LMDeploy Vulnerability Exploited Within 13 Hours of Disclosure

A critical vulnerability in LMDeploy's vision-language module was exploited in the wild just 13 hours after its disclosure, allowing attackers to access sensitive resources and internal networks. This server-side request forgery flaw, tracked as CVE-2026-33626, affects all versions of the toolkit prior to 0.12.0.

https://osintsights.com/lmdeploy-vulnerability-exploited-within-13-hours-of-disclosure?utm_source=mastodon&utm_medium=social

#ServersideRequestForgery #Ssrf #Lmdeploy #Cve202633626 #VulnerabilityExploitation

Nebraska.Code 2025 hosted on Whova

July 23 – 25, 2025, Lincoln, NE

🟠 Attacking browser extensions

by Kevin Stubbings @kwstubbs at @github

Learn about browser extension security and secure your extensions with the help of CodeQL.

#vulnerability #extension #script #CrosssiteScripting #ServerSideRequestForgery #ExtensionAPIinjection #webdev

https://github.blog/security/vulnerability-research/attacking-browser-extensions/


A recent security vulnerability, identified as CVE-2024-6922, affects Automation Anywhere's Automation 360, a popular Robotic Process Automation suite. This vulnerability allows for Server-Side Request Forgery (SSRF), enabling an attacker with unauthenticated access to the Automation 360 Control Room HTTPS service (port 443) or HTTP service (port 80) to trigger arbitrary web requests from the server.

The discovery of this issue was made by Ryan Emmons, a Lead Security Researcher at Rapid7, who worked closely with Automation Anywhere to address and mitigate the vulnerability. The timeline of events began with Rapid7 contacting Automation Anywhere on June 17, 2024, and culminated in the public disclosure of the vulnerability on July 26, 2024. It's noteworthy that Automation Anywhere had already addressed this issue in version 33 of their product, released on June 17, 2024, prior to receiving the report from Rapid7.

Customers using InsightVM and Nexpose products from Rapid7 can assess their exposure to CVE-2024-6922 through a vulnerability check included in their content release on July 26, 2024. To protect against this vulnerability, Automation Anywhere advises upgrading to Automation 360 v.33, where the issue has been resolved according to their release notes.

https://www.rapid7.com/blog/post/2024/07/26/cve-2024-6922-automation-anywhere-automation-360-server-side-request-forgery/

#cybersecurity #automation360 #vulnerability #automationanywhere #ssrf #serversiderequestforgery #devsecops #networksecurity #https #http #infosec #rapid7

CVE-2024-6922: Automation Anywhere Automation 360 Server-Side Request Forgery | Rapid7 Blog

Automation 360 Robotic Process Automation suite v21-v32 is vulnerable to unauthenticated Server-Side Request Forgery (SSRF).

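Both the LMDeploy post and the Automation 360 post above describe the same bug class: a server that fetches a caller-supplied URL and can therefore be pointed at loopback, RFC 1918 ranges or the 169.254.169.254 cloud metadata endpoint. The block below is an added example of the destination check such a fetcher needs; it is not code from LMDeploy, Automation Anywhere or Rapid7. The host names, the FAKE_DNS table and fake_resolver are constructed so the check can be exercised offline; system_resolver is the equivalent backed by the OS resolver.

```python
"""SSRF destination check for a server-side URL fetcher (added example, not code
from LMDeploy, Automation Anywhere or Rapid7).

Accepts only http/https, refuses credentials in the URL, resolves the host
once, rejects every non-global address (loopback, RFC 1918, link-local
including 169.254.169.254, IPv4-mapped IPv6, TEST-NET and similar), and returns
the vetted IP so the caller connects to *that* address instead of re-resolving
the name, which would reopen the door to DNS rebinding.
"""
import ipaddress
import socket
from typing import Callable, Iterable, Optional, Tuple
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}
Resolver = Callable[[str], Iterable[str]]


def system_resolver(host: str) -> list:
    """Resolve host to all of its A/AAAA records via the OS resolver."""
    infos = socket.getaddrinfo(host, None, proto=socket.IPPROTO_TCP)
    return sorted({info[4][0] for info in infos})


def is_public_address(addr: ipaddress._BaseAddress) -> bool:
    """True only for globally routable addresses. IPv4-mapped IPv6 is
    unwrapped first so ::ffff:10.0.0.1 is judged as 10.0.0.1."""
    if isinstance(addr, ipaddress.IPv6Address) and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped
    return addr.is_global


def vet_fetch_target(url: str, resolver: Resolver = system_resolver
                     ) -> Tuple[bool, str, Optional[str]]:
    """Return (allowed, reason, pinned_ip) for a user-supplied URL."""
    try:
        parts = urlsplit(url)  # raises on malformed IPv6 brackets
    except ValueError as exc:
        return False, f"unparseable URL: {exc}", None
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return False, f"scheme {parts.scheme!r} not allowed", None
    if parts.username is not None or parts.password is not None:
        return False, "credentials in URL", None
    host = parts.hostname
    if not host:
        return False, "missing host", None
    try:
        candidates = [ipaddress.ip_address(host)]  # IP literal: no DNS lookup
    except ValueError:
        try:
            candidates = [ipaddress.ip_address(a) for a in resolver(host)]
        except (OSError, ValueError) as exc:  # socket.gaierror is an OSError
            return False, f"resolution failed: {exc}", None
    if not candidates:
        return False, "host resolved to no addresses", None
    # Every record must be public. An answer mixing a public and a private
    # address (or a literal like 127.1 that the OS resolver expands) is
    # rejected outright rather than hoping the client picks the public one.
    for addr in candidates:
        if not is_public_address(addr):
            return False, f"non-public address {addr}", None
    return True, "ok", str(candidates[0])


# Constructed DNS records for offline demonstration (not real hosts).
FAKE_DNS = {
    "model-host.example": ["104.18.0.1"],
    "rebind.example": ["104.18.0.1", "10.0.0.5"],
    "metadata.internal": ["169.254.169.254"],
}


def fake_resolver(host: str) -> list:
    """Stand-in for system_resolver backed by the constructed FAKE_DNS table."""
    if host not in FAKE_DNS:
        raise socket.gaierror(-2, "Name or service not known")
    return FAKE_DNS[host]


if __name__ == "__main__":
    for candidate in [
        "https://model-host.example/images/cat.png",
        "http://rebind.example/",
        "http://metadata.internal/latest/meta-data/",
        "http://169.254.169.254/latest/meta-data/",
        "http://[::ffff:127.0.0.1]:8000/",
        "file:///etc/passwd",
        "http://admin:secret@model-host.example/",
    ]:
        print(candidate, "->", vet_fetch_target(candidate, fake_resolver))
```

The check is only half the fix: the fetcher must open its connection to the returned pinned IP (setting the Host header and TLS SNI to the original name), must run vet_fetch_target again on every redirect target instead of following it blindly, and should keep the response body away from anything that echoes internal content back to the caller.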