to spoof the device, inject malicious packets, and gain admin control of paired computers or phones.

BLEBluetoothCVE-2026-4583

0 likes · 7 min read

How the M6Plus Bluetooth POS Can Reverse‑Hijack Your PC via CVE‑2026‑4583

Black & White Path

Feb 13, 2026 · Information Security

Critical Remote Command Execution Flaw in WeChat Linux 4.1.0.13 Impacts Major Chinese OSes, Skips HarmonyOS

A high‑severity (CVSS 8.8) command‑injection vulnerability in WeChat Linux client 4.1.0.13 allows an attacker to execute arbitrary shell commands by sending a file with a specially crafted name, affecting most Linux distributions and Chinese‑made operating systems while leaving HarmonyOS untouched.

Command InjectionLinuxRemote Code Execution

0 likes · 21 min read

Critical Remote Command Execution Flaw in WeChat Linux 4.1.0.13 Impacts Major Chinese OSes, Skips HarmonyOS

Node.js Tech Stack

Jan 22, 2026 · Information Security

How a Malicious JSON Crashes Node.js Servers via Async Hooks and the New Fix

The recent Node.js security release patches eight vulnerabilities, most notably a stack‑overflow bug triggered by deep recursive promises when async_hooks is enabled, which allows a crafted JSON payload to terminate the process, and the fix modifies TryCatchScope to re‑throw stack‑overflow errors instead of exiting.

CVE-2025-59466Next.jsNode.js

0 likes · 13 min read

How a Malicious JSON Crashes Node.js Servers via Async Hooks and the New Fix

Node.js Tech Stack

Dec 23, 2025 · Information Security

Critical Storybook Flaw May Leak API Keys and Database Passwords

Storybook versions 7.0+ can unintentionally bundle the entire .env file into static builds when using process.env patterns, exposing API keys and database passwords to anyone accessing the published site; the advisory lists affected versions, plugin triggers, and recommends immediate upgrade to patched releases and key rotation.

Env VariablesSecurity VulnerabilityStorybook

0 likes · 6 min read

Critical Storybook Flaw May Leak API Keys and Database Passwords

Code Mala Tang

Dec 12, 2025 · Information Security

Is Your Next.js Project Safe? Inside the Critical React2Shell CVE‑2025‑55182 Vulnerability

The article warns that after an incomplete fix for the React2Shell flaw, two new critical vulnerabilities have emerged in React Server Components—a denial‑of‑service and a source‑code exposure issue—detailing their triggers and urging immediate remediation for all affected projects.

CVE-2025-55182Denial of ServiceNext.js

0 likes · 2 min read

Is Your Next.js Project Safe? Inside the Critical React2Shell CVE‑2025‑55182 Vulnerability

IT Services Circle

Sep 25, 2025 · Information Security

OnePlus Devices Face Critical CVE‑2025‑10184: Silent SMS Access Exploited

RAPID7 has revealed a critical CVE‑2025‑10184 flaw in OnePlus devices running OxygenOS 12‑15 that lets any app silently read users’ SMS and MMS messages without permission, potentially exposing verification codes and private data, after the vendor failed to respond to multiple contact attempts.

AndroidCVE-2025-10184OnePlus

0 likes · 4 min read

OnePlus Devices Face Critical CVE‑2025‑10184: Silent SMS Access Exploited

Open Source Linux

Jul 7, 2025 · Information Security

Critical Linux sudo Vulnerability (CVE‑2025‑32463) Enables Root Privilege Escalation

Borncity reported on July 1 that a critical sudo vulnerability (CVE‑2025‑32463) in Linux, caused by mishandling of /etc/nsswitch.conf and flawed options like –host, –h and –chroot, –R, can allow attackers to execute arbitrary code and elevate privileges to root, affecting sudo versions 1.9.14‑1.9.17.

