Vulnerabilities (Page 29)

VMware Authentication Bypass Vulnerability [CVE-2022-22972]

Honestly, this is a bit of a crazy issue to see, during Login, if the LocalPasswordAuthAdapter gets used, it will attempt to validate the login credentials with whatever host is in the Host header, an attacker can often control this header completely. And so by pointing the header to a domain the attacker controls they can setup a server that will respond with an HTTP 200 to the authentication request allowing the attacker to login.

 

[GitLab] Stored XSS in Notes (with CSP bypass)

It seems that the syntax highlighting filter will read the data-sourcepos attribute rather permissively including newlines and angle brackets. This value gets reflected back out into the page where the browser will end up interpreting as HTML some of the text the backend throught was in the attribute.

 

Breaking Reverse Proxy Parser Logic

At its core, a simple issue with path normalization between a reverse proxy and the end server, one treated ..%2f as a traversal and the other did not.This was used by the author to access internal NGINX Plus endpoints and was able to take advantage of it and was able to add his own server to the upstream list…

 

[Glovo] Integer overflow vulnerability

Funny bug in Glovo, which is a delivery platform for taking orders and dispatching deliveries.The bug is an integer overflow in the quantity parameter of the POST request for the order, which can affect the total price of the order…