This seemed to mostly be an exercise in attack surface discovery, scanning the files used by Iconics they found support for `gdfx` files with support for embeded JavaScript, including the ability to load an ActiveX object and execute shell commands on the local machine. Despite this being an apparently surface level issue, it survived until Pwn2Own and through multiple other contestants (the author was 5th of 7 against the application) to net them a $20,000 bounty.
**tl;dr** Force others to pay you a fee for giving them a worthless token.
The vulnerability as reported was closed as not a vulnerability, but it did uncover a bug in the Sanitizer API.
Two argument injections that were found in Bitbucket server, though only one of them was exploitable.The first was in the `/rest/api/latest/projects/~USER/repos/repo1/browse` endpoint, where an `at` parameter could be provided...
It seems that the syntax highlighting filter will read the `data-sourcepos` attribute rather permissively including newlines and angle brackets. This value gets reflected back out into the page where the browser will end up interpreting as HTML some of the text the backend throught was in the attribute.
Inspired by HTTPVoid's February write-up about [Hacking Google Drive Integrations](https://github.com/httpvoid/writeups/blob/main/Hacking-Google-Drive-Integrations.md). They took a bit deeper look at how HelloSign patched the SSRF documented.
Bug comes from GitLab's use of Rails UJS (Unobtrusive JavaScript).While known `data-*` attributes like `data-url` and `data-method` are stripped by DOMPurify, arbitrary `data-*` attributes aren't...
Heap overflow in the mbuf zone in the PPPoE driver, which the PS4/PS5 borrow from NetBSD.The issue is the fact that `pppoe_send_padr()` can calculate a packet length that exceeds `MCLBYTES` (2048 bytes)...
Authentication bug in Priceline through the use of Google OneTap.The problem is that they assume emails provided through Google OneTap are verified and authentic...
A chain of bugs starting with a "third party" information disclosure, and leading to an account takeover.The third-party aspect can be argued but as a vuln classification it feels like the best fit for the root of this issue...