A great exploit chain that starts with a newline injection, leads to the ability to write "2" to any file, and culminates in a login and root code execution, all doable from remotely hosted JavaScript.
What if authentication was optional? That seems to be the case here with the Netgear Switch Discovery Protocol, a UDP-based protocol where each datagram is a header followed by a Type-Length-Value (TLV) chain. The expectation is that all of the "get" commands can be used without authentication but that "set" commands should send the password authentication entry (Type 10) as the first part of the TLV chain...
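To make the "optional authentication" point concrete, here is an added example (not code from the write-up or from Netgear) that models a header-plus-TLV message and two "set" handlers: one that only validates the password entry when the client happens to include one, and one that requires it as the first entry. The two-byte header, the end-of-chain marker, the attribute type for the device name and the password value are all assumptions for this example, not the real protocol constants.

```python
import hmac
import struct

# Constructed, simplified model of a header + TLV chain datagram.
# Everything below the comment line is an assumption for the example.
OP_GET = 1
OP_SET = 3
TYPE_DEVICE_NAME = 0x0003   # assumed "set"-able attribute
TYPE_PASSWORD = 0x000A      # password authentication entry (Type 10)
TYPE_END = 0xFFFF           # assumed end-of-chain marker
HEADER = struct.Struct(">BB")  # assumed: version, operation
PASSWORD = b"password"      # constructed device password


def build_message(op, tlvs):
    """Encode header + TLV chain; tlvs is a list of (type, value_bytes)."""
    body = b"".join(struct.pack(">HH", t, len(v)) + v for t, v in tlvs)
    return HEADER.pack(1, op) + body + struct.pack(">HH", TYPE_END, 0)


def parse_message(data):
    """Decode header + TLV chain into (op, [(type, value), ...])."""
    version, op = HEADER.unpack_from(data, 0)
    if version != 1:
        raise ValueError("unsupported version")
    tlvs, off = [], HEADER.size
    while off + 4 <= len(data):
        t, length = struct.unpack_from(">HH", data, off)
        off += 4
        if t == TYPE_END:
            break
        if off + length > len(data):
            raise ValueError("truncated TLV")
        tlvs.append((t, data[off:off + length]))
        off += length
    else:
        raise ValueError("missing end-of-chain marker")
    return op, tlvs


def handle_set_vulnerable(data, config):
    """Auth is effectively optional: the password TLV is checked only if the
    client chose to send one, so omitting it skips authentication entirely."""
    op, tlvs = parse_message(data)
    if op != OP_SET:
        return "ignored"
    for t, v in tlvs:
        if t == TYPE_PASSWORD and not hmac.compare_digest(v, PASSWORD):
            return "auth failed"
    for t, v in tlvs:
        if t == TYPE_DEVICE_NAME:
            config["name"] = v.decode()
    return "ok"


def handle_set_fixed(data, config):
    """A set request must begin with a valid password TLV or it is rejected
    before any attribute is touched."""
    op, tlvs = parse_message(data)
    if op != OP_SET:
        return "ignored"
    if not tlvs or tlvs[0][0] != TYPE_PASSWORD:
        return "auth failed"
    if not hmac.compare_digest(tlvs[0][1], PASSWORD):
        return "auth failed"
    for t, v in tlvs[1:]:
        if t == TYPE_DEVICE_NAME:
            config["name"] = v.decode()
    return "ok"


if __name__ == "__main__":
    unauthenticated = build_message(OP_SET, [(TYPE_DEVICE_NAME, b"pwned")])
    print("vulnerable:", handle_set_vulnerable(unauthenticated, {}))
    print("fixed:     ", handle_set_fixed(unauthenticated, {}))
```

The fixed handler checks the position of the password entry as well as its value, because a parser that merely scans for Type 10 anywhere in the chain can be tricked by a second, later entry if attributes are applied as they are parsed.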
**tl;dr** A well-positioned attacker (needs to be using the same IP as the victim) can hijack a successful authentication flow and take over the victim's session by polling the `get.cgi` endpoint after the victim's login has succeeded but before the victim has polled the same page (which happens every second).
Authentication bypass by including a magic string in the URL. The string isn't exactly magic; rather, it seems this page (setcup.cgi) has a single file that needs to be accessible without authentication...
The vulnerability here is simply that Opera's Pinboard feature allows pinning URLs starting with `javascript:`, creating a clickable link on a Pinboard that will execute JavaScript. Unfortunately (for the attacker) these links open in a new window and not within the Pinboard context, unless they are middle-clicked, in which case the JavaScript runs within the Pinboard context.
This is a vulnerability within the `check-spelling` workflow specifically and not in GitHub Actions. This workflow is used to, well, check the spelling on an incoming Pull Request...
**tl;dr** Cool chain to escape and impact other containers on `Azure Container Instances` hosted on Kubernetes clusters (some are hosted on Service Fabric clusters, which are not vulnerable in this way). First is the container escape itself onto the containing node/VM, followed by a leaked JWT usable to run commands against all nodes in the cluster.
The Shopify GraphQL endpoint has a mutation `appCreditCreate` for Shopify apps to issue credits to merchants that can be used towards future app purchases. While this mutation cannot be used through the GraphQL endpoint at `/admin/internal/web/graphql/core`, the GraphiQL app provided by Shopify does allow the mutation...
An easy vulnerability that shows how checking the magic numbers of a file isn't always sufficient. For some types of files, all that matters is that the processor can detect its own content within another file...
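A PNG/ZIP polyglot is the textbook instance of this: PNG readers only look at the leading signature and stop at the IEND chunk, while ZIP readers locate their structure from the end of the file and ignore whatever precedes it. The example below is added here and is not code from the write-up; it builds a tiny valid PNG, appends a ZIP archive with a constructed member, and shows that a signature-only check accepts the file while a ZIP-aware processor happily reads the hidden member. The stricter check rejects any bytes after IEND.

```python
import io
import struct
import zipfile
import zlib

PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"


def minimal_png(width=1, height=1):
    """Build a small, valid 8-bit grayscale PNG (constructed sample input)."""
    def chunk(tag, payload):
        body = tag + payload
        return (struct.pack(">I", len(payload)) + body
                + struct.pack(">I", zlib.crc32(body) & 0xFFFFFFFF))
    ihdr = struct.pack(">IIBBBBB", width, height, 8, 0, 0, 0, 0)
    raw = b"".join(b"\x00" + b"\x00" * width for _ in range(height))  # filter byte + row
    return (PNG_SIGNATURE + chunk(b"IHDR", ihdr)
            + chunk(b"IDAT", zlib.compress(raw)) + chunk(b"IEND", b""))


def make_polyglot(member_name, member_data):
    """PNG first, ZIP appended: each parser finds 'its' file in the same bytes."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(member_name, member_data)
    return minimal_png() + buf.getvalue()


def naive_is_png(data):
    """The insufficient check: only the 8-byte PNG signature."""
    return data[:8] == PNG_SIGNATURE


def hidden_zip_members(data):
    """What a ZIP-aware processor (a jar or phar loader, say) sees in the
    same bytes; zipfile tolerates arbitrary data before the archive."""
    if not zipfile.is_zipfile(io.BytesIO(data)):
        return {}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return {info.filename: zf.read(info.filename) for info in zf.infolist()}


def strict_is_png(data):
    """Signature, a well-formed chunk walk, and nothing at all after IEND."""
    if not naive_is_png(data):
        return False
    off = 8
    while off + 8 <= len(data):
        length, tag = struct.unpack_from(">I4s", data, off)
        off += 12 + length  # length field + tag + payload + CRC
        if tag == b"IEND":
            return off == len(data)
    return False


if __name__ == "__main__":
    poly = make_polyglot("payload.txt", b"hello from the zip half")
    print("naive PNG check:", naive_is_png(poly))
    print("zip members:   ", hidden_zip_members(poly))
    print("strict PNG check:", strict_is_png(poly))
```

Rejecting trailing data is the cheap mitigation; the robust one is to decode and re-encode uploaded images so that anything a different parser could recognize is discarded rather than merely detected.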
The title pretty accurately describes this issue: there is little to no security implemented in Honda and Acura keys/remotes. An attacker can simply capture a remote's transmission and then replay it to the vehicle at a later time...
WhatsApp lets users apply filters to images. The way these filters work is they take a "source" image, apply transformations to the underlying pixel data, then save the new image...
Bhyve is FreeBSD's type-2 hypervisor. The author of this GitHub security advisory discovered six bugs that can lead to a VM escape in various drivers, and all of them are essentially the same issue in different places...
Synacktiv ended up investigating the Western Digital Pro PR4100 when looking at the target list for Pwn2Own Tokyo 2020. When looking at this device, they took particular interest in the web server and reversed the cgi-bin that implemented it...