每日攻防资讯简报[Jan.19th]

1.一个影响 Zoom 客户端和 MMR 服务器的缓冲区溢出, 一个是仅对 MMR 服务器上的攻击者有用的信息泄漏

https://googleprojectzero.blogspot.com/2022/01/zooming-in-on-zero-click-exploits.html

2.WordPress SQL 注入漏洞, 可能允许攻击者暴露存储在连接数据库中的数据(CVE-2021-21661)

https://www.zerodayinitiative.com/blog/2022/1/18/cve-2021-21661-exposing-database-info-via-wordpress-sql-injection

3.在 compasX 中发现的 AES 密钥生成漏洞

https://x41-dsec.de/lab/blog/telenot-complex-insecure-keygen/

4.Windows HTTP 协议栈远程代码执行漏洞 CVE-2022-21907

https://github.com/antx-code/CVE-2022-21907

5.(VMware)通过 post auth SSRF 窃取管理 JWT (CVE-2021-22056)

https://blog.assetnote.io/2022/01/17/workspace-one-access-ssrf/

6.Ajax.NET Professional 中的 RCE(CVE-2021-23758)

https://mogwailabs.de/en/blog/2022/01/vulnerability-spotlight-rce-in-ajax.net-professional/

7.NUUO NVRmini2（2022 版）中以 root 身份执行未经身份验证的远程代码执行

https://github.com/pedrib/PoC/blob/master/advisories/NUUO/nuuo_nvrmini_round2.mkd