CVE-2025-32463LinuxSecurity Vulnerability

0 likes · 2 min read

Critical Linux sudo Vulnerability (CVE‑2025‑32463) Enables Root Privilege Escalation

IT Services Circle

May 15, 2025 · Information Security

Critical RDP Vulnerability Allows Persistent Access with Revoked Microsoft/Azure Passwords

A newly disclosed critical vulnerability in Windows Remote Desktop Protocol (RDP) lets attackers bypass cloud authentication and maintain permanent access using revoked Microsoft or Azure account passwords, even after password changes, while Microsoft treats the issue as a design decision rather than a bug.

AuthenticationAzureMicrosoft

0 likes · 5 min read

Critical RDP Vulnerability Allows Persistent Access with Revoked Microsoft/Azure Passwords

IT Services Circle

Nov 19, 2024 · Information Security

QQ and TIM Crash Caused by QQ NT Kernel Vulnerability and Recommended Mitigation Steps

A widespread crash affecting QQ and TIM on Windows, iOS, and Android was caused by a vulnerability in the QQ NT kernel that allowed malicious code in group file previews to trigger the failure, and users are advised to clean chat records or await server-side fixes.

QQQQ NT kernelSecurity Vulnerability

0 likes · 5 min read

QQ and TIM Crash Caused by QQ NT Kernel Vulnerability and Recommended Mitigation Steps

php Courses

Dec 8, 2023 · Information Security

Critical Bluetooth Vulnerability CVE-2023-45866 Affects Android, iOS, Linux, and macOS

A high‑severity Bluetooth vulnerability (CVE‑2023‑45866) discovered by SkySafe researcher Marc Newlin allows attackers to bypass authentication, pair a fake keyboard, and execute code on Android, iOS, Linux, and macOS devices, with Google’s December Android security update already addressing the issue.

AndroidBluetoothCVE-2023-45866

0 likes · 2 min read

Critical Bluetooth Vulnerability CVE-2023-45866 Affects Android, iOS, Linux, and macOS

php Courses

Nov 16, 2023 · Information Security

Security Risks of OpenAI's ChatGPT Code Interpreter Tool

OpenAI's new ChatGPT Code Interpreter, which can generate and run Python code in a sandbox, has been shown to allow malicious actors to exploit spreadsheet handling and command execution features, raising serious information‑security concerns among experts.

AIChatGPTCode Interpreter

0 likes · 2 min read

Security Risks of OpenAI's ChatGPT Code Interpreter Tool

21CTO

Sep 20, 2023 · Information Security

How ncurses Environment Variable Bugs Can Escalate Privileges on macOS and Linux

The recent discovery of CVE‑2023‑29491 reveals that the long‑standing ncurses library contains environment‑variable poisoning flaws that allow attackers to gain elevated privileges on macOS and Linux systems, prompting urgent updates and mitigation guidance.

CVE-2023-29491Security Vulnerabilityenvironment variable poisoning

0 likes · 6 min read

How ncurses Environment Variable Bugs Can Escalate Privileges on macOS and Linux

IT Services Circle

Apr 25, 2023 · Information Security

WeChat Crash via Malformed QR Code: Technical Analysis and Reproduction

Researchers discovered that a specially crafted QR code triggers a memory leak in WeChat’s OCR engine, causing the app to crash on both mobile and desktop platforms; the article explains the underlying bug, provides detailed decoding analysis, and shares Python code to reproduce the malformed QR code.

OpenCVPythonQR code

0 likes · 8 min read

WeChat Crash via Malformed QR Code: Technical Analysis and Reproduction

Laravel Tech Community

Sep 26, 2022 · Information Security

Privilege Escalation Vulnerability in Visual Studio Code < 1.71.1 (CVE-2022-38020)

Visual Studio Code versions prior to 1.71.1 contain a privilege‑escalation flaw where a low‑privileged Windows attacker can place a malicious bash.exe in a special directory, causing the editor to load and execute the file, and the issue is fixed by upgrading to version 1.71.1 or later.

