@blamejs/exceptd-skills 0.15.14 → 0.15.16
- package/CHANGELOG.md +8 -0
- package/data/_indexes/_meta.json +5 -5
- package/data/attack-techniques.json +11 -0
- package/data/cve-catalog.json +246 -85
- package/data/zeroday-lessons.json +583 -198
- package/manifest.json +44 -44
- package/package.json +1 -1
- package/sbom.cdx.json +18 -18
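--- a/package/CHANGELOG.md
+++ b/package/CHANGELOG.md
@@ -1,5 +1,13 @@
 # Changelog
 
+## 0.15.16 — 2026-05-29
+
+Draft-curation pass 14 — web-application server-side RCE. Eight CISA KEV-listed unauthenticated web-app CVEs are promoted from auto-imported drafts to fully-curated entries with behavioral IOCs, ATT&CK enrichment, and matching zero-day lessons: Kentico Xperience CMS (CVE-2025-2749 path-traversal + file upload, CVE-2025-2746 and CVE-2025-2747 alternate-channel authentication bypasses), Craft CMS code injection (CVE-2025-32432 and the related CVE-2024-56145), Roundcube Webmail deserialization (CVE-2025-49113), and SolarWinds Web Help Desk deserialization (CVE-2025-26399, CVE-2025-40551). All map T1190, with per-class T1059 (code injection / deserialization), T1078 (auth bypass), or T1505.003 (upload → web shell). The lessons stress web-shell hunting and application-secret rotation as required cleanup beyond the patch.
+
+## 0.15.15 — 2026-05-29
+
+Draft-curation pass 13 — Windows kernel/driver LPE. Seven CISA KEV-listed Windows local-privilege-escalation CVEs are promoted from auto-imported drafts to fully-curated entries with behavioral IOCs, ATT&CK enrichment, and matching zero-day lessons: a Common Log File System (CLFS) driver use-after-free (CVE-2025-32701 — CLFS is a recurring kernel-LPE target), a race condition (CVE-2025-62215), an untrusted-pointer dereference (CVE-2025-24990), link-following (CVE-2025-60710), a kernel out-of-bounds read primitive (CVE-2023-36424), an information-disclosure primitive (CVE-2026-20805), and improper privilege management (CVE-2021-43226). All map T1068 (Exploitation for Privilege Escalation). The lessons frame these as the second half of the ransomware chain (initial access → unpatched LPE → SYSTEM within hours) and stress hypervisor-protected code integrity (HVCI/VBS) and the Microsoft Vulnerable Driver Blocklist as load-bearing endpoint controls beyond the patch.
+
 ## 0.15.14 — 2026-05-29
 
 Draft-curation pass 12 — legacy Microsoft client-side RCEs. Six CISA KEV-listed older Microsoft document / browser / font-parsing RCEs are promoted from auto-imported drafts to fully-curated entries with behavioral IOCs, ATT&CK enrichment, and matching zero-day lessons: Office (CVE-2009-0238), PowerPoint (CVE-2009-0556), Excel (CVE-2007-0671), Internet Explorer (CVE-2010-3962 — a landmark IE zero-day from the Operation Aurora era), Windows TrueType font parsing (CVE-2011-3402 — the Duqu zero-day), and Windows InformationCardSigninHelper ActiveX (CVE-2013-3918). All map T1203 (Exploitation for Client Execution). The lessons frame these as long-tail KEV re-listings — the patch landed years ago, but CISA re-lists because unpatched legacy estates remain exposed; centralized patch management plus Office hardening (Protected View, ASR rules) are the load-bearing controls.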
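--- a/package/data/_indexes/_meta.json
+++ b/package/data/_indexes/_meta.json
@@ -1,13 +1,13 @@
 {
 "schema_version": "1.1.0",
-"generated_at": "2026-05-
+"generated_at": "2026-05-29T21:41:35.237Z",
 "generator": "scripts/build-indexes.js",
 "source_count": 54,
 "source_hashes": {
-"manifest.json": "
+"manifest.json": "1bf79bbc78662fe233ebd4ae9d66a6715054a144dbe6d414f145d6f895b6cdb2",
 "data/atlas-ttps.json": "878b4a08bb73c8d20396d85cf433a88f2bc5e7a8cbf7f6ab773ce7ede0a11251",
-"data/attack-techniques.json": "
-"data/cve-catalog.json": "
+"data/attack-techniques.json": "ab66fbbc079bec071f9f2d2e92f194ce95289f91a19a188e9d6d0489c4fafb97",
+"data/cve-catalog.json": "369f3585bd52254f928ed322ab30b1cf3d207fed5d7e3b5c76c4de8cd89dc709",
 "data/cwe-catalog.json": "0fd275c2a61754958d68cea03a92794a67cf1c1d4d609f81a5728334df013ee3",
 "data/d3fend-catalog.json": "9a54bccb9f24f84b32024216cc3f53819a053721ac8ab43c326859e68fc0ffaf",
 "data/dlp-controls.json": "d2406c482dddd30e49203879999dc4b3a7fd4d0494d6a61d86b91ee76415df19",
@@ -15,7 +15,7 @@
 "data/framework-control-gaps.json": "29e7b6aa841ddf2530ca5971bdb60d7a715684b2f6264141ad49f0de9a039d78",
 "data/global-frameworks.json": "9ba563a85f7f8d6c3c957de64945e20925a89d0ed6ea6fc561cf093811acf558",
 "data/rfc-references.json": "b21d03b948c41bc8a854e2f057948ecf844bd8c105848aeb141d1eadf8192c31",
-"data/zeroday-lessons.json": "
+"data/zeroday-lessons.json": "549c3ef8ffd0b42743d9939ef0d2a083acbb6e61f0c6f83b4aac718d4c62e978",
 "skills/kernel-lpe-triage/skill.md": "0f79c641cef6e5f4a942eb94f43c460562bf83dfb67ae112d146c39c6b320fb0",
 "skills/ai-attack-surface/skill.md": "2880499993e0e69e3897a9d02b5e83aa0462c86a4dd2c1988b9968e375704a1f",
 "skills/mcp-agent-trust/skill.md": "0752834acde0303d6d1e36be4b320eac3d34fde715bb8d71f3ad9e801d701482",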
@@ -298,6 +298,7 @@
|
|
|
298
298
|
"CVE-2024-4889",
|
|
299
299
|
"CVE-2024-50050",
|
|
300
300
|
"CVE-2024-5565",
|
|
301
|
+
"CVE-2024-56145",
|
|
301
302
|
"CVE-2024-8069",
|
|
302
303
|
"CVE-2025-10164",
|
|
303
304
|
"CVE-2025-1094",
|
|
@@ -307,16 +308,20 @@
|
|
|
307
308
|
"CVE-2025-20281",
|
|
308
309
|
"CVE-2025-20337",
|
|
309
310
|
"CVE-2025-23254",
|
|
311
|
+
"CVE-2025-26399",
|
|
310
312
|
"CVE-2025-27520",
|
|
311
313
|
"CVE-2025-29635",
|
|
312
314
|
"CVE-2025-30165",
|
|
315
|
+
"CVE-2025-32432",
|
|
313
316
|
"CVE-2025-32434",
|
|
314
317
|
"CVE-2025-32444",
|
|
315
318
|
"CVE-2025-3248",
|
|
316
319
|
"CVE-2025-33236",
|
|
317
320
|
"CVE-2025-34291",
|
|
318
321
|
"CVE-2025-3466",
|
|
322
|
+
"CVE-2025-40551",
|
|
319
323
|
"CVE-2025-4428",
|
|
324
|
+
"CVE-2025-49113",
|
|
320
325
|
"CVE-2025-49596",
|
|
321
326
|
"CVE-2025-49704",
|
|
322
327
|
"CVE-2025-51480",
|
|
@@ -480,6 +485,7 @@
|
|
|
480
485
|
"CVE-2020-17103-REREGRESSION-2026",
|
|
481
486
|
"CVE-2021-30952",
|
|
482
487
|
"CVE-2021-43226",
|
|
488
|
+
"CVE-2023-36424",
|
|
483
489
|
"CVE-2023-41974",
|
|
484
490
|
"CVE-2023-43000",
|
|
485
491
|
"CVE-2024-0769",
|
|
@@ -501,6 +507,7 @@
|
|
|
501
507
|
"CVE-2025-62849",
|
|
502
508
|
"CVE-2026-0300",
|
|
503
509
|
"CVE-2026-20122",
|
|
510
|
+
"CVE-2026-20805",
|
|
504
511
|
"CVE-2026-31431",
|
|
505
512
|
"CVE-2026-31635",
|
|
506
513
|
"CVE-2026-33825",
|
|
@@ -989,6 +996,9 @@
|
|
|
989
996
|
"CVE-2025-25257",
|
|
990
997
|
"CVE-2025-25297",
|
|
991
998
|
"CVE-2025-26399",
|
|
999
|
+
"CVE-2025-2746",
|
|
1000
|
+
"CVE-2025-2747",
|
|
1001
|
+
"CVE-2025-2749",
|
|
992
1002
|
"CVE-2025-27520",
|
|
993
1003
|
"CVE-2025-2775",
|
|
994
1004
|
"CVE-2025-2776",
|
|
@@ -12069,6 +12079,7 @@
|
|
|
12069
12079
|
"_auto_imported": true,
|
|
12070
12080
|
"_intake_method": "mitre-attack-stix",
|
|
12071
12081
|
"cve_refs": [
|
|
12082
|
+
"CVE-2025-2749",
|
|
12072
12083
|
"CVE-2025-31324",
|
|
12073
12084
|
"CVE-2025-49704",
|
|
12074
12085
|
"CVE-2025-53770"
|