The fundamental issue is as basic as it gets: one of the first attacks many budding hackers learn is `' or 1=1` in a login page. Well, this was a SQLi in the username of a login form, taken a little further by enabling `xp_cmdshell` and gaining code execution...
The first issue was that the endpoint for changing a user's password took as an argument a user ID which was not validated against the currently logged-in user, allowing any user to change the password of any other account provided they knew that user's unique ID. These ID values were thankfully not easily guessed.
Straightforward XSS and CSRF issues in Concrete CMS when adding a calendar event. The XSS was closed as a non-issue because the application provides users control over the HTML, including adding scripts...
Had a JWT, and noticed functionality to invite a user to a group and then change their privileges; these privileges were reflected in the JWT scopes. Through modification of this edit-user request, additional scopes that were not displayed in the UI could be added, such as the `company:operations` and `company:support` scopes...
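The fix for that class of bug is to treat the scopes in the request as untrusted input and allow-list them server-side, against both what the UI offers and what the caller already holds. Added example, not code from the original post or the affected application; the scope strings other than `company:operations` and `company:support`, and all function and class names, are assumptions.

```python
# Added example: server-side allow-listing of scopes in an "edit member" request.
# Assumed names: GRANTABLE_SCOPES, Session, Member, rejected_scopes, update_member_scopes.
from dataclasses import dataclass, field

# Scopes the edit-member UI actually offers to an ordinary group admin (assumed set).
GRANTABLE_SCOPES = frozenset({"company:read", "company:write"})


@dataclass
class Session:
    user_id: str
    scopes: frozenset  # scopes carried in the caller's own JWT


@dataclass
class Member:
    user_id: str
    scopes: set = field(default_factory=set)


def update_member_scopes_vulnerable(member: Member, requested: set) -> set:
    """Mirrors the bug: whatever scopes arrive in the request body are stored,
    so a client that adds company:operations gets it minted into the target's JWT."""
    member.scopes = set(requested)
    return member.scopes


def rejected_scopes(session: Session, requested: set) -> set:
    """Scopes that must not be granted: anything the UI does not offer (allow-list)
    plus anything the caller does not hold themselves (no escalation above the actor)."""
    requested = set(requested)
    return (requested - GRANTABLE_SCOPES) | (requested - session.scopes)


def update_member_scopes(session: Session, member: Member, requested: set) -> set:
    """Hardened version: reject the whole request rather than silently dropping
    the bad scopes, so the attempt surfaces in application logs."""
    bad = rejected_scopes(session, requested)
    if bad:
        raise PermissionError(
            f"user {session.user_id} attempted to grant {sorted(bad)} to {member.user_id}"
        )
    member.scopes = set(requested)
    return member.scopes
```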
Three meme vulnerabilities in Cisco HyperFlex: two unauthenticated RCEs and one unauthenticated directory traversal in a file upload, plus two traversal attacks that were authenticated.
Thirteen distinct vulnerabilities in Apache Dubbo related to insecure deserialization, and an excellent look at using CodeQL to assist manual vulnerability research and attack surface discovery. A lot of the interesting points in this post are more about the discovery of new attack surface than about the vulnerabilities themselves.
A WAF bypass by confusing the Adobe Experience Manager Dispatcher (load balancer/WAF/etc.). Not a crazy idea, but I don't think we've covered any WAF bypass quite like this on the podcast before...
For a GitLab bug, this one is nice and simple: stored XSS in the "default branch name" field. For a group you can set up what the group's default branch name should be for any new repositories created...
When SmugMug bought Flickr from Yahoo they had to move the authentication system away from Yahoo's authentication. A side-effect of this was that the account deletion process had previously used the Yahoo authentication code as the CSRF token, so in the move the token was removed and not replaced with anything functionally equivalent...