Vulnerabilities tagged "bounty"

HigherLogic Community RCE Vulnerability

Once again deserialization and RCE through an unprotected viewstate, its kinda silly that this sort of issue continues to persist.The normal `_VIEWSTATE` field is used by some .NET applications to contain a ton of information about the current view state...

[Omise] XSS via X-Forwarded-Host header

Exactly as the title puts it, cross-site scripting through content injected from the `X-Forwarded-Host` header. Its interesting that this one was paid out as without some other issue like cache poisoning it would be impossible as far I am aware to exploit this as you cannot control the headers of a random user's requests.

Polygon Lack Of Balance Check Bugfix Postmortem

Polygon places the blame for this bug on not checking that the `from` address in a transfer actually has the balance to cover the transfer in the first-place.While I don't doubt that as a core issue it feels like that may only be part of the issue, the other part being a lack of error checking, or perhaps improper error handling...

Flickr Account Takeover

**tl;dr** There are two key issues with Flickr's use of AWS Cognito for their authentication, first, is that only the `sub` attribute is guaranteed to be unique and should be used to identify users, second is that the `access_token` provided can be used to modify user attributes. These issues can be chained to modify the `email` attribute (which is the attribute Flickr is using to identify accounts) and have one Cognito account map to another user's Flickr account.

Windows 10 RCE: The exploit is in the link

There is an argument injection within the `ms-officemd` URI scheme (available by default on WIndows 10 and 11) used by MS Office applications to launch other Office apps. By targeting the MS Teams Electron application one could leverage the `--gpu-launcher` argument for arbitrary command injection without any hassle.