The fundamental issue is as basic as it gets: one of the first attacks many budding hackers learn is `' or 1=1` in a login page. Well, this was a SQLi in the username field of a login form, taken a little further by enabling `xp_cmdshell` and gaining code execution...
The first issue was that the endpoint for changing a user's password took as an argument a user ID which was not validated against the currently logged-in user, allowing any user to change the password of any other account provided they knew the target user's unique ID. These ID values were thankfully not easily guessed.
Straightforward XSS and CSRF issues in Concrete CMS when adding a calendar event. The XSS was closed as a non-issue because the application provides users control over the HTML, including adding scripts...
Only the phone number parameter was being validated. So an attacker could maliciously modify the country code...
Had a JWT, and noticed functionality to invite a user to a group and then change their privileges; these privileges were reflected in the JWT scopes. Through modification of this edit-user request, additional scopes that were not displayed could be added, such as the `company:operations` and `company:support` scopes...
Bit of a saga starting with a patch to Apache httpd earlier this year that introduced an old vulnerability back into Apache when encountering
Root cause here is an XSS in the "My Flow" feature resulting in client-side code execution.
Three more OAuth flow vulnerabilities
Three meme vulnerabilities in Cisco Hyperflex, two unauthenticated RCEs, one unauthenticated directory traversal attack in a file upload, and two traversal attacks that were authenticated.
Thirteen distinct vulnerabilities in Apache Dubbo related to insecure deserialization, and an excellent look at using CodeQL to assist manual vulnerability research and attack surface discovery. A lot of the interesting points in this post are more about the discovery of new attack surface rather than in the vulnerabilities themselves.