Weak entropy in a password reset token, and an archive escape using symlinks to achieve code execution.
This is a weird one, but easily understood; when using OmniAuth as the authentication provider (for example OAuth, LDAP, or SAML login) a hardcoded password would be associated with the account.
A directory traversal issue; the root of it is a flawed regex and replace: `#(/)[^\/]+/\.\./#`. This regex will match on `directory/../` and, once matched, it is replaced with the first match group (`/`)...
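An added example (not from the original writeup or the affected project) showing why a single-pass strip with this regex is not a safe sanitizer, and the containment check a defender would use instead. The regex is the one quoted above; the base directory, the constructed request paths and the Python port are assumptions (`re.sub` has the same non-overlapping, single-pass semantics as PHP's `preg_replace`, so the behaviour carries over).

```python
import posixpath
import re

# The regex quoted on the page, PCRE '#(/)[^\/]+/\.\./#', ported to Python's re.
# Both preg_replace and re.sub replace non-overlapping matches in one
# left-to-right pass and never rescan the text they just produced.
TRAVERSAL_RE = re.compile(r"(/)[^\/]+/\.\./")

# Constructed base directory for the examples (assumption, not from the page).
BASE_DIR = "/srv/app/public"


def strip_traversal_once(path: str) -> str:
    """The sanitizer as the page describes it: every '/dir/../' becomes '/'.

    A '../' that only becomes adjacent to the preceding '/' after a
    replacement is never revisited, so it survives the strip.
    """
    return TRAVERSAL_RE.sub(r"\1", path)


def resolve_under_base(base_dir: str, request_path: str) -> str:
    """Lexically resolve request_path relative to base_dir (no filesystem access)."""
    base = posixpath.normpath(base_dir)
    return posixpath.normpath(posixpath.join(base, request_path.lstrip("/")))


def contained_in_base(base_dir: str, request_path: str) -> bool:
    """Defender's check: accept only paths whose resolved form stays under base_dir.

    This inspects the normalised result rather than the raw string, so it is
    not fooled by '..' segments a regex strip happened to leave behind, and
    commonpath (rather than startswith) also rejects sibling prefixes such as
    '/srv/app/public2'.
    """
    base = posixpath.normpath(base_dir)
    candidate = resolve_under_base(base, request_path)
    return posixpath.commonpath([base, candidate]) == base


if __name__ == "__main__":
    # Constructed request paths: one benign, one that still escapes after the strip.
    for request in ("docs/tmp/../guide.md", "docs/tmp/../../../private/notes.txt"):
        stripped = strip_traversal_once(request)
        verdict = "OK" if contained_in_base(BASE_DIR, stripped) else "REJECT"
        print(f"{request!r} -> {stripped!r} resolves to "
              f"{resolve_under_base(BASE_DIR, stripped)} [{verdict}]")
```

The point of the check is that the decision is made on the canonical path, not on whether a particular string pattern is absent after one pass of substitution; any single-pass strip can be left with a `..` segment that the pass did not see as part of a `/dir/../` run.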
I'm not even too sure why this one works, but basically changing the JSON object sent results in being able to log in as (presumably) arbitrary accounts.
A chain of issues going from an XSS to a remote file download in a server-side PDF renderer, leading to remote-code execution. The XSS initially seemed a bit weak, as the application had no secrets or even authentication, so attacking other users would not provide much gain...
Great bounty for a fairly simple bug: the `showSaveFilePicker` API would allow JavaScript to provide options including a default filename, which could include `%environment%` variables on Windows. The JavaScript could then access the name of the saved file in the resulting promise.
A nice chain leading to unauthenticated RCE: a path traversal leading to server-side request forgery, used to hit the application's API from localhost and leak administrative credentials, then an unescaped argument in a privileged-off task for command injection.
Two issues: first an XSS requiring two injection points to bypass the web-application firewall, and second a cache poisoning attack making it possible for the XSS to be stored.
Two Facebook Canvas issues enabling an attacker application to get privileged first-party API keys by pretending to be Instagram or another first-party application.
Abusing an otherwise secure call to `shell_exec` allows users to control part of the `sed` commands, leading to code execution. One thing of note is that this is the FreeBSD version of `sed`, which differs from the more common GNU version in that it doesn't include the commands that directly execute commands...