Only the phone number parameter was being validated. So an attacker could maliciously modify the country code...
An interesting primitive in `io_uring` resulting in the ability to free adjacent kernel buffers.
A rather non-intuitive bug where sending `Content-Length: x` would result in source disclosure on Apache.
**tl;dr** A well-positioned attacker (one sharing the victim's IP address) can hijack a successful authentication flow and take over the victim's session by polling the `get.cgi` endpoint after the victim's login has succeeded but before the victim has polled the same page (which the client does every second).
Synacktiv ended up investigating the Western Digital Pro PR4100 when looking at the target list for Pwn2Own Tokyo 2020. When looking at this device, they took particular interest in the webserver, and reversed the cgi-bin that implemented it...
**tl;dr** - The OAuth endpoint parses the URL parameters `redirect_uri` and `redirect_uri[0` (note the missing `]`) as pointing to the same variable, allowing the second to overwrite the first. The front end, however, sees them as two distinct keys, so it redirects the OAuth token to `redirect_uri` while the endpoint validates that the other value points to a whitelisted location.
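A toy model of that parser differential, added here as an example and not code from the write-up or from the affected vendor. The back end is modelled as a PHP-style parser that treats an unterminated `[` as array syntax and collapses `redirect_uri[0` onto `redirect_uri` (last value wins); the front end is modelled with `URLSearchParams`, which keeps the two keys distinct and returns the first `redirect_uri`. The hostnames, the allowlist and the `hardenedFlow` check are assumptions made up for illustration.

```javascript
// Added example: models the redirect_uri parser differential described above.
// Not the vendor's code; hostnames and allowlist are constructed for the demo.

// Back-end model (PHP-style): anything from "[" onward is treated as array
// syntax and dropped from the key, so "redirect_uri[0" and "redirect_uri"
// land in the same slot. Later duplicates overwrite earlier ones.
function backendParse(query) {
  const params = {};
  for (const [rawKey, value] of new URLSearchParams(query)) {
    const bracket = rawKey.indexOf("[");
    const key = bracket === -1 ? rawKey : rawKey.slice(0, bracket);
    params[key] = value; // last one wins
  }
  return params;
}

// Front-end model: literal keys; URLSearchParams.get returns the FIRST value
// for "redirect_uri" and never looks at "redirect_uri[0".
function frontendParse(query) {
  const params = new URLSearchParams(query);
  return { redirect_uri: params.get("redirect_uri") };
}

const ALLOWLIST = ["https://app.example/cb"]; // constructed allowlist
function isAllowed(uri) {
  return ALLOWLIST.includes(uri);
}

// Vulnerable flow: the back end validates ITS view of redirect_uri, then the
// front end redirects to ITS view of redirect_uri. The two views differ.
function vulnerableFlow(query) {
  const backendUri = backendParse(query).redirect_uri;
  if (!isAllowed(backendUri)) {
    return { issued: false, redirectTo: null };
  }
  const target = frontendParse(query).redirect_uri;
  return { issued: true, redirectTo: target }; // token goes to attacker
}

// Hardened flow (assumed fix, not the vendor's): validate exactly the string
// that will be redirected to, and refuse requests where redirect_uri appears
// more than once or in any bracketed variant, so no second parser can disagree.
function hardenedFlow(query) {
  const params = new URLSearchParams(query);
  const redirectKeys = [...params.keys()].filter(
    (k) => k === "redirect_uri" || k.startsWith("redirect_uri[")
  );
  if (redirectKeys.length !== 1) {
    return { issued: false, redirectTo: null, reason: "ambiguous redirect_uri" };
  }
  const uri = params.get("redirect_uri");
  if (!isAllowed(uri)) {
    return { issued: false, redirectTo: null, reason: "not allowlisted" };
  }
  return { issued: true, redirectTo: uri };
}

// Constructed attacker request: the first redirect_uri is the attacker's,
// the second (with the unterminated bracket) is the allowlisted one.
const ATTACK_QUERY =
  "client_id=demo&redirect_uri=https://attacker.example/steal" +
  "&redirect_uri[0=https://app.example/cb";

if (typeof require !== "undefined" && require.main === module) {
  console.log("backend sees:", backendParse(ATTACK_QUERY).redirect_uri);
  console.log("vulnerable:", vulnerableFlow(ATTACK_QUERY));
  console.log("hardened:", hardenedFlow(ATTACK_QUERY));
}
```

Run with `node` to see the back end accept the allowlisted value while the front end redirects the token to the attacker's host; the hardened variant rejects the request outright because two keys map onto `redirect_uri`.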
This is another one of those IDE/tooling-doing-more-than-you-expect issues. In Rust you have `#[proc_macro]`s, which are functions that are executed at compile time...
Cool bug, but hard to actually exploit despite getting PC control. The vuln uses GLSL, a C-like shader language that gets translated into C before being executed...
Very long post, covering an old issue (2013) with tons of background about Java bytecode, App Engine and ASM (the bytecode library). Some context for the issue is that App Engine would perform in-process sandboxing...
Composer will query Packagist to obtain metadata about the package to download. This includes where to fetch the code from (both source and pre-built archives)...