Reddit had an issue in associating transactions with order information. If you initiated a coin purchase for, say, $1.99, the order would be created and the order ID could be obtained...
A simple bug in how MySQL deals with the `e` scientific notation for numbers (1.1e5 for 110000, for example) could be abused to bypass various Web Application Firewalls (WAFs). The bug is that the lack of any number following the `e` results in the term being stripped from the query, with nothing put in its place...
Amazingly simple issue as far as browser bugs go. The `removeFromFacesLookupTable` method in the `CSSFontFaceSet` class failed to properly check whether it had reached the end of the table when looking up a font...
When the `DOMWindow::open` method receives a frame name of `_top` or `_parent`, it is treated as a special case that gets an immediate scheduling of a location change. The `scheduleLocationChange` function is usually invoked in an asynchronous manner if the URL is the same as the old one, but if the URL fragments differ, it will run synchronously and fire a `popstate` event...
Seven vulnerabilities in Windows. Starts off with a lot of background information on Windows kernel I/O, how Time-of-Check Time-of-Use (TOCTOU) works, and an overview of Advanced Local Procedure Call (ALPC), which is a set of high-performance IPC syscalls...
This issue resides in the `nt!ObpCreateSymbolicLinkName` syscall for creating symbolic links. One of the first things it does is create a user handle for the symbolic link object...
Websockets have always been a little special when it comes to security considerations: they are a newer technology and the security concerns are often not well understood. Websocket hijacking tends to occur because websocket connections are not protected by the usual Same-Origin Policy (SOP) that more traditional resources are, so a malicious website can by default connect to a foreign websocket using a victim's cookies (assuming `SameSite` is not at play).
The fundamental issue is as basic as it gets; one of the first attacks many budding hackers learn is `' or 1=1` in a login page. Well, this was a SQLi in the username field of a login form, taken a little further by enabling `xp_cmdshell` and gaining code execution...
The first issue was that the endpoint for changing a user's password took as an argument a user ID that was not validated against the currently logged-in user, allowing any user to change the password of any other account provided they knew that user's unique ID. These ID values were thankfully not easily guessed.
Straightforward XSS and CSRF issues in Concrete CMS when adding a calendar event. The XSS was closed as a non-issue because the application provides users control over the HTML, including adding scripts...
An attacker with write access to the repository could bypass branch protection rules that require all pull requests to undergo a code review before being merged. The issue is just a logic issue rooted in two facts: first, anyone with write access can create an unprotected branch and define GitHub Actions for it, and second, a GitHub Action can perform code reviews (though restrictions can be added on who the approved reviewers are)...
The `pci_vtblk_proc` handling of incoming `virtio` descriptors and the `VBH_OP_DISCORD` operation has a likely typo that allows a guest to perform an out-of-bounds memory read.
When parsing session establishment request packets in `ogs_fqdn_parse()`, the function would take an unvalidated length and pass it directly to `memcpy()`. The blog post indicates the destination is a stack buffer, leading to a stack overflow...