Vulnerabilities tagged "bounty"

Iconics Support for `gdfx` Files Results in Command Injection

This seemed to mostly be an exercise in attack surface discovery, scanning the files used by Iconics they found support for `gdfx` files with support for embeded JavaScript, including the ability to load an ActiveX object and execute shell commands on the local machine. Despite this being an apparently surface level issue, it survived until Pwn2Own and through multiple other contestants (the author was 5th of 7 against the application) to net them a $20,000 bounty.

[GitLab] Stored XSS in Notes (with CSP bypass)

It seems that the syntax highlighting filter will read the `data-sourcepos` attribute rather permissively including newlines and angle brackets. This value gets reflected back out into the page where the browser will end up interpreting as HTML some of the text the backend throught was in the attribute.

Stealing Google Drive OAuth tokens from Dropbox

Inspired by HTTPVoid's February write-up about [Hacking Google Drive Integrations]( They took a bit deeper look at how HelloSign patched the SSRF documented.