Andrea Menin brings us a great find with a deviously simple WAF bypass. The core bug belongs to ModSecurity and the variables it exposes to be used by the various rulesets others have created.
A secure boot bypass in the 1080p revision of Chromecast with Google TV (CCwGTV). This bypass involves two issues, a hardware fault injection and a software logic bug, and it takes both because of the mitigations Google added after the exploit chain previously released against the 4K model.
This vulnerability impacts Kubernetes setups using NGINX as the ingress controller via [ingress-nginx](https://github.com/kubernetes/ingress-nginx). At first I wanted to blame this one on block-listing when they should have used an allow-list, but it's not quite that; it is basically just a missed edge case that allows for code execution.
Just a somewhat common and vulnerable use of cryptography. The `signature` of a firmware image was not truly a signature but a hash of the content plus a secret key. As the binary code that verifies the firmware is present on the device, the "secret" key is not actually secret, and one could create their own firmware that passes the signature check but contains arbitrary content...
An interesting vulnerability was found in Confluence that allowed for calling semi-arbitrary method chains on the Action class being executed. This reminds me a bit of deserialization attacks, but in this case you've got the Xwork2 framework providing a `SafeParametersInterceptor` class...
A stupid auth bypass (for the app, great find by the researcher), and a server-side template injection in Pentaho. Starting with the SSTI, Pentaho has a few endpoints to configure and test LDAP connections; to do so it creates an XML-based bean definition and properties file containing all the user-provided data...
Code generator gone bad! And another look at why it's important to consider the context you're escaping data for. In this case the synthetics recorder could be used to generate Playwright scripts (I think?) to replay a captured interaction...
The vulnerability is a Server-Side MIME Sniff issue in the answerdev/answer project (a Q&A platform) that leads to a stored XSS vulnerability. What is really interesting is that the bug primarily only appears when running the application under Docker.
This was a fun authorization check bypass: when checking if higher privileges were needed, the `flag` value was checked for equality with the two privileged actions. Later on however, when deciding which handler to use for the request, it used a bitwise operation to check if the specific bit is set...
When using the `ssrfFilter` library in conjunction with the Request library in JavaScript, there is a bug that can result in the SSRF filter being disabled. The way the anti-SSRF library `ssrfFilter` works is that it creates its own object that can be used in place of Node's default request agent for http/https requests...