A rather simple Chrome permission bypass.Basically `chrome.pageCapture.saveAsMHTML()` shouldn't be able to save pages it doesn't have the permissions to read like pages belonging to another extension or chrome pages...
Just another caching issue, this time we've got a GraphQL API that is being used to serve some static files/content.Those requests that should be cached include a `reqIdentifier` parameter in the URL that acts as the cache key...
We have an unnamed dashboard application here that allows users to specify objects that will be rendered into the dashboard through JSON blobs.Users can provide dashboard templates in the form of a JSON blob, including an `item` array of which items to render...
This one comes down to a normalization difference between Cloudflare's CDN and the ChatGPT backend server.The Cloudflare CDN was setup to cache all requests under the `/share/` endpoint, and the determination of whether a path matches would happen before any percent-encoded characters were decoded...
Honestly, this is a simple bug, a react website, wiht source maps, so easy to find API endpoints the application calls.Upon examination one of them did not require any authentication, the event stream publishing events from the cameras in a redacted teleommunications company office...
This one starts off with a fun mass-assignment issue.Early on in the processing chain of a HTTP request to CrushFTP's web interface it will parse all the HTTP headers into a Java `Properties`object...
There is a lot going on in this post, the novel aspect are a few Mark-of-the-Web (MotW) bypasses, those MotW bypasses were found while exploring an in-the-wild exploit chain which is also covered here.
A post-auth remote information disclosure in the SecurePoint UTM firewall.The bug in this case is the fact that a session ID can be sent in a response before the session is fully initialized and used...
When using curl, if the `--data-raw` argument starts with a `@` it will be treated as a filename and the file itself will be included as the data of the request. This sort of bug would be hard to exploit in the context of Burp and Chrome, requiring a victim to "Copy as cURL" a malicious request in the first place, and then run it...
A look at how logging attacker controlled data can be problematic in Azure Pipelines to potentially gain code execution and access to sensitive environment variables.
Solid post document some of the practical aspects of pulling off this attack, but the root issue was a change in Android's parcel API, without going into details about parcels you can think about this as similar to just opening a file.You usually need to provide a `mode`, like `w` for write, or `r` for read access...
In resizing a PNG, in a textual chunk you have keywords and a text string as a value, if the keyword `profile` is used, imagemagick will try to read the associated filename (the text value for the keyword) and will load the content of the file (if it exists) into the resultant image. So in cases where a user uploaded image is resized or processed in some way by imagemagick, it may be possible to leak file content in the resulting image.
There are a few issues in this post, the first is SQL injection with nothing very special going on. The later issues though are more of a bypass of application logic which I think is fairly cool.