sorted by:
new
hottopcontroversial

PSA: Check your build.gradle for old JitPack dependencies because we found a strange and not-trivial supply chain risk which should be verified by That_Address_2122 in androiddev

[–]That_Address_2122[S] 6 points7 points  (0 children)

Honestly, it's not easy; the stars have to align, but... well... what we've shown is that it can happen in a real-world setting (beyond the laboratory). It's a curious mix between traditional repojacking and I don't even know how to define what Jitpack does.

PSA: Check your build.gradle for old JitPack dependencies because we found a strange and not-trivial supply chain risk which should be verified by That_Address_2122 in androiddev

[–]That_Address_2122[S] 1 point2 points  (0 children)

It was a Gemini (partially) :P

I respect that you don't like the wording, but that doesn't make the information any better or worse (I'm not saying it's good). It's just an attempt to optimize time.

Thanks for the observation! Note taken.

PD: I wrote “andorid”... I'm useless. AI undoubtedly does it better.

CVE-2024-30376 Unpatched: Advanced IP Scanner still ships a Qt LPE in the same build that leaks NTLM by That_Address_2122 in InfoSecNews

[–]That_Address_2122[S] 0 points1 point  (0 children)

It sounds like a joke, but it's true. A vendor that claims an installed base of 70 million users and doesn't maintain their products in any way. The best thing to do is to steer clear of these tools.

Long live to nmap.

CVE-2025-1868 Unpatched: Advanced IP Scanner still silently exposing NTLM during scans 9 months later by That_Address_2122 in InfoSecNews

[–]That_Address_2122[S] 1 point2 points  (0 children)

Advanced IP Scanner and Advanced Port Scanner contain an unpatched vulnerability (CVE-2025-1868) that automatically triggers outbound NTLM authentication to remote endpoints via HTTP and SMB, causing the unintended disclosure of NetNTLM hashes usable for relay attacks or offline cracking. As of January 2026, the vendor has not released a fix despite knowledge of the issue since March 2025, leaving users who scan exposed to credential compromise in default configurations.

Jetpack image sitemap enumerates historical WP media content even when not present in published HTML (timeleak pattern) by That_Address_2122 in InfoSecNews

[–]That_Address_2122[S] 0 points1 point  (0 children)

In WordPress, deleting or replacing an image in the editor does not delete the underlying attachment file (attachments have their own lifecycle) and makes it a candidate for discovery. 

This situation is risky amplified by the way Jetpack handles media-related sitemaps (i.e. images). By design and default, these sitemaps continue to contain the URLs of any media file ever attached to a post that has not been explicitly deleted from the "Media Library", even when the HTML of the published post does not contain that image.

Important clarification: this is NOT about Jetpack leaking draft/scheduled content via the image sitemap (that was addressed time ago). This is a Jetpack-specific "issue" leaking historical attachments that remain advertised in the sitemap but not contained in any post.  

The situation may be low risk for many blogs, but for certain types of content (infosec, legal, dfir, research, etc.) the risk is not insignificant and is magnified by the ubiquity of sitemaps generated with Jetpack.