Vulnerabilities (Page 2)

Rocket.Chat Client-side Remote Code Execution

Rocket.Chat opens links to the same domain inside the main application window. Combined with the ability to upload files, an attacker can run JavaScript in that window and gain RCE (thanks to nodeIntegration being enabled).


Polygon Lack Of Balance Check Bugfix Postmortem

Polygon places the blame for this bug on not checking that the from address in a transfer actually has the balance to cover the transfer in the first place. While I don’t doubt that is a core issue, it feels like that may only be part of the problem, the other part being a lack of error checking, or perhaps improper error handling…


Flickr Account Takeover

tl;dr There are two key issues with Flickr’s use of AWS Cognito for their authentication. First, only the sub attribute is guaranteed to be unique and should be used to identify users. Second, the access_token provided can be used to modify user attributes. These issues can be chained to modify the email attribute (which is the attribute Flickr is using to identify accounts) and have one Cognito account map to another user’s Flickr account.


runc/libcontainer: insecure handling of null-bytes in bind mount sources

The basic idea here is that you could mount unintended paths by embedding null bytes in an otherwise acceptable mount source, and more generally through improper handling of null bytes within a mount source. While Go does not provide any special handling for strings containing null bytes, send_mountsources, written in C, just iterates over the provided message, mounting every null-terminated substring and passing the resulting fds to the child…


Windows 10 RCE: The exploit is in the link

There is an argument injection within the ms-officemd URI scheme (available by default on Windows 10 and 11) used by MS Office applications to launch other Office apps. By targeting the MS Teams Electron application, one could leverage the --gpu-launcher argument for arbitrary command injection without any hassle.


SSRF vulnerability in AppSheet - Google VRP

Server-Side Request Forgery (SSRF) in the AppSheet product, a Google acquisition that is a “no-code” application generator. One feature is that a web-hook can be executed in response to supported events…
