Just four bugs this week, but they are all somewhat interesting: an Instagram 2FA removal, deanonymizing Slack users, a MySQL bug, and how to get cheap Reddit coins.
Just a handful of traditional vulns this week: IDOR, CSRF, SQLi, a logic vuln and zi's boomer side starts to show.
A simple-to-exploit path traversal in Apache...in 2021, a one-time-password defeat by having it be sent to both the attacker and the victim, and more JWT issues.
A few interesting issues this week, ranging from a macOS Gatekeeper bypass, some OAuth flow issues in Facebook, and even an RCE through the password field.
Some of Apple's XPC services are leaking information, Finder has an RCE, and CodeQL is used to find many RCEs in Apache Dubbo.
Some high impact vulnerabilities this week: CSRF in account deletion, remote code execution as root, and an Apache "0day" that discloses PHP source.
Some drama with the VMware bounty program, and then a few straightforward vulnerabilities and a really cool Azure Container Instances escape and takeover.
Multiple account takeover vulnerabilities in this episode, with three cross-origin communication vulnerabilities in Facebook, an odd OTP endpoint in Snapchat, and an open redirect in JetBrains leaking your JWT.