The bug comes from GitLab's use of Rails UJS (Unobtrusive JavaScript). While known `data-*` attributes like `data-url` and `data-method` are stripped by DOMPurify, arbitrary `data-*` attributes aren't...
Interesting but fairly simple vuln in rubygems. It's a design flaw or logic bug in the way versioning works when yanking a gem...
Authentication bug in Priceline through the use of Google OneTap. The problem is that they assume emails provided through Google OneTap are verified and authentic...
A chain of bugs starting with a "third party" information disclosure and leading to an account takeover. The third-party aspect can be argued, but as a vuln classification it feels like the best fit for the root of this issue...
Authentication bug for this sensitive `/mgmt/tm/util/bash` endpoint, which, as the name suggests, will take commands and execute them. The endpoint was protected by authentication, but that authentication was vulnerable to a kind of desync...
Two fundamental issues allowing for XSS in Ruby on Rails (RoR) applications. As RoR is just a framework, these all depend on an application using the framework in a way that exposes these vulnerabilities.
This starts off in a pretty straightforward way with an arbitrary file upload vulnerability, but also includes a bit of discussion about exploiting it in a more hardened environment, which offered some interesting insight.
By hiding a cross-site scripting attack in the profile update functionality, specifically the profile image. Judging from the payload, it looks like straightforward unescaped input that gets reflected on profile pages, though they did need to contend with Cloudflare's WAF...
Hard-coded credentials strike again, enabling a couple of Server-Side Request Forgeries, as the URL to be requested was inside an encrypted, but user-provided, URL parameter. Within the application there were a couple of endpoints that would take a `Url` parameter...
Probably as easy a 2FA bypass as I've seen. Effectively, if the account had 2FA, the second stage of the password reset form would submit to `/reset2fa`, and if there was no 2FA registered for the account, it would submit to `/reset`. So the attack was just to modify the submission to point to `/reset` instead of `/reset2fa`, and it wouldn't prompt for the 2FA token.