Straightforward IDOR, but the vulnerable feature is somewhat hidden. Within Google Data Studio you have an option to create a template and then add that template to a report; it is the process of persisting that template in a report that is vulnerable to IDOR.
There seem to be a lot of gaps in this writeup, but to the best of my understanding the bug is a straightforward XSS, only in the MCS WebView, giving access to the `window.GalaxyStore` object, which can be used to download or open any application from the store.
Facebook's SMS Captcha page would, as you might expect, display a captcha; the user fills it out, and the page then makes a POST request to the next page, including the anti-CSRF token. The problem is that the next location was determined by the `next` URL parameter, which was entirely attacker controlled and could be pointed at sensitive GraphQL endpoints.
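The fix for this class of bug is to never let a user-supplied `next` value choose where a token-bearing request goes. The validator below is an added example, not code from the writeup or from Facebook: it accepts only a relative path on the application's own origin and falls back to a default destination for anything else (absolute URLs, protocol-relative `//host` forms, backslash tricks that browsers normalise to `//`, and non-http schemes). The `/api/graphql` prefix used as a sensitive-endpoint denylist is a constructed placeholder.

```python
from urllib.parse import urlsplit

# Constructed defaults: where to send the user when `next` is rejected, and
# a placeholder prefix standing in for the sensitive GraphQL endpoints the
# writeup mentions (token-bearing POSTs must never be steered there).
DEFAULT_NEXT = "/home"
SENSITIVE_PREFIXES = ("/api/graphql",)


def safe_next(next_param, default=DEFAULT_NEXT):
    """Return a post-captcha destination that cannot leave the app's origin.

    Only a plain relative path is accepted. Anything with a scheme or a
    host component, a protocol-relative form, a backslash (browsers treat
    "/\\evil" like "//evil"), control characters, or a path under a
    sensitive prefix is replaced by the default destination.
    """
    if not next_param:
        return default
    parts = urlsplit(next_param)
    if parts.scheme or parts.netloc:
        return default  # absolute URL or //host form
    if not next_param.startswith("/") or next_param.startswith("//"):
        return default
    if "\\" in next_param or "\r" in next_param or "\n" in next_param:
        return default
    if parts.path.startswith(SENSITIVE_PREFIXES):
        return default
    return next_param


if __name__ == "__main__":
    for candidate in ["/account/settings", "https://evil.example/x",
                      "//evil.example/x", "/\\evil.example",
                      "javascript:alert(1)", "/api/graphql?q=1"]:
        print(f"{candidate!r:32} -> {safe_next(candidate)!r}")
```

An allowlist of known post-captcha pages is stricter still; the point here is that the destination must be decided by the server, not by the attacker.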
Yet another case of automatically turning attacker data into full-blown objects being a bad idea. In this case the Sawyer library used by Octokit turns API responses into Ruby objects that are then used to build Redis commands, allowing an attacker to inject arbitrary Redis commands with a crafted API response, leading to code execution.
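Command injection into Redis only works when a value from the response is spliced into the wire protocol by string concatenation, because a `\r\n` inside the value then starts a new command. The code below is an added illustration, not the Octokit or Sawyer code: it models both ways of encoding a command (inline concatenation versus RESP bulk strings, which is what real client libraries emit) and a minimal parser mimicking how the server splits its input, so you can see that the same attacker-controlled value yields two commands in one case and a single command with an odd-looking argument in the other. The injected `DEL` is a constructed, harmless stand-in.

```python
def inline_command(*args: bytes) -> bytes:
    """VULNERABLE: inline protocol built by joining arguments into one line.

    Any CR/LF inside an argument terminates the command early and whatever
    follows is parsed as a fresh command.
    """
    return b" ".join(args) + b"\r\n"


def resp_command(*args: bytes) -> bytes:
    """SAFE: RESP encoding. Every argument is a length-prefixed bulk string,
    so its bytes are copied verbatim and never interpreted as protocol."""
    out = [b"*%d\r\n" % len(args)]
    for a in args:
        out.append(b"$%d\r\n%s\r\n" % (len(a), a))
    return b"".join(out)


def parse_stream(buf: bytes):
    """Minimal model of how a Redis server splits its input into commands.

    A line starting with '*' opens a RESP array of '$<len>' bulk strings;
    any other non-empty line is an inline command split on whitespace.
    Returns a list of commands, each a list of argument byte strings.
    """
    cmds, pos = [], 0
    while pos < len(buf):
        end = buf.index(b"\r\n", pos)
        line, pos = buf[pos:end], end + 2
        if line.startswith(b"*"):
            args = []
            for _ in range(int(line[1:])):
                end = buf.index(b"\r\n", pos)
                length = int(buf[pos + 1:end])      # skip the '$'
                pos = end + 2
                args.append(buf[pos:pos + length])
                pos += length + 2                    # value plus its CRLF
            cmds.append(args)
        elif line:
            cmds.append(line.split())
    return cmds


# Constructed: a field an attacker controls through a crafted API response.
EVIL_VALUE = b"harmless\r\nDEL important_key\r\n"


def commands_seen(encoder) -> int:
    """How many commands the server would execute for one SET built by `encoder`."""
    return len(parse_stream(encoder(b"SET", b"name", EVIL_VALUE)))


if __name__ == "__main__":
    print("inline :", parse_stream(inline_command(b"SET", b"name", EVIL_VALUE)))
    print("resp   :", parse_stream(resp_command(b"SET", b"name", EVIL_VALUE)))
```

The defensive takeaway is that data from an untrusted response must only ever reach Redis as an argument passed to the client's command API (which RESP-encodes it), never by formatting it into a command string, and that objects deserialised from such responses should not be able to influence which command is run.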
Just another thing to be testing for: it was found that the Apache Commons Text library, when doing a `StringLookup`, will do variable expansion, supporting several prefixes like `url` to fetch data from a remote URL or `script` to execute a Javax string...
Multiple static functions in `InetAddress` like `getByName` and `getAllByName` can be used both to resolve a name string to an IP address and to validate the format of an address. The problem is that the OpenJDK implementation does not properly validate the format of an IP address string...
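The practical consequence of a lenient address parser is that string-based allow/deny checks and the resolver disagree about what an input means. This added example (not from OpenJDK or the writeup) contrasts a permissive parser, the C library's `inet_aton` as exposed by Python's `socket` module, which accepts shorthand, hexadecimal and octal octets, with a strict dotted-quad validator, and shows how a naive string blocklist is bypassed when the two disagree. `inet_aton` behaviour is that of glibc on Linux.

```python
import socket

DIGITS = set("0123456789")


def lenient_ipv4(s: str):
    """What a permissive parser accepts, normalised to dotted-quad.

    socket.inet_aton is the C library's inet_aton (glibc here), which takes
    '127.1', '0x7f.0.0.1' and '0177.0.0.1' as 127.0.0.1. Returns None if
    even that parser rejects the input.
    """
    try:
        return socket.inet_ntoa(socket.inet_aton(s))
    except OSError:
        return None


def strict_ipv4(s: str):
    """Strict validation: exactly four ASCII-decimal octets in 0..255,
    no leading zeros, no hex, no shorthand. Returns the canonical form or None."""
    parts = s.split(".")
    if len(parts) != 4:
        return None
    for p in parts:
        if not p or set(p) - DIGITS:
            return None
        if len(p) > 1 and p[0] == "0":
            return None
        if int(p) > 255:
            return None
    return ".".join(str(int(p)) for p in parts)


def bypasses_blocklist(candidate: str, blocklist) -> bool:
    """True when a string comparison would let `candidate` through but a
    lenient resolver would turn it into a blocked address anyway."""
    if candidate in blocklist:
        return False
    resolved = lenient_ipv4(candidate)
    return resolved is not None and resolved in blocklist


if __name__ == "__main__":
    blocked = {"127.0.0.1"}
    for s in ["127.0.0.1", "127.1", "0x7f.0.0.1", "0177.0.0.1", "010.0.0.1", "256.1.1.1"]:
        print(f"{s:12} lenient={lenient_ipv4(s)!s:10} strict={strict_ipv4(s)!s:10} "
              f"bypass={bypasses_blocklist(s, blocked)}")
```

The fix pattern is the same in any language: canonicalise with a strict parser first, compare on the canonical form, and treat any input the strict parser rejects as invalid rather than handing it to the resolver.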
The title says pretty much all that you need to know: the `got` HTTP request library for Node will follow redirects to a Unix socket. So an attacker who can invoke a request (SSRF) to a server they control could redirect that request back towards a Unix socket on the local machine...
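Whatever the HTTP client, a server-side request that follows redirects needs a policy check on each `Location` before the next hop is made. The function below is an added example written for this page, not code from `got`: it rejects non-http(s) schemes, the `http://unix:/path/to/socket:/endpoint` notation that `got` uses for Unix sockets (assumed here from `got`'s documented convention), and literal loopback, private and link-local hosts. It is pure URL inspection with no network access.

```python
import ipaddress
from urllib.parse import urlsplit


def redirect_allowed(location: str) -> bool:
    """Decide whether a server-side HTTP client may follow `location`.

    Rejects: schemes other than http/https (covers unix:, file:, etc.),
    the host literal 'unix' (got's socket syntax), localhost names, and
    literal IPs that are loopback, private, link-local or reserved.
    """
    parts = urlsplit(location)
    if parts.scheme not in ("http", "https"):
        return False
    try:
        host = parts.hostname
        parts.port  # raises ValueError on a malformed port component
    except ValueError:
        return False
    if not host:
        return False
    if host == "unix" or host == "localhost" or host.endswith(".localhost"):
        return False
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return True  # a DNS name: resolve and re-check at connect time
    return not (ip.is_loopback or ip.is_private or ip.is_link_local
                or ip.is_reserved or ip.is_multicast or ip.is_unspecified)


def follow_redirects(start: str, location_of) -> list:
    """Walk a redirect chain, stopping at the first disallowed hop.

    `location_of(url)` returns the next Location header or None; it is
    supplied by the caller (constructed mapping in the demo below).
    """
    chain, url = [start], start
    while (nxt := location_of(url)) is not None:
        if not redirect_allowed(nxt):
            break
        chain.append(nxt)
        url = nxt
    return chain


if __name__ == "__main__":
    # Constructed chain: an attacker-controlled host bouncing to a local socket.
    hops = {
        "https://attacker.example/start": "https://attacker.example/step2",
        "https://attacker.example/step2": "http://unix:/var/run/docker.sock:/containers/json",
    }
    print(follow_redirects("https://attacker.example/start", hops.get))
```

Because a hostname can resolve to a blocked address (or change between checks), the name branch above returns True only so that the same policy can be re-applied to the resolved IP at connect time; a client that cannot hook resolution should disable redirects entirely for SSRF-prone requests.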
This vulnerability builds on, and is complicated by, two past issues. The first is an RCE via caching of remote font files, which we discussed on [Episode 129](https://dayzerosec.com/vulns/2022/03/21/from-xss-to-rce-dompdf-0day.html)...