CVE-2022-38020Security VulnerabilityVisual Studio Code

0 likes · 2 min read

Privilege Escalation Vulnerability in Visual Studio Code < 1.71.1 (CVE-2022-38020)

21CTO

Sep 25, 2022 · Information Security

How a 15-Year-Old Python Tarfile Flaw Still Threatens 350k Open-Source Projects

Security firm Trellix warns that the 15-year-old CVE-2007-4559 directory-traversal flaw in Python’s built-in tarfile module remains unpatched, potentially allowing attackers to execute arbitrary code on any system using Python, and affecting an estimated 350,000 open-source projects across diverse domains.

CVE-2007-4559PythonSecurity Vulnerability

0 likes · 5 min read

How a 15-Year-Old Python Tarfile Flaw Still Threatens 350k Open-Source Projects

IT Services Circle

May 31, 2022 · Information Security

HarmonyOS 3.0 Internal Testing Delays, Elderly‑Friendly Rating, Crash Service Feature, and AppGallery Security Vulnerability Overview

The article reviews the postponed internal testing of HarmonyOS 3.0, highlights its top elderly‑friendly rating, introduces a new crash‑reporting service, and details a discovered AppGallery vulnerability that allows free downloading of paid apps, providing a concise security‑focused overview of recent Huawei developments.

AppGalleryCrash ReportingElderly-friendly

0 likes · 5 min read

HarmonyOS 3.0 Internal Testing Delays, Elderly‑Friendly Rating, Crash Service Feature, and AppGallery Security Vulnerability Overview

OPPO Amber Lab

May 20, 2022 · Information Security

How Intent Redirection Lets Malicious Android Apps Gain System Privileges

This article analyzes a high‑risk Android Intent‑redirection vulnerability discovered in a smart‑terminal app, explains how attackers can gain system privileges to launch arbitrary activities, and outlines concrete mitigation steps for developers and security professionals.

AndroidIntent RedirectionMitigation

0 likes · 8 min read

How Intent Redirection Lets Malicious Android Apps Gain System Privileges

Programmer DD

Apr 22, 2022 · Information Security

Java ECDSA Bug Lets Attackers Forge SSL Certificates – What You Must Do

Oracle’s recent security update patches a critical Java vulnerability (CVE‑2022‑21449) that lets attackers forge SSL certificates, bypass two‑factor authentication, and create fraudulent digital signatures by exploiting a flaw in the ECDSA implementation of Java 15‑18, a bug rated as a crypto‑bug of the year.

CVE-2022-21449ECDSAJava

0 likes · 6 min read

Java ECDSA Bug Lets Attackers Forge SSL Certificates – What You Must Do

MaGe Linux Operations

Mar 10, 2022 · Information Security

What Is the ‘Dirty Pipe’ Linux Vulnerability (CVE‑2022‑0847) and How to Fix It?

The newly disclosed CVE‑2022‑0847 “Dirty Pipe” flaw affects Linux kernels 5.8 and later—including many Android 12 devices—allowing unprivileged users to overwrite read‑only files and gain root privileges, with existing PoC/EXP, and researchers urge immediate kernel upgrades.

AndroidCVE-2022-0847Dirty Pipe

0 likes · 3 min read

What Is the ‘Dirty Pipe’ Linux Vulnerability (CVE‑2022‑0847) and How to Fix It?

Programmer DD

Mar 2, 2022 · Information Security

Critical Spring Cloud Gateway Vulnerabilities and How to Mitigate Them

The article outlines two Spring Cloud Gateway CVEs—CVE-2022-22947 (critical code injection) and CVE-2022-22946 (medium HTTP/2 TrustManager issue)—detailing their severity, affected versions, and recommended mitigation steps such as upgrading to 3.1.1+, disabling Actuator, or securing it with Spring Security.

