Log injections are a class of bug that is often overlooked, both because it is difficult to spot during a black box engagement, and because the impact is difficult to determine.IN this case though the impact was easier to spot because the program processing the output logs was part of the same application...
Post from Man Yue Mo at GitHub Security Lab on an RCE in Chrome due to a bug in Chrome's JIT compiler (TurboFan).As a bit of background, modern browsers will often compile code/functions that are deemed as 'hotpaths' (aka executed a lot)...
A fairly simple processing bug in WinRAR resulting in code execution with benign seeming interaction with an archive; unfortunately this one was seen being exploited in the wild to spread malware.
Awesome abuse of an Regex DoS to bypass a security check in MyBB resulting in an RCE.
Not making encrypted blobs tamper-proof is a pretty classic crypto issue that lead to an arbitrary file-upload and code execution vulnerability in ShareFile. The file upload functionality of ShareFile took a few natural arguments: a `filename`, an `uploadid` and a `parentid`...
A stupid auth bypass (for the app, great find by the researcher), and a service-side template injection in Pentaho.Starting with the SSTI, Pentaho has a few endpoints to configure and test LDAP connections, to do so it creates an XML-based bean definition and properties file containing all the user-provided data...
Code-generator gone bad! And another look at why its important to consider the context of what your escaping data for.In this case synthetics recorder could be used to generate playwright scripts (I think?) to replay a capture interaction...
A look at how logging attacker controlled data can be problematic in Azure Pipelines to potentially gain code execution and access to sensitive environment variables.
The XSS here is fairly basic, attacker controlled data reflected without sanitization, whats a bit more interesting is the input source, plugin metadata processed by the global Jenkin's Update Center.There is a bit of a process to getting plugins listed in the Update Center, submitted a PR and the first plugin needs to be manually approved, though the authors note that this is mostly a procedural thing...
A couple interesting issues in OpenEMR leading to unauthenticated remote code execution and file disclosure.