A path traversal type issue in Kardex MLOG due to not properly handling Windows path separators. The service's `GetFile` handler would check for an `/api` and `/image` slug, and if neither were present it would fall back on trying to construct a filename...
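To make the separator point concrete, here is an added example (not code from the Kardex MLOG write-up or the product): a naive file-serving check that only recognises forward slashes, beside a hardened version that treats backslashes as separators, collapses `..` segments, and confirms the result still sits under a base directory. The function names and the `/srv/files` document root are hypothetical.

```python
"""Added example: why a traversal check must handle Windows separators.

Both resolvers return the absolute path to serve, or None when the request
is rejected. BASE_DIR and the function names are hypothetical."""
import posixpath
from typing import Optional

BASE_DIR = "/srv/files"  # hypothetical document root


def naive_resolve(user_path: str) -> Optional[str]:
    # Only looks for "../" spelled with forward slashes. A request written
    # with backslashes never matches, so it is joined onto BASE_DIR unchanged
    # and a Windows filesystem API would later treat "\\" as a separator.
    if "../" in user_path:
        return None
    return posixpath.join(BASE_DIR, user_path)


def hardened_resolve(user_path: str) -> Optional[str]:
    # 1. Unify separators so "..\\" and "../" are the same thing.
    unified = user_path.replace("\\", "/")
    # 2. Join onto the root and let normpath collapse "." and ".." segments.
    candidate = posixpath.normpath(posixpath.join(BASE_DIR, unified.lstrip("/")))
    # 3. Decide on the *normalised* path: it must be BASE_DIR itself or a
    #    descendant of it. Anything that climbed out is rejected.
    if candidate != BASE_DIR and not candidate.startswith(BASE_DIR + "/"):
        return None
    return candidate


if __name__ == "__main__":
    # Constructed sample requests, one benign and two traversal attempts.
    for req in ["docs/readme.txt", "../../etc/passwd", "..\\..\\etc\\passwd"]:
        print(f"{req!r:28} naive={naive_resolve(req)!r:40} hardened={hardened_resolve(req)!r}")
```

Percent-decoding of the request path should already have happened before either function runs, and the final string-prefix test is done on the normalised path rather than on the raw input, which is what keeps the separator choice from mattering.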
Simple enough vulnerability: a POST parameter was directly unserialized, which would often be pretty damning, but vBulletin apparently had put in some effort to make it hard to exploit.
BBCode XSS chained with an admin panel SQL injection for potential for code execution.
A collection of issues impacting various companies in the automotive industry, a mix ranging from simple SQL injection to some interesting Single Sign-On (SSO) implementation decisions.
Excellent post covering three vulnerabilities in Huawei's Secure Monitor, which is used to proxy/transition requests from the "normal world" (usually from the hypervisor or kernel) into the secure world.
Great documentation of the process of getting a payload past a WAF, building up the final payload bit by bit.
A couple of command injection bugs on the NetGear RAX30 router, straightforward IoT bugs.
Two vulns in Netgear RAX30 routers that were patched 2 days before the Pwn2Own draw. One was a LAN bug, the other a WAN issue.
The `username`, `from_name` and `password` fields of the SMTP server configuration accept new-line characters that will be printed directly into the resulting configuration file. Using this it is possible to include configuration parameters that are not normally exposed...
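An added example (not from the advisory or the affected product) showing the mechanism: a writer that interpolates SMTP settings line by line, a parser standing in for the service that reads the file back, and a validator that refuses values containing line breaks or NULs before anything is written. The `key = value` format, the key names and the sample values are all constructed.

```python
"""Added example: newline injection into a line-oriented config file.

The config format, key names and sample values are constructed for the
demonstration and do not describe any real product's file."""
import re
from typing import Dict, List

# Characters that would let one value span more than one config line.
_CONTROL = re.compile(r"[\r\n\x00]")

# Constructed inputs: a clean settings dict and one whose username carries
# a line break followed by an extra, unrelated key.
CLEAN = {"username": "alice", "from_name": "Alerts", "password": "s3cret"}
INJECTED = {
    "username": "alice\nextra_option = injected",
    "from_name": "Alerts",
    "password": "s3cret",
}


def render_smtp_config(settings: Dict[str, str]) -> str:
    # Naive writer: one "key = value" line per setting, no escaping.
    return "".join(f"{key} = {value}\n" for key, value in settings.items())


def parse_config(text: str) -> Dict[str, str]:
    # Minimal stand-in for the consuming service: first "=" splits key/value.
    parsed: Dict[str, str] = {}
    for line in text.splitlines():
        if "=" in line:
            key, value = line.split("=", 1)
            parsed[key.strip()] = value.strip()
    return parsed


def find_control_chars(settings: Dict[str, str]) -> List[str]:
    # Names of the settings whose value could break out of its own line.
    return [key for key, value in settings.items() if _CONTROL.search(value)]


def render_smtp_config_safe(settings: Dict[str, str]) -> str:
    # Hardened writer: validate first, then reuse the plain renderer.
    offending = find_control_chars(settings)
    if offending:
        raise ValueError(f"line breaks or NULs in: {', '.join(offending)}")
    return render_smtp_config(settings)


if __name__ == "__main__":
    # The naive path turns three settings into four parsed keys.
    print(parse_config(render_smtp_config(INJECTED)))
    # The hardened path names the offending field instead of writing it.
    try:
        render_smtp_config_safe(INJECTED)
    except ValueError as exc:
        print("rejected:", exc)
```

Rejecting on `\r` as well as `\n` matters because many parsers treat either as a line terminator; an allow-list of printable characters for each field would be stricter still if the real format permits it.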
This blog post is essentially using a previous sandbox escape they discovered against Backstage, which is Spotify's incubated solution for managing infrastructure, microservices and such. Backstage includes software templates, which can contain a `message` parameter that gets rendered in Nunjucks (a JS templating engine)...