The device administration web-app fails to properly validate the session cookie, allowing an unauthorized attacker to gain access. The issue depends on the internal ifttt_token not being set (default)...
Composer will query Packagist to obtain metadata about the package to download. This includes where to fetch the code from (both source and pre-built archives)...
**Tl;dr** Grammarly will add users to the wrong organization if an attacker creates an org with an entityId that matches the victim’s but with extra whitespace at the end.
Two 2FA bypasses: one based on auth state not being tied to the user's session, the other involving swapping a transaction id to trick the server into thinking the attacker's 2FA acceptance was the victim's.