Fairly weak vulnerability to have: the URL of a remote stylesheet had only minimal domain validation, which was easily bypassed, allowing an attacker to load their own stylesheets. It is a bit of a fun issue to have, however, as this can allow exfiltrating page content and potentially sensitive information like CSRF tokens, which can then be used for a more complicated attack.
Kubernetes has a feature called "volume subpaths", which is intended to enable sharing of a volume between multiple containers in a particular pod. Critically, these subpaths are controlled by the user...
A partially authenticated user could remove MFA from their account. During the login process, a user enrolled in MFA who had logged in with the correct credentials but had not yet provided the MFA token could access the `/mfa/unenrollment` endpoint and remove MFA from the account.
Starts off by detailing a self-XSS through JupyterLab Notebook's `/lab` endpoint, where an attacker can control the page contents. In and of itself this isn't an issue, since an attacker can only control the page contents of a notebook instance they own...
Out-of-bounds (OOB) access in the `VMGExit` handler, which is triggered for string I/O instructions. The `sev_es_string_io()` function is responsible for doing the string copy between the unencrypted guest memory regions and the virtualized target...
Focuses on exploiting an Out-of-Bounds (OOB) read in the `IOSurface` subsystem. The vulnerability was an unchecked `scalar0` index into the scalar input array in `IOMobileFramebufferUserClient::get_displayed_surface()`, called by `IOMobileFramebuffers::s_displayed_fb_service()`...
In the `recv_server-device_response_msg_process()` handler, a `nums` field gets pulled out of the packet's JSON payload and is used to represent the total number of UDP server domains. The application then iterates based on this field, looking for the respective `domain%d` key in the JSON...
Uninitialized use found in Apple's ColorSync via fuzzing. When parsing an image, the library will calculate the start address for reading from a Color Lookup Table (CLUT) data point array for pixel data...
Two straightforward command injection issues in Gerapy.
URL validation vulnerabilities leading to server-side request forgery (SSRF) on an internal Google endpoint. The original whitelist bypass was to use a `\@` in the domain: