This is a weird one, but easily understood: when OmniAuth was used as the authentication provider (for OAuth, LDAP, or SAML login, for example), a hardcoded password would be associated with the account.
A directory traversal issue whose root is a flawed regex-and-replace: `#(/)[^\/]+/\.\./#`. This regex matches on `directory/../` and, once matched, the match is replaced with the first capture group (`/`)...
I'm not even too sure why this one works, but basically changing the JSON object that is sent results in being able to log in as (presumably) arbitrary accounts.
A chain of issues going from an XSS to a remote file download in a server-side PDF renderer, leading to remote code execution. The XSS initially seemed a bit weak, as the application had no secrets or even authentication, so attacking other users would not provide much gain...
Great bounty for a fairly simple bug: `showSaveFilePicker` would allow JavaScript to provide options including a default filename, which could contain Windows environment variable references (`%VAR%`). The JavaScript could then read the name of the saved file from the resulting promise.
A nice chain leading to unauthenticated RCE: a path traversal leading to server-side request forgery, used to hit the application's API from localhost and leak administrative credentials, then an unescaped argument in a privileged task giving command injection.
Two issues: first, an XSS requiring two injection points to bypass the web-application firewall, and second, a cache poisoning attack that made it possible for the XSS to be stored.
Two Facebook Canvas issues enabling an attacker's application to obtain privileged first-party API keys by pretending to be Instagram or another first-party application.
Abusing an otherwise secure call to `shell_exec` allows users to control part of the `sed` command, leading to code execution. One thing of note is that this is the FreeBSD version of `sed`, which differs from the more common GNU version in that it doesn't include the commands to directly execute commands...
Permissive parsing strikes again: MySQLjs would accept objects as values for a parameterized query, with a somewhat surprising default behaviour. The key issue here though is that MySQLjs exposes an interface that looks entirely like prepared statements, but is actually crafting the query on the client side rather than using server-side prepared statements.
I want to say the root of this issue is trying to determine by name whether an identifier is a commit hash or a branch name. While git allows the creation of branches consisting of 40 hex characters, GitHub will reject the branch...
We touched on a similar issue last week in Zabbix, where the ability to access the setup process after it was complete could lead to compromising the system. In this situation no extra trickery was necessary, as it appears to have been a bad conditional allowing re-entry to the setup functionality.
Multiple bugs in Carbon Black and vRealize Operations Manager: authentication bypass through proxy trickery, server-side request forgery, credential leaking, and ultimately RCE.
The lesson here is just don't store session data on the client, and if you must, don't take shortcuts; it's tough to get right in the first place. Effectively, here Zabbix stored session data in the user's cookies...