Vulnerabilities tagged "web"
Great documentation of the process finding a WAF process, building up the final payload bit by bit. OTP Leaking Through Cookie Leads to Account Takeover
The title is all you really need on this one, the OTP was reflected in the cookies so no need to actually receive it. Abusing JSON-Based SQL to Bypass WAF
Two parts to the post the vulnerability is a simple SQL injection, URL data winds up in the query.Nothing too special there... XSS on account.leagueoflegends.com via easyXDM
A long chain of issues that leads to XSS in the league of legends (LoL) account subdomain via easyXDM, which is a developer focused JS library that provides an interface for doing cross-origin communication using various protocols.easyXDM consists of a producer-consumer setup, where a producer page exports functions for the consumer page to invoke... [Hyundai] Remotely control the locks, engine, horn, headlights, and trunk of vehicles made after 2012.
An email normalization issue allowing for remote control of a vehicle. Grafana RCE via SMTP server parameter injection
The `username`, `from_name` and `password` fields of the SMTP server configuration accept new-line characters that will be printed directly into the resulting configuration file.Using this it is possible to include configuration parameters that are not normally exposed... Unauthenticated Remote Code Execution in Spotify’s Backstage
This blogpost is essentially using a previous sandbox escape they discovered against Backstage, which is Spotify's incubated solution for managing infrastructure and microservices and such.Backstage includes software templates, which can contain ` message` parameter that gets rendered in Nunjucks (a JS templating engine)... SQL Injection in ManageEngine Privileged Access Management [CVE-2022-40300]
An SQLi in Password Manager Pro, which is bundled with Manage Engine's Privileged Access Management 360 (PAM360) and Access Manager Plus.In the password manager, there's a concept of "resources" which can be added or edited, which internally submits a multipart form request to the `AddResourceType.ve` endpoint... RCE in Tailscale, DNS Rebinding, and You [CVE-2022-41924]
A number of bugs in Tailscale leading to an RCE chain. Stealing passwords from infosec Mastodon - without bypassing CSP
Starts off with a somewhat classic parser attack,, placing a parsable object inside of another context hoping to trip up the system.In this case Gareth Heyes was able to inject `:verified:` within a supported HTML attribute, and have it be replaced with the emoji as an ` ` tag...
Race Condition in Gradafa leading to Authentication Bypass
Its the description that caught my eye on this one, a race condition leading to authentication bypass. Cross-Site Tracing was possible via non-standard override headers [CVE-2022-45411]
Cross-Site Tracing is a vulnerability I didn't think I'd be hearing about again, yet here we are. A Confused Deputy Vulnerability in AWS AppSync
Bypassing an authentication check in AWS AppSync by changing the case of a JSON key. Client-Side Path Traversal Chained With Open Redirect to Inject CSS
An interesting look at an overlooked vulnerability, client-side path traversal.A client-side path traversal is when the path traversal attack lands on the client side rather than the more traditional attack against server-side files... Blind SSRF to LQL Injection to File Deletion to Authentication Bypass in Checkmk
A long chain of issues going from blind SSRF to new-line injection to a blind Livestatus Query Language (LQL) injection to arbitrary file deletion and finally a race condition leading to authentication bypass.