The Exploit Podcast: CVEs and Security News

Podcast by SecurityPod

English

News & politics

About The Exploit Podcast: CVEs and Security News

Stay updated with the most critical vulnerabilities of the week. In each episode, we analyze major CVEs, what caused them, their impact and mitigation strategies - helping security professionals and enthusiasts stay ahead of threats.

All episodes

9 episodes

JWT Validation Failure In Jupyter Hub, Arbitrary File Upload and SQL Injection in Mattermost, Path Traversal File Deletion in Mautic, Deserialization Of Untrusted Data in MetaSlider and more

Week ending 27th Feb, 2025. Key vulnerabilities to be discussed include:

  • JWT Validation Failure in JupyterHub
  • Arbitrary File Upload and SQL Injection in Mattermost, where versions of Mattermost are failing to properly validate board blocks when importing boards and failing to use prepared statements in SQL queries
  • Path Traversal File Deletion in Mautic, where improper handling of path components allows authenticated users to manipulate file deletion processes
  • Deserialization of Untrusted Data in MetaSlider, potentially leading to object injection

The podcast will also cover unrestricted file uploads, authentication bypasses, and SQL injection flaws in systems like GreaterWMS, Everest Forms, XOne Web Monitor and Tenda routers.

27 Feb 2025 - 18 min

Integer Overflow in Mercedes-Benz, RCE via Deserialization in Apache Ignite, Improper Authentication in Orca HCM, Plaintext Password in Netgear C7800 and more

Week ending 20th Feb. The Exploit Podcast dives deep into the week's most critical vulnerabilities affecting software, hardware, and web applications. Host and Principal Security Architect dissect real-world security challenges, from a sensitive information leak in a popular WordPress plugin (Oliver POS) to SAML signature bypasses in the CIE authentication library, command injection in Widget Options, and authentication flaws in TP-Link and D-Link routers. This episode highlights the importance of input validation, robust authentication, and staying vigilant in the face of ever-evolving threats. Perfect for engineers and security researchers looking to stay informed.

20 Feb 2025 - 30 min

Remote code execution via Prompt Injection in PandasAI, Unverified password change vulnerability in Janto, Private Key Extraction in Elliptic (JS) and Regex Denial of Service in Koa and more

Week ending 13th Feb 2025. Get ready for another intense week in cybersecurity! This week, we're diving deep into a fresh batch of critical vulnerabilities hitting everything from WordPress plugins to enterprise software. We'll uncover flaws that could let attackers remotely hijack your systems, steal your data, or even take over entire networks. From privilege escalation in popular WordPress plugins that leave sites wide open to unauthenticated attackers, to a critical vulnerability in Elliptic that allows for private key extraction, we're breaking down the threats and what you can do to protect yourself. Don't miss this crucial update on the vulnerabilities that could be impacting you right now.

13 Feb 2025 - 26 min

Django Unicorn Class Pollution, GeoTools XPath Manipulation, Eladmin CSV Injection, Zimbra SQL Injection, WooCommerce Taxi Booking Deserialization and more

Week 5 ending 6th Feb, 2025. In this episode, we dive deep into the latest security advisories, uncovering a surge of critical vulnerabilities affecting a wide range of software. From command injection flaws in EasyVirt DCScope and privilege escalation vulnerabilities due to weak encryption, to remote code execution exploits in Advantive VeraCore and ClassCMS, we break down the threats and their potential impact. We also discuss a concerning class pollution vulnerability in Django-Unicorn that can lead to XSS, DoS, and authentication bypass. Plus, we'll cover SQL injection flaws in Moss and Zimbra Collaboration, file upload vulnerabilities in ChestnutCMS, and memory corruption issues. Stay informed and learn how to protect your systems from these emerging threats!

6 Feb 2025 - 20 min