This seemed to mostly be an exercise in attack surface discovery: scanning the files used by Iconics, they found support for `gdfx` files with support for embedded JavaScript, including the ability to load an ActiveX object and execute shell commands on the local machine. Despite this being an apparently surface-level issue, it survived until Pwn2Own and through multiple other contestants (the author was 5th of 7 against the application) to net them a $20,000 bounty.
Two argument injections that were found in Bitbucket Server, though only one of them was exploitable. The first was in the `/rest/api/latest/projects/~USER/repos/repo1/browse` endpoint, where an `at` parameter could be provided...
It seems that the syntax highlighting filter will read the `data-sourcepos` attribute rather permissively, including newlines and angle brackets. This value gets reflected back out into the page, where the browser will end up interpreting as HTML some of the text the backend thought was inside the attribute.
Inspired by HTTPVoid's February write-up about [Hacking Google Drive Integrations](https://github.com/httpvoid/writeups/blob/main/Hacking-Google-Drive-Integrations.md), they took a deeper look at how HelloSign patched the SSRF documented there.
The bug comes from GitLab's use of Rails UJS (Unobtrusive JavaScript). While known `data-*` attributes like `data-url` and `data-method` are stripped by DOMPurify, arbitrary `data-*` attributes aren't...
Heap overflow in the mbuf zone in the PPPoE driver, which the PS4/PS5 borrow from NetBSD. The issue is that `pppoe_send_padr()` can calculate a packet length that exceeds `MCLBYTES` (2048 bytes)...
Authentication bug in Priceline through the use of Google OneTap. The problem is that they assume emails provided through Google OneTap are verified and authentic...
A chain of bugs starting with a "third party" information disclosure and leading to an account takeover. The third-party aspect can be argued, but as a vuln classification it feels like the best fit for the root of this issue...
A nice little logic error abusing an edge case between two different command flags. Curl may remove the wrong file when the `--no-clobber` and `--remove-on-error` flags are used together...
Seems like a case of a generic endpoint being implemented to update any field provided, without consideration of other restrictions on said field. In this case we have a `PATCH /api/v2.0/accounts/` endpoint which ultimately takes in a dictionary containing field/value pairs to be updated for the account id...
A cross-site scripting attack hidden in the profile update functionality, specifically the profile image. Judging from the payload, it looks like straightforward unescaped input that gets reflected on profile pages, though they did need to contend with Cloudflare's WAF...
Simple bypass of the (optional) password lock screen by force-killing the application a few times. The exact cause of this is unclear. I have seen something similar previously where it was a "feature": the developers thought the app was crashing at that point, so they disabled the lock to let the user continue using the application...