Vulnerabilities tagged "bounty"

Great documentation of the process finding a WAF process, building up the final payload bit by bit.

The `username`, `from_name` and `password` fields of the SMTP server configuration accept new-line characters that will be printed directly into the resulting configuration file.Using this it is possible to include configuration parameters that are not normally exposed...

A number of bugs in Tailscale leading to an RCE chain.

Bit of a race condition leading to a lock screen bypass on Pixel devices.

As the title says, some weird load balancers issues, core problem being that user-specific data would be cached and returned to other users.

When performing a BulkImport it is possible to provide a URL to`httpUrlToRepo` that will resolve to a repository on the local filesystem.

Straight forward IDOR, but the vulnerable feature is somewhat hidden. Within Google Data Studio you have an option to create a template and then perhaps add that template to the report, it is the process of persisting that template in a report that is vulnerable to IDOR.

Facebook's SMS Captcha page would as you might expect, display a captcha, the user fills it out, and then it makes a POST request to the next page including the anti-CSRF token. The problem being that the next location was determined by the `next` url parameter which was entirely attacker controlled, and could be pointed to sensitive GraphQL endpoints.

Multiple memory corruptions in Microsoft Edge browser, there are several issues here but they all generally can be summed up as "self-corruptions".Its things like a use-after-free by opening a dialog, closing the backing page that spawned the dialog, and then closing the dialog triggering a callback that no longer exists...

What happens when you tell a server to treat the `Content-Length` header as a hop-by-hop header and remove it? Request smuggling.