Vulnerabilities tagged 'bounty'

[GitLab] Stored XSS in Notes (with CSP bypass)

It seems that the syntax highlighting filter will read the data-sourcepos attribute rather permissively including newlines and angle brackets. This value gets reflected back out into the page where the browser will end up interpreting as HTML some of the text the backend throught was in the attribute.


[PlayStation] Remote kernel heap overflow

Heap overflow in the mbuf zone in the PPPoE driver, which the PS4/PS5 borrow from NetBSD.The issue is the fact that pppoe_send_padr() can calculate a packet length that exceeds MCLBYTES (2048 bytes)…


[Nextcloud] Bypass the protection lock in andoid app

Simple bypass of the (optional) password lock screen by force-killing the application a few times.The exact cause of this is unclear, I have seen something previously where it was a “feature” because the developers thought it was crashing on that point so disabled it to let the user continue to use the application…