StreamLabs would normally only redirect to a set of whitelisted domains approved to receive the `access_token`. The author here put some effort into discovering which domains were approved, and found `http://dragynslair.live` was whitelisted but no longer registered...
It is possible for a malicious website to associate a visitor with a known Slack account. The attack relies on a difference in behavior when accessing a file with and without permission, and on the ability to share a file with specific users...
Reddit had an issue in associating transactions with order information. If you initiated a coin purchase for, say, $1.99, the order is created and the order ID can be obtained...
`pci_vtblk_proc`'s handling of incoming `virtio` descriptors and the `VBH_OP_DISCARD` operation has a likely typo that allows a guest to perform an out-of-bounds memory read.
**tl;dr** A well-positioned attacker (who needs to be using the same IP as the victim) can hijack a successful authentication flow and take over the victim's session by polling the `get.cgi` endpoint after the victim's login has succeeded but before the victim has polled the same page (which happens every second).
Synacktiv ended up investigating the Western Digital Pro PR4100 when looking at the target list for Pwn2Own Tokyo 2020. When looking at this device, they took particular interest in the webserver, and reversed the cgi-bin that implemented it...
**tl;dr** - The OAuth endpoint parses the URL parameters `redirect_uri` and `redirect_uri[0` (note the missing `]`) as pointing to the same variable, allowing the second to overwrite the first. The front-end, however, sees them as two distinct keys and so redirects the OAuth token to the `redirect_uri` value, while the endpoint validates that the other value points to a whitelisted location.
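A small model of the parser differential described above, added here as an example (not the vendor's code): the two parsers, the bracket-normalization rule and the sample query string are assumptions, and `find_ambiguous_keys` is the kind of pre-validation check that catches two raw keys collapsing onto one variable.

```python
from urllib.parse import parse_qsl


def backend_view(query: str) -> dict:
    """Model of the endpoint's parser (assumed behaviour): the key is cut
    at the first '[', so 'redirect_uri[0' and 'redirect_uri' both land in
    the variable 'redirect_uri', and a later duplicate overwrites an earlier one."""
    params = {}
    for raw_key, value in parse_qsl(query, keep_blank_values=True):
        params[raw_key.split("[", 1)[0]] = value
    return params


def frontend_view(query: str) -> dict:
    """Model of the front-end's parser (assumed behaviour): raw key names are
    used exactly as sent, so the two keys stay distinct."""
    return dict(parse_qsl(query, keep_blank_values=True))


def find_ambiguous_keys(query: str) -> dict:
    """Defensive check: group raw keys by the name the backend would normalize
    them to; any group with more than one distinct raw key is ambiguous and the
    request should be rejected before any redirect target is validated."""
    groups = {}
    for raw_key, _ in parse_qsl(query, keep_blank_values=True):
        groups.setdefault(raw_key.split("[", 1)[0], set()).add(raw_key)
    return {base: sorted(keys) for base, keys in groups.items() if len(keys) > 1}


# Constructed sample query: both values use reserved example hostnames.
SAMPLE_QUERY = (
    "client_id=abc"
    "&redirect_uri=https://other.example/cb"
    "&redirect_uri[0=https://trusted.example/cb"
)

if __name__ == "__main__":
    print("endpoint validates:", backend_view(SAMPLE_QUERY)["redirect_uri"])
    print("front-end redirects to:", frontend_view(SAMPLE_QUERY)["redirect_uri"])
    print("ambiguous keys:", find_ambiguous_keys(SAMPLE_QUERY))
```

The fix the check points at is the usual one: validate exactly the value that will be used for the redirect, in the same component that performs it, and refuse requests where distinct raw keys normalize to the same parameter.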
This is another one of those IDE/tooling-doing-more-than-you-expect issues. In Rust you have `#[proc_macro]`s, which are functions that are executed at compile time...
Cool bug, but hard to actually exploit despite getting PC control. The vuln uses GLSL, a C-like shader language that gets translated into C before being executed...
Very long post covering an old issue (2013), with tons of background about Java bytecode, App Engine and ASM (a library). Some context for the issue is that App Engine would perform in-process sandboxing...
Composer will query Packagist to obtain metadata about the package to download. This includes where to fetch the code from (both source and pre-built archives)...