CVECode InjectionHTTP2

0 likes · 4 min read

Critical Spring Cloud Gateway Vulnerabilities and How to Mitigate Them

IT Services Circle

Feb 3, 2022 · Information Security

Linus Torvalds' GitHub README Prank and the Underlying Fake‑Commit Vulnerability

On January 25, Linus Torvalds posted a prank README on the Linux GitHub repository titled “delete linux because it sucks,” which exposed a “fake‑commit” vulnerability allowing arbitrary pages to be served via specially crafted URLs, highlighting ongoing security issues in GitHub’s handling of commits and email‑based impersonation.

GitHubLinus TorvaldsSecurity Vulnerability

0 likes · 4 min read

Linus Torvalds' GitHub README Prank and the Underlying Fake‑Commit Vulnerability

ITPUB

Jan 29, 2022 · Information Security

Linus Torvalds’ GitHub Prank Exposes a Fake‑Commit Vulnerability

On January 25 Linus Torvalds posted a joking README in the Linux GitHub repository that claimed to delete Linux, which turned out to be a demonstration of a “fake‑commit” vulnerability that lets attackers host arbitrary files via special URLs without appearing in the commit history.

GitHubLinus TorvaldsSecurity Vulnerability

0 likes · 5 min read

Linus Torvalds’ GitHub Prank Exposes a Fake‑Commit Vulnerability

Java Architect Essentials

Dec 30, 2021 · Information Security

Log4j2 Vulnerability and Logback Security: Remediation Recommendations

This article outlines the Log4j2 security vulnerability, notes that Logback shares the same flaw, and provides comprehensive remediation advice—including upgrading to Log4j2 2.17, coordinating development and security teams, testing environments, JDK updates, and consulting professional security services.

Patch UpgradeSecurity VulnerabilitySoftware Remediation

0 likes · 5 min read

Log4j2 Vulnerability and Logback Security: Remediation Recommendations

Java High-Performance Architecture

Dec 30, 2021 · Information Security

Understanding Logback CVE‑2021‑42550: Remote Code Execution Risks and Mitigation

This article explains the Logback vulnerability CVE‑2021‑42550 affecting versions before 1.2.7, detailing how malicious configuration files can lead to remote code execution via LDAP, outlines trigger conditions, affected versions, provides a SpringBoot demo for exploitation, and offers practical mitigation advice.

CVE-2021-42550Configuration AttackRemote Code Execution

0 likes · 4 min read

Understanding Logback CVE‑2021‑42550: Remote Code Execution Risks and Mitigation

Architecture Digest

Dec 21, 2021 · Information Security

Apache Log4j2 Remote Code Execution Vulnerability Exploitation Guide

This article introduces Apache Log4j2, explains the remote code execution vulnerability caused by unsafe JNDI lookups, provides step‑by‑step environment setup, PoC code, exploitation instructions, and outlines official patches and temporary mitigation measures for developers and security engineers.

ExploitJavaMitigation

0 likes · 5 min read

Apache Log4j2 Remote Code Execution Vulnerability Exploitation Guide

Java Backend Technology

Dec 16, 2021 · Information Security

How to Mitigate the Critical Log4j2 Vulnerability: Quick Fixes and Official Patch

This article explains what Apache Log4j2 is, details the remote‑code‑execution vulnerability affecting versions 2.0 to 2.14.1, provides the official patch link, and lists practical temporary mitigation steps for developers and operators.

JavaMitigationSecurity Vulnerability

0 likes · 3 min read

How to Mitigate the Critical Log4j2 Vulnerability: Quick Fixes and Official Patch

21CTO

Dec 13, 2021 · Information Security

Log4Shell Unleashed: How a Single Log4j Flaw Threatens Every Server

The Log4Shell (CVE‑2021‑44228) zero‑day in the widely used Log4j library lets attackers execute remote code without authentication, prompting massive internet‑wide scans, crypto‑mining malware, and threats to critical infrastructure, while open‑source maintainers struggle with limited support despite adoption by giants like Apple and Microsoft.

