**CVE-2023-27322 - Local Privilege Escalation Through Parallels Service**
Bit of an odd bug in the SecurityPoint UTM Firewall admin and user panels. During the normal login flow a user starts off with an empty `sessionID` value; once they authenticate successfully the server returns a filled-in `sessionID`...
At its core, we have a simple mistake that can be made pretty easily on all of the cloud platforms, though this post focuses on Azure App Services and Azure Functions. Being able to easily add authentication to your apps on either is nice, but they can easily be misconfigured...
Abuse ChatGPT and other language models for remote code execution, sounds great! This is quite literally just a case of determining how the AI is being leveraged in the backend and then engineering a prompt to ask the language model to respond with something malicious. The author has two examples on BoxCars:
The vulnerability is a Server-Side MIME Sniff issue in the answerdev/answer project (a Q&A platform) that leads to a stored XSS vulnerability. What is really interesting is that the bug primarily appears only when running the application under Docker.
This was a fun authorization check bypass: when checking if higher privileges were needed, the `flag` value was checked for equality with the two privileged actions. Later on, however, when deciding which handler to use to handle the request, it used a bitwise operation to check if the specific bit is set...
When using the `ssrfFilter` library in conjunction with the Request library in JavaScript there is a bug that can result in the SSRF filter being disabled. The way the anti-SSRF library `ssrfFilter` works is that it creates its own object that can be used in place of Node's default request agent for http/https requests...
Solid post documenting some of the practical aspects of pulling off this attack, but the root issue was a change in Android's parcel API. Without going into details about parcels, you can think about this as similar to just opening a file. You usually need to provide a `mode`, like `w` for write, or `r` for read access...
A type confusion happens during the initialization of TUN/TAP sockets that leads to the UID being fixed to 0. The root cause of this bug is the incorrect assumption made by `sock_init_data()` regarding the `struct socket` input...
A nice use of a CRLF Injection to exploit a seemingly unexploitable injection, because the browser wouldn't render the page when a `Location` header was present. Basically, the CRLF injection was just used to inject a `Connection: Location` header, telling the proxy to treat the `Location` header as a hop-by-hop header and drop it before passing it on to the end-user...
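The equality-versus-bit-test mismatch described above, as an added example that is not code from the post or from the affected project. The flag constants, handler names and the `find_bypasses` helper are assumptions made for illustration; the point is that the privilege check and the dispatcher must agree on how `flag` is interpreted, and the fixed predicate simply reuses the dispatcher's bit test.

```python
# Added example, not from the post: modelling a privilege check that compares
# a flag for equality while the dispatcher tests individual bits.
# All constant and handler names below are hypothetical.

READ = 0x1
WRITE = 0x2
ADMIN_DELETE = 0x4
ADMIN_CONFIG = 0x8

# The two "privileged actions" the buggy check compares against exactly.
PRIVILEGED_ACTIONS = (ADMIN_DELETE, ADMIN_CONFIG)


def needs_privilege_buggy(flag: int) -> bool:
    """Equality check: only an exact privileged value is treated as privileged."""
    return flag in PRIVILEGED_ACTIONS


def needs_privilege_fixed(flag: int) -> bool:
    """Bit test: any flag carrying a privileged bit is treated as privileged,
    which is the same interpretation the dispatcher uses."""
    return bool(flag & (ADMIN_DELETE | ADMIN_CONFIG))


def select_handler(flag: int) -> str:
    """Dispatcher: routes on individual bits, not on exact values."""
    if flag & ADMIN_DELETE:
        return "admin_delete"
    if flag & ADMIN_CONFIG:
        return "admin_config"
    if flag & WRITE:
        return "write"
    return "read"


def dispatch(flag: int, is_admin: bool, privilege_check) -> str:
    """Apply the privilege check first, then route to a handler."""
    if privilege_check(flag) and not is_admin:
        return "denied"
    return select_handler(flag)


def find_bypasses(privilege_check, max_flag: int = 0xF) -> list:
    """Enumerate flag values a non-admin could send that still reach an admin
    handler under the given privilege check. Useful as a unit test that the
    check and the dispatcher agree: the fixed check should yield []."""
    return [
        f for f in range(max_flag + 1)
        if dispatch(f, False, privilege_check).startswith("admin")
    ]


if __name__ == "__main__":
    print("buggy check bypasses:", find_bypasses(needs_privilege_buggy))
    print("fixed check bypasses:", find_bypasses(needs_privilege_fixed))
```

Running the block shows that with the equality check, every value that combines a privileged bit with any other bit (for example `ADMIN_DELETE | READ`) is routed to an admin handler without being denied, while the exact values `ADMIN_DELETE` and `ADMIN_CONFIG` are correctly refused; with the bit-test check the bypass list is empty.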