With Autumn well underway and the days getting shorter, the team here at ProjectDiscovery are still hard at work with new developments on our tools, as well as some exciting next steps for the community.
In this September edition of the PD Community Newsletter, we’ll dip into the latest updates and releases you need to be aware of, as well as news from in and around the cybersecurity arena that you might’ve missed.
And, if you’re a regular contributor, be sure to check out the Highlights section this month for some details on how you can become part of one of our newest programs!
Don’t hesitate to keep sharing and celebrating your community contributions by getting in touch with us - as always, our innovations are powered by you, and we couldn’t be more grateful.
If you’re not a part of our GitHub and Discord yet, it’s never too late to join in on the discussions. We’ll see you there!
Release notes
Nuclei v3.3.2 and v3.3.3
Two Nuclei updates were released this month, full of new features, maintenance work and security fixes.
v3.3.2 added the ActionWaitDialog type to the headless protocol to simplify XSS detection, along with fixes around upgrading the GitHub API version and migrating issue templates to issue forms. A security issue was also addressed in the template signer package.
Adding even more functionality to our tools, v3.3.3 introduces Linear issue tracker support, and bug fixes for WithProxy errors and missing template_url for signed templates. On the maintenance side, support was added for fs.FS in template parsing.
interactsh v1.2.1
A minor update was made to interactsh this month, adding a PDCP auth option and fixing DNS correlation ID processing.
Nuclei Templates
July stats
A couple of big releases were made for Nuclei Templates this month, in the form of both v9.9.4 and v10.0.0. Across both of these releases, we’ve been lucky enough to gain 312 new templates, 15 first-time contributors, and 65 new CVEs!
🖨️ In response to the critical Linux CUPS printing system flaw, we’ve released a Nuclei template that will ensure you’re aware of your threat level against this vulnerability. It’s available to all ProjectDiscovery Cloud Platform users and of course in our repo as well.
Critical issues addressed in these releases include remote code execution for Moodle, unrestricted file upload in Traccar, and PHP object injection in GiveWP.
For our v10.0.0 release specifically, we wanted to highlight a brand new expansion of Nuclei Templates with a new suite that’s been specifically designed for Azure Cloud Configurations. This means that a host of specialized security checks have been added, tailored so that they work seamlessly alongside Azure services and their comprehensive components - such as VMs, App Services, SQL Databases, and more. Further details on this can be found in the GitHub release notes.
Alongside the introduction of these Azure-specific templates, we have a few critical CVE highlights to share, including remote code execution for Apache OFBiz, time-based blind SQL injection for the Zabbix Server, and unauthenticated credentials exposure for Cisco Smart Licensing.
Huge thanks to our contributors on all of these releases - @GuyGoldenberg, @tovask, @alessandro, @gy741, @s4e-io, @chae1xx1os, @persona-twotwo, @soonghee2, @rahaaaiii, @asteria121, @breakpack, @nukunga, @harksu, @nechyo, @theamanrawat, @bl4ckp4r4d1s3, @bleron, @r3naissance, @ctflearner, @morgan, @karkis3c, @righettod, @rxerium, @nodauf, @mihail8531, @s4e-garage, @CodeStuffBreakThings, @Farish, @0xPugal, @Thabisocn, @icarot, @kazet, @encodedguy, @mailler, @hahwul and @adeljck.
And, congratulations to our first-time contributors: @AdallomRoy, @PeterDaveHello, @linchizhen, @Parshva87, @syntacticNaCl, @fazlearefin, @flyingllama87, @ingbunga, @thefoggiest, @oIfloraIo, @non-things, @DEVisions, @nil0x42, @willmccardell, @BrunoTeixeira1996, @eeche, @gmeghab and @iuliu8899.
Other news
Highlights
Missed our September livestream? You can catch the recorded video over on our YouTube channel, where Georgina and Jason catch you up on community developments and plans for the future: https://www.youtube.com/watch?v=8wfX6Zwny3E
During the livestream, we unveiled an exciting new venture for ProjectDiscovery community members and regular contributors - the PD Pioneers program. For more details on tiers, rewards, and to learn how to apply, visit our dedicated page: https://projectdiscovery.io/pioneers
PD’s very own Backend Developer, Tarun Koyalwar, and our AppSec Researcher, Dhiyaneshwaran, will be speaking at BSides Ahmedabad in October. Check out the schedule: https://bsidesahmedabad.in/schedule/
Azure config review templates have been featured in the tldrsec newsletter. You can read the full release here: https://tldrsec.com/p/tldr-sec-248
Join our community
Our diverse community spans members from full-time bug bounty hunters to Fortune 500 security engineers.
Thanks,
The ProjectDiscovery Team
If you have any feedback or ideas for our Community Newsletter, please share them by filling out this form. You can provide links or suggestions for content that you would like to see in the newsletter.