Easy vulnerability that shows how checking the magic numbers of a file isn't always sufficient. For some types of files all that matters is that the processor can detect its own content within another file...
The title pretty accurately describes this issue: there is little to no security implemented within Honda and Acura keys/remotes. An attacker can simply capture and then replay it at a later time to the vehicle...
WhatsApp has the ability for users to apply filters on images. The way these filters work is they take a "source" image, apply transformations on the underlying pixel data, then save the new image...
Bhyve is FreeBSD's type-2 hypervisor. The author of this GitHub security advisory discovered 6 bugs that can lead to a VM escape in various drivers, and all of them are essentially the same issue in different places...
Synaktiv ended up investigating the Western Digital Pro PR4100 when looking at the target list for Pwn2Own Tokyo 2020. When looking at this device, they took particular interest in the webserver, and reversed the cgi-bin that implemented it...
This post covers a heap overflow in the InnoDB memcached plugin for MySQL. The "get" command implementation first tokenizes the key-value pairs then fetches them...
**tl;dr** - The OAuth endpoint parses the URL parameters `redirect_uri` and `redirect_uri[0` (note the missing `]`) as pointing to the same variable, allowing the second to overwrite the first. The front-end, however, sees them as two distinct keys and so redirects the OAuth token to the `redirect_uri`, while the endpoint validates that the other value points to a whitelisted location.
I'm not sure what the normal flow for a "One Tap Password" is, but `/scauth/otp/droid/logout` can be used to retrieve an OTP token in the response, which can be passed to `/scauth/otp/login` along with the username to log in.
After finding an open redirect in Datalore's endpoint for authenticating via JetBrains, the author dug into the auth process to see if it could be turned into an attack. They discovered that if an `auth_url` parameter was specified (which had to be a valid JetBrains subdomain), Datalore would send the user as well as their JWT token to the given URL...
Ghost 4.0.0 added a theme preview feature to the admin panel's front-end. The preview page contains a message event listener for `postMessage()`, which will take any messages and directly write that message into the page contents...