CVE-2021-44228Log4ShellSecurity Vulnerability

0 likes · 4 min read

Log4Shell Unleashed: How a Single Log4j Flaw Threatens Every Server

MaGe Linux Operations

Dec 10, 2021 · Information Security

How the Log4j2 RCE Flaw Threatened Global Systems and What to Do Now

A critical remote code execution vulnerability in Apache Log4j2, exposed through JNDI injection, has impacted major services worldwide, prompting urgent patches, temporary mitigations, and ongoing updates from the Apache project to protect vulnerable Java applications.

JavaRemote Code ExecutionSecurity Vulnerability

0 likes · 6 min read

How the Log4j2 RCE Flaw Threatened Global Systems and What to Do Now

MaGe Linux Operations

Jun 19, 2021 · Information Security

How a Simple Polkit Bug Lets Any User Gain Root on Linux (CVE‑2021‑3560)

A recently disclosed Linux vulnerability (CVE‑2021‑3560) in the polkit service allows unprivileged local users to obtain root privileges with just a few commands, affecting major distributions such as RHEL, Fedora, Debian, and Ubuntu, and was patched on June 3 2021.

CVE-2021-3560Security Vulnerabilitypolkit

0 likes · 4 min read

How a Simple Polkit Bug Lets Any User Gain Root on Linux (CVE‑2021‑3560)

OPPO Amber Lab

Apr 30, 2021 · Information Security

How Intent Redirection Bypasses Android Exported Component Restrictions

This article explains the difference between exported and non‑exported Android components, demonstrates how malicious apps can embed an Intent inside another exported component to reach private components, and provides practical detection and mitigation techniques to protect against Intent redirection vulnerabilities.

AndroidContent ProviderExported Component

0 likes · 12 min read

How Intent Redirection Bypasses Android Exported Component Restrictions

21CTO

Mar 14, 2021 · Information Security

How Apple’s Find My Can Be Exploited: Inside the Bluetooth Location Vulnerabilities

Researchers from Germany’s Darmstadt University uncovered two design flaws in Apple’s Find My Bluetooth location system that enable unauthorized access to a user’s recent location history, explain the offline‑finding mechanism, and detail how macOS vulnerabilities can be exploited to de‑anonymize devices.

AppleBluetoothFind My

0 likes · 5 min read

How Apple’s Find My Can Be Exploited: Inside the Bluetooth Location Vulnerabilities

Architecture Digest

Jan 18, 2021 · Information Security

Authentication Bypass Vulnerability in Nacos 1.4.1 (User‑Agent and Server Identity)

The article analyzes a bypass flaw in Nacos 1.4.1 where the serverIdentity key‑value authentication can be evaded by crafting URLs with a trailing slash, allowing attackers to list, create, and log in as users despite the intended security checks.

Authentication BypassExploitNacos

0 likes · 8 min read

Authentication Bypass Vulnerability in Nacos 1.4.1 (User‑Agent and Server Identity)

Programmer DD

Jan 16, 2021 · Information Security

Bypassing Nacos 1.4.1 User-Agent Authentication to Add Arbitrary Users

The article explains how Nacos 1.4.1's serverIdentity key‑value authentication can be bypassed by manipulating the request path, allowing attackers to call any HTTP interface, add new users, and gain full console access, and provides reproduction steps and a fix recommendation.

Authentication BypassCVEJava

0 likes · 10 min read

Bypassing Nacos 1.4.1 User-Agent Authentication to Add Arbitrary Users

Java Architecture Diary

Jan 15, 2021 · Information Security

How to Exploit and Patch the Nacos Authentication Bypass Vulnerability (v1.2‑v1.4)

This article explains the Nacos authentication bypass vulnerability affecting versions 1.2‑1.4, how attackers can exploit whitelist headers to gain unauthorized access, the widespread exposure revealed by Zoomeye scans, and the official remediation steps including upgrading to v1.4.1 and disabling the UA whitelist.

