A long chain of issues going from blind SSRF to new-line injection to a blind Livestatus Query Language (LQL) injection to arbitrary file deletion and finally a race condition leading to authentication bypass.
The root of the issue is that XSLTC (turns XSLT into a Java Class to be executed for better performance) does not account for that fact that the `constant_pool_count` in a Java class is only 16bits. An attacker can create an XSLT document containing too many constants, all of which will be written to the class file, but the count will be truncated to 16bits, leading to some of those constants being interpreted as part of the classfile containing things like field and method descriptions for the class.
A somewhat simple security control bypass in Apache Batik's `DefaultScriptSecurity` and `DefaultExternalResourceSecurity` controls.Where Batik has to be able to load SVG files (and associated resources) from either a local or remote source, it makes for an interesting attack for SSRF and/or RCE...
There seems to be a lot of gaps in this writeup, but to the best of my understanding the bug a straight forward XSS but only in the MCS Webview giving access to the `window.GalaxyStore` object to download or open any application from the store.
Yet another case of turning attacker data into full-blown objects automatically being a bad idea, in this case we have the Sawyer library used by Octokit turning API response into Ruby objects that is used to build Redis commands, allowing an attacker to inject arbitrary Redis commands leading to code execution with a crafted API response.
This vulnerability builds on/is complicated by two past issues.The first being an RCE via caching of remote font files, we discussed this vulnerability on [Episode 129](https://dayzerosec.com/vulns/2022/03/21/from-xss-to-rce-dompdf-0day.html)...
Two argument injections that were found in Bitbucket server, though only one of them was exploitable.The first was in the `/rest/api/latest/projects/~USER/repos/repo1/browse` endpoint, where an `at` parameter could be provided...
Just what can be accomplished when webhooks are allowed to access internal services, Cider Security takes a look specifically at abusing GitHub and GitLab webhooks to access internally hosted Jenkin instances.