Permissive parsing strikes again: MySQLjs would accept objects as values for a parameterized query, with a somewhat surprising default behaviour. The key issue here, though, is that MySQLjs exposes an interface that looks exactly like prepared statements but actually crafts the query on the client side rather than using server-side prepared statements.
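As an added example (not code from the original post or from MySQLjs itself), the block below gives a simplified model of how a client-side formatter expands a plain object into `key = value` pairs, next to a type guard a defender can apply to request-derived values before they ever reach the query builder. The helper names and the simulated expansion are my own assumptions, not the library's API.

```javascript
// Added example: client-side parameter substitution and a defensive type guard.
// simulateObjectExpansion() is a simplified model written for illustration; it
// is NOT the MySQLjs implementation.

function escapeId(id) {
  // Quote an identifier the way a backtick-quoting formatter would.
  return '`' + String(id).replace(/`/g, '``') + '`';
}

function escapeScalar(v) {
  // Render a single scalar as an SQL literal.
  if (v === null || v === undefined) return 'NULL';
  if (typeof v === 'number' || typeof v === 'boolean') return String(v);
  return "'" + String(v).replace(/['\\]/g, (c) => '\\' + c) + "'";
}

// Simplified model of the surprising default: a plain object passed for a "?"
// placeholder is not bound as one value but expanded to "`k1` = v1, `k2` = v2",
// which changes the shape of the resulting SQL.
function simulateObjectExpansion(value) {
  if (value !== null && typeof value === 'object' && !Array.isArray(value)) {
    return Object.keys(value)
      .map((k) => escapeId(k) + ' = ' + escapeScalar(value[k]))
      .join(', ');
  }
  return escapeScalar(value);
}

// Defender's check: accept only scalar parameter types (plus null, Date and
// Buffer), so a JSON body carrying an object where a string was expected is
// rejected before the query string is built.
const SCALAR_TYPES = new Set(['string', 'number', 'boolean', 'bigint']);

function assertScalarParams(params) {
  params.forEach((p, i) => {
    if (p === null || p instanceof Date || Buffer.isBuffer(p)) return;
    if (!SCALAR_TYPES.has(typeof p)) {
      throw new TypeError(`parameter ${i} has non-scalar type ${typeof p}`);
    }
  });
  return params;
}

// Constructed request body, as a JSON API handler might receive it.
const body = JSON.parse('{"id": {"id": 1}}');
console.log(simulateObjectExpansion(body.id)); // `id` = 1 (shape changed)
```

Run the guard on every positional parameter list derived from client input; the check is cheap and fails closed on the exact type confusion the post describes.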
I want to say the root of this issue is from trying to determine by name whether an identifier is a commit hash or a branch name. While git allows the creation of branches consisting of 40 hex characters, GitHub will reject the branch...
We touched on a similar issue last week in Zabbix where the ability to access the setup process after it was complete could lead to compromising the system. In this situation no extra trickery was necessary as it appears to have been a bad conditional allowing reentry to the setup functionality.
Multiple bugs in Carbon Black and vRealize Operations Manager, authentication bypassing through proxy trickery, server-side request forgery, credential leaking, and ultimately RCE.
The lesson here is just don't store session data on the client, and if you must, don't take shortcuts; it's tough to get right in the first place. Effectively here Zabbix stored session data in the user cookies...
A few vulnerabilities here: inconsistently enforced permissions, server-side request forgery with an extension blocklist, and password reset link poisoning.
This just comes down to an overly verbose error message. The Coindesk website has an API endpoint that normally serves a list of published articles...
There are two bugs here: one allows an attacker to reset the password of any account, and another bypasses 2FA.
We've got two XSS "puzzles" in unnamed bounty programs, each with somewhat interesting exploit strategies. The original post is worth a read for more insight into the thought process leading to the discovery of each step.
Maybe an issue, maybe not; the Ruby devs seem to think it's a non-issue. This is a case of a library allowing some questionable input...