Somewhat traditional CL.TE request smuggling attack on a few of Apple's domains. The main trick with this one was to place a `\n ` in the `Transfer-Encoding` header name...
The title says it all, CSRF protection was disabled for a period of time on Stripe's Dashboard. As the most sensitive actions required reentering the user's password or solving a captcha the damage was limited, but you could still change various account settings...
The bulk import API when importing a group would, if the group had any uploads, download the `uploads.tar.gz` and extract it including any symlinks. When the extracted files are later listed, viewing any of the symlinked files will result in the symlink being followed and arbitrary files being read from outside the upload directory.
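A defensive check for the extraction step described above, written as an added example (not the affected project's own code): a Python tar extractor that refuses symlink, hardlink and path-escaping members before anything is written to disk, plus a constructed sample archive to exercise it. Python 3.12+ can enforce the same rules with `extractall(filter='data')`.

```python
import io
import tarfile
import tempfile
from pathlib import Path

def unsafe_members(tar: tarfile.TarFile, dest: Path) -> list[str]:
    """Names of members that are not plain files/dirs or resolve outside dest."""
    base = dest.resolve()
    bad = []
    for m in tar.getmembers():
        if not (m.isfile() or m.isdir()):  # symlink, hardlink, device, fifo
            bad.append(m.name)
            continue
        target = (base / m.name).resolve()
        if target != base and base not in target.parents:
            bad.append(m.name)  # '../' or absolute-path escape
    return bad

def safe_extract(tar_bytes: bytes, dest: str) -> list[str]:
    """Extract into dest, refusing the whole archive if any member is unsafe."""
    with tarfile.open(fileobj=io.BytesIO(tar_bytes), mode="r:gz") as tar:
        bad = unsafe_members(tar, Path(dest))
        if bad:
            raise ValueError("unsafe members: " + ", ".join(bad))
        tar.extractall(dest)  # every member has been validated above
        return [m.name for m in tar.getmembers()]

def build_upload_tarball(with_symlink: bool) -> bytes:
    """Constructed sample uploads.tar.gz: a regular file, optionally a symlink."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        info = tarfile.TarInfo("uploads/readme.txt")
        info.size = 5
        tar.addfile(info, io.BytesIO(b"hello"))
        if with_symlink:  # member whose target lies outside the upload dir
            link = tarfile.TarInfo("uploads/notes.txt")
            link.type = tarfile.SYMTYPE
            link.linkname = "/etc/hostname"
            tar.addfile(link)
    return buf.getvalue()

def run_demo() -> tuple[str, list[str]]:
    """Returns (error for the symlink archive, names extracted from the clean one)."""
    with tempfile.TemporaryDirectory() as d:
        try:
            safe_extract(build_upload_tarball(True), d)
            error = ""
        except ValueError as e:
            error = str(e)
        return error, safe_extract(build_upload_tarball(False), d)
```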
Trivial instance of client-side validation: to enforce a timeout between attempts they were using the device's own clock, so by changing the time on the device you can make more attempts at the PIN.
Great bounty for a fairly simple bug: `showSaveFilePicker` would allow JavaScript to provide options including a default filename, which could include Windows environment variables (`%VAR%`-style). The JavaScript could then access the name of the saved file in the resulting promise.
Two issues, first an XSS requiring two injection points to bypass the web-application firewall and a cache poisoning attack making it possible for the XSS to be stored.
Two Facebook Canvas issues enabling an attacker application to get privileged first-party API keys by pretending to be Instagram or another first-party application.
I want to say the root of this issue is trying to determine by name whether an identifier is a commit hash or a branch name. While git allows the creation of branches consisting of 40 hex characters, GitHub will reject the branch...
Once again deserialization and RCE through an unprotected viewstate; it's kinda silly that this sort of issue continues to persist. The normal `__VIEWSTATE` field is used by some .NET applications to contain a ton of information about the current view state...
Exactly as the title puts it, cross-site scripting through content injected from the `X-Forwarded-Host` header. It's interesting that this one was paid out, as without some other issue like cache poisoning it would be impossible, as far as I am aware, to exploit this since you cannot control the headers of a random user's requests.
Polygon places the blame for this bug on not checking that the `from` address in a transfer actually has the balance to cover the transfer in the first place. While I don't doubt that is a core issue, it feels like that may only be part of the issue, the other part being a lack of error checking, or perhaps improper error handling...
**tl;dr** There are two key issues with Flickr's use of AWS Cognito for their authentication: first, only the `sub` attribute is guaranteed to be unique and should be used to identify users; second, the `access_token` provided can be used to modify user attributes. These issues can be chained to modify the `email` attribute (which is the attribute Flickr is using to identify accounts) and have one Cognito account map to another user's Flickr account.
There is an argument injection within the `ms-officecmd` URI scheme (available by default on Windows 10 and 11) used by MS Office applications to launch other Office apps. By targeting the MS Teams Electron application one could leverage the `--gpu-launcher` argument for arbitrary command injection without any hassle.