Vulnerabilities (Page 3)

Apache Log4j2 jndi RCE


If you log untrusted data using log4j… you might have an RCE. I wasn’t able to find a good root cause of this bug, but the issue itself is pretty readily understood…


[Symfony] Webcache Poisoning via X-Forwarded-Prefix and sub-request


There are two things at play with this vulnerability. First, Symfony has support for trusted_headers to indicate which headers the framework is okay to trust; recently, support for the X-Forwarded-Prefix header was added, and it could be used regardless of whether or not it was in the trusted_headers list. This could create a situation where cache poisoning would be possible, as a request could be treated differently by the application trusting an untrusted header…


[Glassdoor] CSS injection via link tag whitelisted-domain bypass

Fairly weak vulnerability to have: the URL of a remote stylesheet had minimal domain validation on it that was easily bypassed, allowing an attacker to load their own stylesheets. It is a bit of a fun issue to have, however, as this can allow exfiltrating page content and potentially sensitive information like CSRF tokens, which can then be used for a more complicated attack.


[Box] Bypassing Time-based One-Time Password (TOTP)


A partially authenticated user could remove MFA from their account. During the login process when enrolled in the MFA program, a user who had logged in with the correct credentials, but had not yet provided the MFA token, could access the /mfa/unenrollment endpoint and remove MFA from the account.


AWS SageMaker Jupyter Notebook Instance Takeover

Starts off by detailing a self-XSS through the JupyterLab Notebook’s /lab endpoint, where an attacker can control the page contents. In and of itself this isn’t an issue, as an attacker can only control the page contents of a notebook instance they own…


OOB read/write in KVM sev_es_string_io

Out-of-bounds (OOB) access in the VMGExit handler, which is triggered for string I/O instructions. The sev_es_string_io() function is responsible for doing the string copy between the unencrypted guest memory regions and the virtualized target…