Two issues: first, an XSS that needed two injection points to bypass the web-application firewall, and second, a cache poisoning attack that made it possible for the XSS to be stored.
Two Facebook Canvas issues enabling an attacker application to get privileged first-party API keys by pretending to be Instagram or another first-party application.
I want to say the root of this issue is from trying to determine by name whether an identifier is a commit hash or a branch name. While git allows the creation of branches consisting of 40 hex characters, GitHub will reject the branch...
Once again deserialization and RCE through an unprotected viewstate; it's kind of silly that this sort of issue continues to persist. The normal `__VIEWSTATE` field is used by some .NET applications to contain a ton of information about the current view state...
The interesting part of this post is the use of an external API, specifically the Google Drive API, to achieve SSRF.
Exactly as the title puts it, cross-site scripting through content injected from the `X-Forwarded-Host` header. It's interesting that this one was paid out, as without some other issue like cache poisoning it would be impossible, as far as I am aware, to exploit this, since you cannot control the headers of a random user's requests.
An inability to decode the character in a user's post, leading to HTTP 500 response.
Polygon places the blame for this bug on not checking that the `from` address in a transfer actually has the balance to cover the transfer in the first place. While I don't doubt that as a core issue, it feels like that may only be part of the issue, the other part being a lack of error checking, or perhaps improper error handling...
**tl;dr** There are two key issues with Flickr's use of AWS Cognito for their authentication: first, only the `sub` attribute is guaranteed to be unique and should be used to identify users; second, the `access_token` provided can be used to modify user attributes. These issues can be chained to modify the `email` attribute (which is the attribute Flickr is using to identify accounts) and have one Cognito account map to another user's Flickr account.
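The identifier mix-up above is easiest to see side by side. The following is an added example, not code from the Flickr write-up or from AWS: it models an application's account table with two lookups over the same verified ID-token claims, one keyed on the mutable `email` attribute and one keyed on the immutable `sub`. The account records, the Cognito `sub` values and the claim sets are all constructed for the demonstration.

```python
"""Mapping an identity-provider token to a local account: `email` vs `sub`.

In Cognito only `sub` is guaranteed unique and immutable; `email` is a
user-editable attribute, so keying the account table on it lets one user
"become" another by changing their own attribute. Everything below is a
constructed model, not Cognito client code.
"""
from dataclasses import dataclass, field


@dataclass
class Account:
    local_id: str      # the application's own account id (constructed)
    cognito_sub: str   # immutable Cognito user identifier (constructed)
    email: str         # mutable, user-controlled attribute


@dataclass
class AccountStore:
    by_sub: dict = field(default_factory=dict)
    by_email: dict = field(default_factory=dict)

    def add(self, acct: Account) -> None:
        self.by_sub[acct.cognito_sub] = acct
        self.by_email[acct.email.lower()] = acct


def lookup_by_email(store: AccountStore, claims: dict):
    """Weak pattern: trusts a claim the token's owner can rewrite."""
    return store.by_email.get(claims["email"].lower())


def lookup_by_sub(store: AccountStore, claims: dict):
    """Correct pattern: the subject identifier is stable and unique per user pool."""
    return store.by_sub.get(claims["sub"])


def email_usable(claims: dict) -> bool:
    """If email must be used for anything (e.g. first-time linking), require the
    provider's verification flag so an unverified, freshly edited value is rejected."""
    return bool(claims.get("email_verified")) and "email" in claims


def demo():
    store = AccountStore()
    store.add(Account("app-user-1", "sub-aaaa-0001", "alice@example.com"))  # constructed
    store.add(Account("app-user-2", "sub-bbbb-0002", "bob@example.com"))    # constructed

    # Claims from user 2's (validly signed) ID token after they changed their own
    # `email` attribute to user 1's address. `sub` cannot change; `email_verified`
    # drops to false until the new address is confirmed.
    claims_user2 = {"sub": "sub-bbbb-0002", "email": "alice@example.com", "email_verified": False}

    weak = lookup_by_email(store, claims_user2).local_id   # resolves to the wrong account
    strong = lookup_by_sub(store, claims_user2).local_id   # resolves to the token owner
    return weak, strong, email_usable(claims_user2)


if __name__ == "__main__":
    print(demo())
```

The same claim set resolves to two different accounts depending on which key the application chose; the fix is structural (store and look up `sub`), and gating any remaining email use on `email_verified` closes the window where a just-edited address would otherwise be trusted.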
There is an argument injection within the `ms-officecmd` URI scheme (available by default on Windows 10 and 11) used by MS Office applications to launch other Office apps. By targeting the MS Teams Electron application one could leverage the `--gpu-launcher` argument for arbitrary command injection without any hassle.