AI-Driven Code Analysis: The Future of Whitebox Security Testing

ICYMI (In Case You Missed It): Let’s be real—whitebox pentesting involves a lot of tedious, repetitive steps. From reading and wrapping your head around the context, digging through the logic, hunting for bugs, exploiting them, to the absolute drag of writing reports… it’s a grind. But guess what? AI can now totally carry us through almost all of these phases! In this post, I’m going to flex Antigravity along with its full arsenal of skills and rules to pull off a buttery smooth whitebox pentest. ...

March 5, 2026 · 5 min · 1049 words · ancorn_

[POC] CVE-2024-24842 - Unauthenticated PHP Object Injection in plugin Knowledge Base - WordPress

Knowledge Base for Documentation, FAQs with AI Assistance plugin - Unauthenticated PHP Object Injection. This blog post is about the Knowledge Base for Documentation, FAQs with AI Assistance plugin vulnerability. If you’re using this plugin, please update the plugin to at least version 11.31.0. About the Knowledge Base for Documentation, FAQs with AI Assistance plugin: the plugin Knowledge Base for Documentation, FAQs with AI Assistance (versions 11.30.2 and below) is estimated to have over 10,000 active installations. ...

February 19, 2024 · 3 min · 451 words · ancorn_

[POC] CVE-2020-7769 - Command Injection in nodemailer

Introduction: Command Injection in nodemailer. One day, I read some product code and found out that the application was using nodemailer to send email. After spending a few seconds auditing the package-lock file, I saw it had this CVE. But after reading the details and their POC, I still did not understand what they wanted to deliver. I found their commit that fixes the bug and now know where the bug comes from: https://github.com/nodemailer/nodemailer/commit/ba31c64c910d884579875c52d57ac45acc47aa54. It comes from the send function, with arbitrary command flag injection in the sendmail transport. ...

September 3, 2023 · 3 min · 622 words · ancorn_