The root of the issue is that XSLTC (which compiles XSLT into a Java class to be executed for better performance) does not account for the fact that the `constant_pool_count` in a Java class is only 16 bits. An attacker can create an XSLT document containing too many constants, all of which will be written to the class file, but the count will be truncated to 16 bits, leading to some of those constants being interpreted as later parts of the class file, such as the field and method descriptions for the class.
A cool look at finding a vulnerability on a statically generated website, due to the presence of an image optimizer running as a serverless function. The Netlify IPX would normally validate image URLs before fetching them to ensure the host is whitelisted (none by default); however, this whitelist is skipped when it believes the URL is a local URL, meaning one that does not start with `http`...
A somewhat simple security control bypass in Apache Batik's `DefaultScriptSecurity` and `DefaultExternalResourceSecurity` controls. Since Batik has to be able to load SVG files (and associated resources) from either a local or remote source, it makes for an interesting attack surface for SSRF and/or RCE...
Improper handling of multi-line header values, specifically of the `Transfer-Encoding` header: Node would parse the value only up to the first newline and not include the remaining content.
Straightforward IDOR, but the vulnerable feature is somewhat hidden. Within Google Data Studio you have an option to create a template and then perhaps add that template to a report; it is the process of persisting that template in a report that is vulnerable to IDOR.
There seem to be a lot of gaps in this writeup, but to the best of my understanding the bug is a straightforward XSS, only in the MCS Webview, giving access to the `window.GalaxyStore` object to download or open any application from the store.
Facebook's SMS Captcha page would, as you might expect, display a captcha; the user fills it out, and then it makes a POST request to the next page including the anti-CSRF token. The problem is that the next location was determined by the `next` URL parameter, which was entirely attacker controlled and could be pointed at sensitive GraphQL endpoints.
Yet another case of automatically turning attacker data into full-blown objects being a bad idea. In this case we have the Sawyer library used by Octokit turning API responses into Ruby objects that are then used to build Redis commands, allowing an attacker to inject arbitrary Redis commands, leading to code execution, with a crafted API response.
Just another thing to be testing for: it was found that the Apache Commons Text library, when doing a `StringLookup`, will do variable expansion, supporting several prefixes like `url` to fetch data from a remote URL or `script` to execute a script via `javax.script`...
Multiple static functions in `InetAddress` like `getByName` and `getAllByName` can be used both to resolve a name string to an IP address and to validate the format of an address. The problem is that the OpenJDK implementation does not properly validate the format of an IP address string...
The title says pretty much all that you need to know: the `got` HTTP request library for Node will follow redirects to a Unix socket. So an attacker who can invoke a request (SSRF) to a server they control could redirect that request back towards a Unix socket on the local machine...
This vulnerability builds on, and is complicated by, two past issues. The first is an RCE via caching of remote font files; we discussed this vulnerability on [Episode 129](https://dayzerosec.com/vulns/2022/03/21/from-xss-to-rce-dompdf-0day.html)...