Solid post documenting some of the practical aspects of pulling off this attack, but the root issue was a change in Android's parcel API. Without going into details about parcels, you can think of this as similar to just opening a file: you usually need to provide a `mode`, like `w` for write or `r` for read access...
When resizing a PNG, a textual chunk holds a keyword and a text string as its value. If the keyword `profile` is used, ImageMagick will try to read the associated filename (the text value for the keyword) and will load the content of that file (if it exists) into the resultant image. So in cases where a user-uploaded image is resized or otherwise processed by ImageMagick, it may be possible to leak file content in the resulting image.
There are a few issues in this post; the first is a SQL injection with nothing very special going on. The later issues, though, are more of a bypass of application logic, which I think is fairly cool.
A couple of interesting issues in OpenEMR leading to unauthenticated remote code execution and file disclosure.
Starts off with an exposed activity in the KAYAK app and ends up with session hijacking.
A total of eight issues impacting various companies in the automotive industry, a mix ranging from simple SQL injection to some interesting Single Sign-On (SSO) implementation decisions.
The title is all you really need on this one: the OTP was reflected in the cookies, so there was no need to actually receive it.
A number of bugs in Tailscale leading to an RCE chain.
A timing-based side-channel in the `CHECK_DATA` Device Configuration Data (DCD) command could allow the contents of memory to be disclosed and read even when reading was disabled.
The RH850 is an automotive MCU which features Secure Onboard Communication (SecOC), which includes read protections to prevent dumping the ROM over serial. After reversing the protocol with a logic analyzer, they discovered that authentication was only gated on the sync command (which is required before any other commands are acknowledged)...