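Recently, QiAnXin CERT observed that the Rust project has released a new version fixing a Rust command injection vulnerability (CVE-2024-24576). When the Command API is used on Windows to invoke batch files (with the bat and cmd extensions), the Rust standard library does not correctly escape the arguments. An attacker who can control the arguments passed to the spawned process can bypass the escaping and execute arbitrary shell commands. A PoC is now publicly available on the internet; given that this vulnerability affects...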
PoC in GitHub 2024 CVE-2024-0015 (2024-02-16) In convertToComponentName of DreamService.java, there is a possible way to launch arbitrary protected activities due to intent redirection. This could lead to local escalation of privilege with User execution privileges needed. User interaction is not...