Authentication BypassNacosSecurity Vulnerability

0 likes · 3 min read

How to Exploit and Patch the Nacos Authentication Bypass Vulnerability (v1.2‑v1.4)

ITPUB

Nov 17, 2020 · Information Security

Exploiting and Patching Ubuntu’s accounts‑daemon & GDM3 Privilege‑Escalation Flaw

This article explains how a critical Ubuntu vulnerability discovered by security researcher Kevin Backhouse lets a standard user create a sudo‑enabled account without a password, details the step‑by‑step exploitation process, and outlines the official patches that mitigate the issue across affected LTS releases.

Security Vulnerabilityaccounts-daemon

0 likes · 7 min read

Exploiting and Patching Ubuntu’s accounts‑daemon & GDM3 Privilege‑Escalation Flaw

Programmer DD

Jun 17, 2020 · Information Security

How One Line of Code Opened a Remote Code Execution Hole in SpringBoot

A SpringBoot project’s custom validator introduced a severe remote code execution vulnerability when a single line of code interpolated user input, illustrating the importance of rigorous input validation, internationalized error handling, and security scanning before deployment.

EL InjectionException HandlingSecurity Vulnerability

0 likes · 13 min read

How One Line of Code Opened a Remote Code Execution Hole in SpringBoot

FunTester

Jun 1, 2020 · Information Security

Fastjson <=1.2.68 Remote Code Execution Vulnerability and Mitigation Recommendations

Tencent Cloud Security reports that Fastjson versions up to 1.2.68 contain a high‑risk remote code execution vulnerability exploitable via the autotype feature, allowing attackers to gain server system privileges, and recommends immediate updates, enabling SafeMode, or replacing the library with alternatives such as Jackson‑databind or Gson.

JavaRemote Code ExecutionSafeMode

0 likes · 3 min read

Fastjson <=1.2.68 Remote Code Execution Vulnerability and Mitigation Recommendations

360 Quality & Efficiency

Jan 22, 2018 · Information Security

High‑Risk Android WebView Cross‑Origin Access Vulnerability – Description, Impact, Detection, and Mitigation

A security bulletin released on January 9 2018 details a critical Android WebView cross‑origin vulnerability that can expose user privacy data and credentials, outlines its widespread impact on many apps, and provides detection tools and concrete remediation steps for developers.

AndroidCross-OriginMitigation

0 likes · 4 min read

High‑Risk Android WebView Cross‑Origin Access Vulnerability – Description, Impact, Detection, and Mitigation

21CTO

Feb 27, 2016 · Information Security

How Attackers Exploit Sina Weibo OAuth to Hijack User Accounts

This article examines common security pitfalls when integrating Sina Weibo OAuth for user login and account binding, illustrating CSRF vulnerabilities and code‑theft attacks through real‑world examples on Bilibili, NetEase Cloud Music, and Zhihu, and offers mitigation recommendations.

CSRFOAuth2Security Vulnerability

0 likes · 10 min read

How Attackers Exploit Sina Weibo OAuth to Hijack User Accounts

ITPUB

Nov 12, 2015 · Information Security

How Unauthenticated Redis Access Lets Attackers Hijack Servers – Exploit Steps and Mitigation

The article explains that Redis’s default public binding and lack of authentication allow attackers to read data, execute code, and write their SSH public key into /root/.ssh/authorized_keys, providing a complete guide to exploitation, statistical impact, PoC code, and practical mitigation measures.

ExploitMitigationSecurity Vulnerability

0 likes · 10 min read

How Unauthenticated Redis Access Lets Attackers Hijack Servers – Exploit Steps and Mitigation

MaGe Linux Operations

Jul 24, 2015 · Information Security

Bypassing OpenSSH’s 6‑Try Limit: How Attackers Can Get 10,000 Password Attempts

OpenSSH’s default six‑attempt password limit can be circumvented using the KingCope tool, allowing attackers to script up to ten thousand login attempts, which dramatically raises the risk of successful brute‑force attacks despite existing mitigation measures.

KingCopeOpenSSHSecurity Vulnerability

0 likes · 4 min read

Bypassing OpenSSH’s 6‑Try Limit: How Attackers Can Get 10,000 Password Attempts