Easy vulnerability that shows how checking the magic numbers of a file isn't always sufficient. For some types of files, all that matters is that the processor can detect its own content within another file...
**tl;dr** - The OAuth endpoint parses the URL parameters `redirect_uri` and `redirect_uri[0` (note the missing `]`) as pointing to the same variable, allowing the second to overwrite the first. The front-end, however, sees them as two distinct keys, and so it redirects the OAuth token to the `redirect_uri` value while the endpoint validates only that the other value points to a whitelisted location.
I'm not sure what the normal flow for a "One Tap Password" is, but `/scauth/otp/droid/logout` can be used to retrieve an OTP token in the response, which can then be passed to `/scauth/otp/login` along with the username to log in.
After finding an open redirect in Datalore's endpoint for authenticating via JetBrains, the author dug into the auth process to see if it could be turned into an attack. They discovered that if an `auth_url` parameter was specified (which had to be a valid JetBrains subdomain), Datalore would send the user, as well as their JWT token, to the given URL...
Ghost 4.0.0 added a theme preview feature to the admin panel's front-end. The preview page contains a message event listener for `postMessage()`, which will take any message and directly write its contents into the page...
When looking into the API internals of JetBrains' YouTrack, the author discovered an undocumented endpoint for getting issue descriptions without any styling or markdown. This endpoint was not protected with role validation or any user authentication at all, likely because it's only meant to be used internally...
The vulnerability here is in libterm.js as used by AWS CloudShell. When handling the escape to get the Termcap/Terminfo string (+q), it'll reflect the parameter right back into the response...
The vulnerability itself is in ExifTool: when parsing DjVu archive metadata it will parse the token, do some validation on it to make sure it's safe, and then call `eval` on it to parse the C-style string escapes within the string. The problem is that the validation trips up on handling an escaped newline, ignoring the newline character and treating the next character as the escaped one...
This is a surprisingly simple reflected XSS on instagram.com. A `next=` URL parameter is reflected into an `href`, and a `javascript:` target can be included for the URL...
Workplace by Facebook would allow workplace administrators to enable a "self-invite" option. Anyone with an email on an approved domain could invite themselves into the workplace...