Authentication bypass in Apache OFBiz: including the GET parameter `requirePasswordChange=Y` in a request simply bypasses the need to authenticate, due to some mishandling of errors.
This one starts off with a fun mass-assignment issue. Early on in the processing chain of an HTTP request to CrushFTP's web interface, it parses all the HTTP headers into a Java `Properties` object...
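The hazard in that pattern is that client-controlled header names land in the same flat key space as the server's own settings. The following is an added illustration written for this page in Python, not CrushFTP's Java code: the property names, the allow-list and the sample request are all constructed, and a plain `dict` stands in for `java.util.Properties`. It shows the vulnerable merge next to a hardened one that namespaces and allow-lists the headers.

```python
"""Mass assignment of HTTP headers into a server-side property store.

Generic illustration; the key names below are hypothetical, not CrushFTP's.
"""

# Internal settings the server relies on (constructed sample).
INTERNAL_DEFAULTS = {
    "user": "anonymous",
    "auth_required": "true",
    "upload_dir": "/srv/uploads",
}

# Header names the application legitimately consumes (constructed sample).
ALLOWED_HEADERS = {"content-type", "content-length", "authorization", "user-agent"}


def parse_headers(raw_request: str) -> dict:
    """Parse the header block of a raw HTTP/1.1 request into {lowercased-name: value}."""
    headers = {}
    head, _, _ = raw_request.partition("\r\n\r\n")
    for line in head.split("\r\n")[1:]:  # skip the request line
        if ":" not in line:
            continue
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return headers


def build_properties_unsafe(raw_request: str) -> dict:
    """Vulnerable pattern: every header becomes a property, so a client can
    overwrite internal keys that happen to share the same namespace."""
    props = dict(INTERNAL_DEFAULTS)
    props.update(parse_headers(raw_request))
    return props


def build_properties_safe(raw_request: str) -> dict:
    """Hardened pattern: only allow-listed headers are copied, and they live
    under their own prefix so they can never collide with internal keys."""
    props = dict(INTERNAL_DEFAULTS)
    for name, value in parse_headers(raw_request).items():
        if name in ALLOWED_HEADERS:
            props["header." + name] = value
    return props


# Constructed request: the client sends headers whose names match internal keys.
ATTACK_REQUEST = (
    "GET /files HTTP/1.1\r\n"
    "Host: example.invalid\r\n"
    "User-Agent: demo\r\n"
    "user: admin\r\n"
    "auth_required: false\r\n"
    "\r\n"
)

if __name__ == "__main__":
    print("unsafe:", build_properties_unsafe(ATTACK_REQUEST))
    print("safe:  ", build_properties_safe(ATTACK_REQUEST))
```

The unsafe variant ends up with `user=admin` and `auth_required=false` purely because the client chose those header names; the safe variant keeps the internal values and only records `header.user-agent`.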
This vulnerability impacts Kubernetes setups using NGINX as the ingress controller via [ingress-nginx](https://github.com/kubernetes/ingress-nginx). At first I wanted to blame this one on block-listing when they should have used an allow-list, but it's not quite that; it is basically just a missed edge case that allows for code execution.
One vulnerability, a use-after-free in the Linux nftables subsystem, exploitable on all three kernelCTF targets: the latest Long-Term Stable (LTS) release, the Container-Optimized build as used by Google Cloud, and a Mitigation build that isn't as up-to-date but includes experimental mitigations to be bypassed.
A very powerful bug in the `io_uring` subsystem of the Linux kernel. In this case, the vulnerability is in the handling of registering fixed buffers via the `IORING_REGISTER_BUFFERS` opcode, which allows an application to 'pin' and register memory for long-term use, which includes making it exempt from paging mechanics...
A request smuggling to global cache poisoning chain impacting Akamai edge nodes in front of an F5 BIG-IP server.
The authors here focus on crafting the exploit for an already discovered vulnerability in Orthanc's DICOM server. The vulnerability is a natural consequence of two features:
Not making encrypted blobs tamper-proof is a classic crypto mistake, and one that led to an arbitrary file-upload and code-execution vulnerability in ShareFile. The file-upload functionality of ShareFile took a few natural arguments: a `filename`, an `uploadid` and a `parentid`...
A post-auth remote information disclosure in the SecurePoint UTM firewall. The bug in this case is the fact that a session ID can be sent in a response before the session is fully initialized and used...
I thought this was an excellent post when it came to explaining the exploitation strategy, and as it dealt with encrypted pointers, the exploitation was pretty cool to see documented. However, I did have some problems following the actual vulnerability details.
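The underlying crypto point, that a stream-style ciphertext with no integrity check is malleable, is worth seeing concretely. The block below is an added example for this page, not ShareFile's code: it uses a toy HMAC-SHA256 keystream in place of whatever cipher the product used, and the `filename=...;parentid=...` record layout is constructed. An attacker who knows (or guesses) the plaintext at some offset can rewrite it without the key by XORing the ciphertext with `known ^ desired`; the encrypt-then-MAC variant rejects the same edit.

```python
"""Malleability of unauthenticated encryption vs. encrypt-then-MAC.

Toy cipher for demonstration only; the record layout is a constructed sample.
"""
import hashlib
import hmac
import secrets

NONCE_LEN = 12
TAG_LEN = 32


def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Toy CTR-style keystream: HMAC-SHA256(key, nonce || counter) blocks."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def encrypt_unauthenticated(key: bytes, plaintext: bytes) -> bytes:
    """nonce || (plaintext XOR keystream). Confidential, but not tamper-proof."""
    nonce = secrets.token_bytes(NONCE_LEN)
    return nonce + xor_bytes(plaintext, keystream(key, nonce, len(plaintext)))


def decrypt_unauthenticated(key: bytes, blob: bytes) -> bytes:
    nonce, ct = blob[:NONCE_LEN], blob[NONCE_LEN:]
    return xor_bytes(ct, keystream(key, nonce, len(ct)))


def tamper(blob: bytes, offset: int, known: bytes, desired: bytes) -> bytes:
    """Attacker side, no key needed: flip ciphertext bits so that the bytes at
    `offset` decrypt to `desired` instead of `known` (same length)."""
    assert len(known) == len(desired)
    nonce, ct = blob[:NONCE_LEN], blob[NONCE_LEN:]
    delta = bytes(offset) + xor_bytes(known, desired) + bytes(len(ct) - offset - len(known))
    return nonce + xor_bytes(ct, delta)


def encrypt_authenticated(enc_key: bytes, mac_key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC: the tag covers nonce and ciphertext, so any bit flip is detected."""
    body = encrypt_unauthenticated(enc_key, plaintext)
    return body + hmac.new(mac_key, body, hashlib.sha256).digest()


def decrypt_authenticated(enc_key: bytes, mac_key: bytes, blob: bytes) -> bytes:
    body, tag = blob[:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(mac_key, body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):  # constant-time comparison
        raise ValueError("blob tampered or corrupted")
    return decrypt_unauthenticated(enc_key, body)


# Constructed sample record and the attacker's target edit (equal length).
ENC_KEY = hashlib.sha256(b"demo-enc-key").digest()
MAC_KEY = hashlib.sha256(b"demo-mac-key").digest()
RECORD = b"filename=report.pdf;parentid=1000"
KNOWN_NAME, DESIRED_NAME = b"report.pdf", b"pwned.html"
NAME_OFFSET = RECORD.index(KNOWN_NAME)

if __name__ == "__main__":
    blob = encrypt_unauthenticated(ENC_KEY, RECORD)
    print(decrypt_unauthenticated(ENC_KEY, tamper(blob, NAME_OFFSET, KNOWN_NAME, DESIRED_NAME)))
    ablob = encrypt_authenticated(ENC_KEY, MAC_KEY, RECORD)
    forged = tamper(ablob[:-TAG_LEN], NAME_OFFSET, KNOWN_NAME, DESIRED_NAME) + ablob[-TAG_LEN:]
    try:
        decrypt_authenticated(ENC_KEY, MAC_KEY, forged)
    except ValueError as e:
        print("rejected:", e)
```

The same malleability applies to real CTR and CBC modes (CBC via the previous block), which is why an AEAD such as AES-GCM or ChaCha20-Poly1305, or encrypt-then-MAC as above, is the baseline whenever a client can hand an encrypted blob back to the server.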