The root issue is that WebKit violates the Content-Security-Policy (CSP) specification for violation reports: the `documentURI` field of the report leaks the destination of a violating redirect rather than the origin.
Even if a Shopify blog was private and required a password, the post titles and a preview of their content would still be published in the globally accessible Atom feed.
Great little bug taking advantage of the ability to manage GSuite users directly from within `domains.google.com`, which trusted the GSuite organization name and ID supplied in the user's request. By swapping out the organization's domain and ID (this does require knowing the target organization's numeric ID) in the requests `domains.google.com` makes when adding a new user, the user is added to the target domain rather than to the one you actually own.
StreamLabs would normally only redirect to a set of whitelisted domains approved to receive the `access_token`. The author put some effort into discovering which domains were approved, and found that `http://dragynslair.live` was whitelisted but no longer registered...
When purchasing coins for Reddit on Android there is a call to a `/verify_purchase` endpoint which is vulnerable to a race condition. The idea is that this endpoint, when provided some of the transaction information, validates it and grants the coins to the purchaser; however, there is a problem when handling multiple concurrent requests to the endpoint...
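To make the race concrete, here is an added example (not Reddit's code, and the handler, transaction ID and coin amounts are all assumed) of a toy verify-purchase handler: the racy version checks "already credited?" and then credits in two separate steps, so concurrent requests for the same transaction all pass the check; the fixed version does the check and the credit under one lock.

```ruby
# Added example (not Reddit's code): a toy /verify_purchase handler that is
# meant to credit coins once per transaction, first with a check-then-act
# race, then with the check and the credit done under one lock.
require 'set'

class CoinLedger
  attr_reader :balance

  def initialize
    @balance = 0
    @verified = Set.new   # transaction IDs that have already been credited
    @lock = Mutex.new
  end

  # Vulnerable: the "already verified?" check and the credit are not atomic.
  # Every request that reaches the sleep before the first one finishes
  # passes the check and credits the coins again.
  def verify_purchase_racy(txn_id, coins)
    return false if @verified.include?(txn_id)
    sleep 0.01                     # stand-in for the remote receipt validation
    @verified << txn_id
    @balance += coins
    true
  end

  # Fixed: check and credit happen under one lock, so the second request for
  # the same transaction sees it as already consumed.
  def verify_purchase_safe(txn_id, coins)
    @lock.synchronize do
      return false if @verified.include?(txn_id)
      sleep 0.01
      @verified << txn_id
      @balance += coins
      true
    end
  end
end

# Fire n concurrent "requests" for the same (constructed) transaction ID
# against a fresh ledger and return the resulting balance.
def race(method, n: 20, coins: 500)
  ledger = CoinLedger.new
  threads = Array.new(n) { Thread.new { ledger.public_send(method, 'txn-abc123', coins) } }
  threads.each(&:join)
  ledger.balance
end

if __FILE__ == $PROGRAM_NAME
  puts "racy handler credited: #{race(:verify_purchase_racy)} coins for one purchase"
  puts "safe handler credited: #{race(:verify_purchase_safe)} coins for one purchase"
end
```

In a real service the lock would be a database-level one (a unique constraint on the transaction ID, or `SELECT ... FOR UPDATE`) rather than an in-process mutex, since the concurrent requests may land on different app servers.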
An unauthenticated file read in GoCD's Business Continuity add-on (installed and enabled by default), due to a configuration change that exposed the add-on to unauthenticated users.
Mermaid is a markdown-like syntax for generating flowcharts and is supported by GitLab's markdown parser. The Mermaid parser itself can be provided various configuration options at initialization time, and some of those can then be overridden by inline directives...
Discourse exposes a webhook that takes a user-provided "subscribe URL" and passes it into `open()` unsanitized. Because Discourse is written in Ruby, it's possible to get command execution via the subscribe URL by way of the pipe operator: `Kernel#open` treats a string that starts with `|` as a command to run rather than a file to open...
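The Ruby behaviour behind this, as an added example that is not Discourse's code (the function names and the attacker payload are assumed): `Kernel#open` on a string beginning with `|` spawns a shell command and returns a pipe to it, so a URL-shaped parameter handed straight to `open` is command execution. The safe variant parses the value as a URI, allows only `http`/`https`, and uses `URI.open`, which never spawns a process.

```ruby
# Added example (not Discourse's code): why passing attacker-controlled input
# to Kernel#open is command execution, and a safe way to fetch a URL instead.
require 'uri'
require 'open-uri'

# Vulnerable: Kernel#open treats a string beginning with "|" as a shell
# command, runs it, and returns a pipe to its output. No URL is ever fetched.
def fetch_vulnerable(subscribe_url)
  open(subscribe_url) { |io| io.read }
end

# Fixed: parse as a URI, allow only http(s), then use URI.open, which only
# performs HTTP requests. Rejecting other schemes first also keeps file://
# and similar out; a "|..." string fails URI.parse before it gets anywhere.
def fetch_safe(subscribe_url)
  uri = URI.parse(subscribe_url)
  unless %w[http https].include?(uri.scheme)
    raise ArgumentError, "scheme not allowed: #{uri.scheme.inspect}"
  end
  URI.open(uri.to_s) { |io| io.read }   # network call; not reached in this demo
end

PAYLOAD = '|echo pwned'   # constructed attacker-supplied "subscribe URL"

if __FILE__ == $PROGRAM_NAME
  puts "vulnerable open(): #{fetch_vulnerable(PAYLOAD).strip}"   # the echo ran
  begin
    fetch_safe(PAYLOAD)
  rescue ArgumentError, URI::InvalidURIError => e
    puts "safe version rejected the payload: #{e.class}"
  end
end
```

The same pattern applies to `IO.read`, `IO.readlines` and `IO.foreach`, which also accept a leading `|`; use `File.read` or `File.open` when the argument is meant to be a path, and `URI.open` when it is meant to be a URL.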
It is possible for a malicious website to associate a visitor with a known Slack account. The attack relies on a difference in behavior when accessing a file with and without permission, and on the ability to share a file with specific users...
Reddit had an issue in associating transactions with order information. If you initiated a coin purchase for, say, $1.99, the order would be created and the order ID could be obtained...
A simple bug in how MySQL deals with the `e` scientific notation for numbers (`1.1e5` for 110000, as an example) could be abused to bypass various Web Application Firewalls (WAFs). The bug is that the lack of any digits following the `e` would result in the term being stripped from the query with nothing put in its place...
WebSockets have always been a little bit special when it comes to security considerations: they are a newer technology and the security concerns are often not well understood. WebSocket hijacking tends to occur because WebSocket connections are not protected by the Same-Origin Policy (SOP) the way more traditional resources are, so a malicious website can by default connect to a foreign WebSocket using the victim's cookies (assuming `SameSite` is not at play).
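Because the browser attaches cookies to the upgrade request no matter which site opened the socket, the server's only signal of who initiated the connection is the `Origin` header, and checking it during the handshake is the usual fix. The following is an added example, not code from the original page or any of the projects above: a minimal server-side handshake that parses the raw upgrade request, refuses to answer 101 unless `Origin` is on an allowlist (a missing `Origin` is treated as cross-site for a cookie-authenticated endpoint), and computes `Sec-WebSocket-Accept` per RFC 6455. The request text, hostnames and allowlist are constructed for the example.

```ruby
# Added example (not from the original page): the server side of a WebSocket
# handshake that rejects cross-site upgrades by validating the Origin header
# before switching protocols.
require 'digest/sha1'

WS_GUID = '258EAFA5-E914-47DA-95CA-C5AB0DC85B11'   # fixed by RFC 6455

# Parse the request line and headers of a raw HTTP upgrade request.
def parse_request(raw)
  lines = raw.split(/\r?\n/)
  headers = {}
  lines[1..].each do |line|
    break if line.empty?
    name, value = line.split(':', 2)
    headers[name.strip.downcase] = value.to_s.strip
  end
  { request_line: lines[0], headers: headers }
end

# Sec-WebSocket-Accept per RFC 6455 section 4.2.2: base64(sha1(key + GUID)).
def accept_key(sec_websocket_key)
  [Digest::SHA1.digest(sec_websocket_key + WS_GUID)].pack('m0')
end

# Decide whether to upgrade. Cookies arrive regardless of who opened the
# socket, so the Origin header is the only evidence of the initiating site;
# an absent Origin is refused just like an unknown one.
def handshake(raw, allowed_origins:)
  h = parse_request(raw)[:headers]
  unless h['upgrade'].to_s.casecmp?('websocket') && h['sec-websocket-key']
    return "HTTP/1.1 400 Bad Request\r\n\r\n"
  end
  return "HTTP/1.1 403 Forbidden\r\n\r\n" unless allowed_origins.include?(h['origin'])

  "HTTP/1.1 101 Switching Protocols\r\n" \
  "Upgrade: websocket\r\n" \
  "Connection: Upgrade\r\n" \
  "Sec-WebSocket-Accept: #{accept_key(h['sec-websocket-key'])}\r\n\r\n"
end

ALLOWED = ['https://app.example.com'].freeze   # assumed allowlist for the demo

# Constructed upgrade request; the key is the RFC 6455 sample nonce.
def sample_request(origin)
  "GET /chat HTTP/1.1\r\nHost: app.example.com\r\nUpgrade: websocket\r\n" \
  "Connection: Upgrade\r\nSec-WebSocket-Key: dGhlIHNhbXBsZSBub25jZQ==\r\n" \
  "Sec-WebSocket-Version: 13\r\nCookie: session=abc\r\n" \
  "#{origin ? "Origin: #{origin}\r\n" : ''}\r\n"
end

if __FILE__ == $PROGRAM_NAME
  puts handshake(sample_request('https://app.example.com'), allowed_origins: ALLOWED)
  puts handshake(sample_request('https://evil.example'), allowed_origins: ALLOWED)
  puts handshake(sample_request(nil), allowed_origins: ALLOWED)
end
```

The allowlist must be an exact match on the full origin (scheme, host and port); a substring or prefix check lets `https://app.example.com.evil.example` through. Pairing this with `SameSite` cookies and a per-connection token in the upgrade URL gives defence in depth, since `Origin` is under the browser's control but can be absent from non-browser clients.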