**tl;dr** Cool chain to escape and impact other containers on `Azure Container Instances` hosted by Kubernetes clusters (some are hosted by Service Fabric Clusters, which are not vulnerable in this way). The first step is the container escape itself into the containing node/VM, followed by a leaked JWT useful to run commands against all nodes in the cluster.
**tl;dr** - The OAuth endpoint parses the URL parameters `redirect_uri` and `redirect_uri[0` (note the missing `]`) as pointing to the same variable, allowing the second to overwrite the first. The front-end, however, sees them as two distinct keys and so redirects the OAuth token to the `redirect_uri` value, while the endpoint validates that the other value points to a whitelisted location.
Plenty of background here, both in terms of software, architecture, and testing environment. Probably worth checking out if you want to get into car hacking...
Good bit of background on this one; it does a good job of explaining the root of the issue. There are two parts, the first is a 2020 CVE...
Interesting post that covers a bit about the meta of bug-hunting in Source Engine games and some how-to information. There are two OOB read vulnerabilities used in the chain.
Cool bug, but hard to actually exploit despite getting PC control. The vuln uses GLSL, a C-like shader language that gets translated into C before being executed...
First goes into some background details on QMI, what kinds of services it provides, and details on how they fuzzed the interface (used QEMU hexagon to emulate the modem in conjunction with AFL). They talk about one of the vulns the fuzzer dug up, which was a heap overflow in the voice service's `call_config_req` handler...
Two vulnerabilities and a good deal of background. Vulns happen in the UEFI Request hypercalls...
Two vulnerabilities, both in ConnMan, a root service for managing network connections: a stack-based overflow and a stack leak.
Gatekeeper would misclassify certain types of applications, allowing them to run without any restriction. Specifically, you can cause confusion in the policy engine regarding whether the app is bundled or not...