A nice use of the a CRLF Injection to exploit a seemingly unexploitable injection because the browser wouldn't render the page when a `Location` header was present.Basically just used the CRLF injection ot inject a `Connection: Location` header, telling the proxy to treat the `Location` header as a hop-by-hop header and drop it before passing it on to the end-user...
The XSS here is fairly basic, attacker controlled data reflected without sanitization, whats a bit more interesting is the input source, plugin metadata processed by the global Jenkin's Update Center.There is a bit of a process to getting plugins listed in the Update Center, submitted a PR and the first plugin needs to be manually approved, though the authors note that this is mostly a procedural thing...
Relatively straight forward oauth hijack/account takeover flow with one interesting aspect in actually performing the login with the hijacked OAuth code.
A long, fairly beginner friendly post about attacking a Bluetooth lock, there is a lot of process information here as it was an intern's research project. What the vulnerability comes down to though is a lack of any real authoization checking instead only validating the integrity (poorly!) of the request and trusting the app did all the heavy lifting.
In resizing a PNG, in a textual chunk you have keywords and a text string as a value, if the keyword `profile` is used, imagemagick will try to read the associated filename (the text value for the keyword) and will load the content of the file (if it exists) into the resultant image. So in cases where a user uploaded image is resized or processed in some way by imagemagick, it may be possible to leak file content in the resulting image.
There are a few issues in this post, the first is SQL injection with nothing very special going on. The later issues though are more of a bypass of application logic which I think is fairly cool.
The vulnerability here isn't too interesting, just a case of user-input being reflected into a header without sanitizing new-lines (CrLf injection). What is interesting is how they leverage this header injection primitive to bypass Akamai's web application firewall.
A couple interesting issues in OpenEMR leading to unauthenticated remote code execution and file disclosure.
A desync between the parameter the authorization check reads, and the value the actual action reads. Leading to an attacker being able to access resources that would have been denied normally.
A path traversal type issue in Kardex MLOG due to not properly handling windows path separators.The service's `GetFile`handler would check for an `/api` and `/image` slug, and if neither were present it would fall back on trying to construct a filename...