A stupid auth bypass (for the app, great find by the researcher), and a service-side template injection in Pentaho.Starting with the SSTI, Pentaho has a few endpoints to configure and test LDAP connections, to do so it creates an XML-based bean definition and properties file containing all the user-provided data...
Code-generator gone bad! And another look at why its important to consider the context of what your escaping data for.In this case synthetics recorder could be used to generate playwright scripts (I think?) to replay a capture interaction...
A look at how logging attacker controlled data can be problematic in Azure Pipelines to potentially gain code execution and access to sensitive environment variables.
The XSS here is fairly basic, attacker controlled data reflected without sanitization, whats a bit more interesting is the input source, plugin metadata processed by the global Jenkin's Update Center.There is a bit of a process to getting plugins listed in the Update Center, submitted a PR and the first plugin needs to be manually approved, though the authors note that this is mostly a procedural thing...
A path traversal type issue in Kardex MLOG due to not properly handling windows path separators.The service's `GetFile`handler would check for an `/api` and `/image` slug, and if neither were present it would fall back on trying to construct a filename...
Simple enough vulnerable, a POST parameter was directly unserialized, which would often be pretty damning, but vBulletin apparently had put in some effort to make it hard to exploit.
A total of either issues impacting various companies in the automotive industry, mix of issues from simple SQL injection to some interesting Single Sign On (SSO) implementation decisions.
Excellent post covering three vulnerabilities in Huawei's Secure Monitor used to proxy/transition requests from the "normal world" usually from the hypervisor or kernel into the secure world.
The `username`, `from_name` and `password` fields of the SMTP server configuration accept new-line characters that will be printed directly into the resulting configuration file.Using this it is possible to include configuration parameters that are not normally exposed...
This blogpost is essentially using a previous sandbox escape they discovered against Backstage, which is Spotify's incubated solution for managing infrastructure and microservices and such.Backstage includes software templates, which can contain ` message` parameter that gets rendered in Nunjucks (a JS templating engine)...