It's the description that caught my eye on this one, a race condition leading to authentication bypass.
Cross-Site Tracing is a vulnerability I didn't think I'd be hearing about again, yet here we are.
Bypassing an authentication check in AWS AppSync by changing the case of a JSON key.
An interesting look at an overlooked vulnerability, client-side path traversal. A client-side path traversal is when the path traversal attack lands on the client side rather than the more traditional attack against server-side files...
A long chain of issues going from blind SSRF to new-line injection to a blind Livestatus Query Language (LQL) injection to arbitrary file deletion and finally a race condition leading to authentication bypass.
The root of the issue is that XSLTC (which turns XSLT into a Java class to be executed for better performance) does not account for the fact that the `constant_pool_count` in a Java class is only 16 bits. An attacker can create an XSLT document containing too many constants, all of which will be written to the class file, but the count will be truncated to 16 bits, leading to some of those constants being interpreted as part of the class file containing things like field and method descriptions for the class.
As the title says, some weird load balancer issues, the core problem being that user-specific data would be cached and returned to other users.
A cool look at finding a vulnerability on a statically generated website, due to the presence of an image optimizer running as a serverless function. The Netlify IPX would normally validate image URLs before fetching them to ensure the host is whitelisted (none by default), however this whitelist is skipped when it believes the URL is a local URL, meaning it does not start with `http`...
A somewhat simple security control bypass in Apache Batik's `DefaultScriptSecurity` and `DefaultExternalResourceSecurity` controls. Where Batik has to be able to load SVG files (and associated resources) from either a local or remote source, it makes for an interesting attack for SSRF and/or RCE...
Improper handling of multi-line header values, specifically in handling the `Transfer-Encoding` header: Node would parse the value up to the first newline and not include the remaining content.