Tencent Security Xuanwu Lab Daily News

• (CVE-2023-3368) Chamilo LMS Unauthenticated Command Injection:
https://starlabs.sg/advisories/23/23-3368/

   ・ Chamilo开源学习管理系统存在命令注入漏洞，攻击者可利用该漏洞远程执行代码。 – SecTodayBot

• Analysis of CVE-2023-46214 + PoC:
https://blog.hrncirik.net/cve-2023-46214-analysis

   ・ Splunk Enterprise中的远程代码执行（RCE）漏洞。Splunk Enterprise版本低于9.0.7和9.1.2未对用户提供的可扩展样式表语言转换（XSLT）进行安全处理。 – SecTodayBot

• Python Cryptography advisory: CVE-2023-49083 NULL-dereference when loading PKCS7 certificates:
https://seclists.org/oss-sec/2023/q4/248

   ・ Python Cryptography存在CVE-2023-49083漏洞，加载PKCS7证书时可能导致NULL指针解引用和段错误。 – SecTodayBot

• GitHub - 0xdea/semgrep-rules: A collection of my Semgrep rules to facilitate vulnerability research.:
https://github.com/0xdea/semgrep-rules

   ・ 这篇文章介绍了Semgrep规则集，用于简化漏洞研究，包括C/C++缓冲区溢出、整数溢出、格式化字符串、内存管理、命令注入、竞争条件和权限管理等多个方面的规则。 – SecTodayBot

• GitHub - floranguyen0/tranchess-vulnerability-disclosure:
https://github.com/floranguyen0/tranchess-vulnerability-disclosure

   ・ Tranchess协议的ShareStaking合约存在一个潜在的漏洞，可能导致令人惊讶的损失。开发者和安全研究人员需要注意对任何gas优化技术的关注，以避免潜在的危险行为。 – SecTodayBot

• A Detailed Look at Pwn2Own Automotive EV Charger Hardware:
https://www.thezdi.com/blog/2023/11/28/a-detailed-look-at-pwn2own-automotive-ev-charger-hardware

   ・ Pwn2Own汽车EV充电器硬件详细解析：该文章提供了即将举行的Pwn2Own汽车比赛中目标EV充电器的详细图像，以帮助参赛者了解比赛中所使用的EV充电器的组件硬件。 – SecTodayBot

* 查看或搜索历史推送内容请访问：
https://sec.today

* 新浪微博账号：腾讯玄武实验室
https://weibo.com/xuanwulab