Funny bug in Glovo, which is a delivery platform for taking orders and dispatching deliveries. The bug is an integer overflow in the quantity parameter of the POST request for the order, which can affect the total price of the order...
Authentication bug in Priceline through the use of Google OneTap. The problem is that they assume emails provided through Google OneTap are verified and authentic...
Java's implementation of ECDSA signature validation deviated from the algorithm in two distinct ways that could allow any attacker to craft a valid signature for any key.
Cool trick impacting PHP's `filter_var`, which is actually a bit of a binary-level issue: if you provide a long enough string as the argument to `filter_var`, eventually some code (for `FILTER_VALIDATE_DOMAIN` and `FILTER_FLAG_HOSTNAME`) will mistakenly believe the size is much smaller than it actually is (negative).
Yet another branch predictor bug was discovered by grsecurity when testing a performance optimization for Reuse Attack Protector (RAP) return hash sequences. RAP sequences have an unconditional jump, followed by a `movabs` instruction and some `int3` instructions for debugging purposes...
We have [previously discussed](https://dayzerosec.com/vulns/2021/09/29/iouring-vulnerability-resulting-in-freeing-wrong-kernel-buffer.html) this vulnerability, which provides a primitive to free adjacent memory.
I want to say the root of this issue is from trying to determine by name whether an identifier is a commit hash or a branch name. While git allows the creation of branches consisting of 40 hex characters, GitHub will reject the branch...
The first issue is an incorrect computation in golang impacting `go-ethereum`. It's an interesting case, because a base computation might lead to some issues but it usually isn't a security issue...
A cool bug in H2O's QUIC implementation leading to disclosing uninitialized memory. Stream data in HTTP/3 comes in an encoding similar to chunked encoding, including an offset in the chain, the data size and the data itself...
Just send an email pretending to be part of another report and the system will make you part of it. It's really that simple: sending an email using the email associated with your Researcher portal account with the subject `VULN-` will get that email added to the report and be copied on future updates...
This is almost an intended feature; basically, if an attacker can craft their own State cookie, they can trick the `StateFilter` into reading the `forwardPath` and forwarding their request to another servlet directly. The interesting side-effect here is that the redirect will bypass any other filters left in the chain and go directly to the other servlet.