Vulnerabilities (Page 33)

• ‘Websocket Hijacking’ to steal Session_ID of victim users

  18 October 2021

  Websockets have always been a little bit special when it comes to security considerations, they are a newer technology and the security concerns are often not well understood. Websocket Hijacking tends to occur because websocket connections are not protected by the usual Same-Origin-Policy (SOP) that more traditional resources would be, so malicious websites can by default connect to a foreign websocket using a victims cookies (assuming SameSite is not at play).

• [Sony] SQL Injection Through User-Agent Header

  18 October 2021

  The fundamental issue is as basic as it gets, one of the first attacks many budding hackers learn is ' or 1=1 in a login page.Well this was a SQLi in the username of a login form, taken a little further by enabling xp_cmdshell and gaining code execution…

• IDOR + Account Takeover leads to PII leakage

  18 October 2021

  The first issue was that the endpoint for changing a user’s password took as an argument a user id which was not validated against the currently logged in user allowing any user to change the password to any other account providing they knew the users unique id. These ID values were thankfully not easily guessed.

• [Concrete CMS] Stored unauth XSS in calendar event via CSRF

  18 October 2021

  Straight forward XSS and CSRF issues in Concrete CMS when adding a calendar event.The XSS was closed as a non-issue because the application provides users control over the HTML, including adding scripts…

• Bypassing required reviews using GitHub Actions

  18 October 2021

  An attacker with write access to the repository could bypass branch protection rules that require all pull requests undergo a code-review before being merged.The issue is just a logic issue rooted in the fact that firstly, anyone with write access can create an unprotected branch and define GitHub Actions for it, and secondly that a GitHub action can perform code reviews (though restrictions can be added on who the approved reviewers are)…

• Typo Leads to Disclosure of Host Memory to Guest in Hyperkit [CVE-2021-32847]

  12 October 2021

  pci_vtblk_proc handling of incoming virtio descriptiors and the VBH_OP_DISCORD operation has a likely typo that allows for a guest to perform an out of bound memory read.

• Open5GS Stack Buffer Overflow During PFCP Session Establishment on UPF [CVE-2021-41794]

  12 October 2021

  When parsing session establishment request packets in ogs_fqdn_parse(), the function would take an unmitigated length and pass it directly to memcpy().The blogpost indicates the destination is a stack buffer, leading to stack overflow…

• Multiple Uninitalized Memory usages in hyperkit That may Result in Code Execution

  12 October 2021

  Four issues in HyperKit, a hypervisor based on bhyve used in docker for macOS.

• SMS OTP Could be Sent to an Attack Through a Unvalidated Country Code

  11 October 2021

  Only the phone number parameter was being validated.So an attacker could maliciously modify the country code…

• Remote Code Execution in SharePoint via Workflow Compilation [CVE-2021-26420]

  11 October 2021

  SharePoint Workflows are essentially a series of tasks to streamline a business process.With the clear potential for abuse there exist an authorizedTypes list that will both allow and block classes…

• Editing a User to Add Sensitive Scopes to a JWT

  11 October 2021

  Had a JWT, and noticed functionality to invite a user to a group and then change their privileges, these privileges were reflected in the JWT scopes.Though modification of this edit user request additional scopes that were not displayed could be added, such as the company:operations and company:support scopes…

• critical: Path traversal and file disclosure vulnerability in Apache HTTP Server 2.4.49

  11 October 2021

  Bit of a saga starting with a patch to Apache httpd earlier this year that introduced an old vulnerability back into the Apache when encountering

• GHSL-2021-124: Use After Free (UAF) in Chrome - CVE-2021-30528

  05 October 2021

  There is a use-after-free on Chrome for Android when fetching credit card details to autofill. This vulnerability does require the victim have credit card details saved by Chrome.

• Chrome in-the-wild bug analysis: CVE-2021-30632

  05 October 2021

  First a bit of background terminology as I understand it. Not being familiar with v8 there are likely some subtleties I am missing.

• XSS to RCE in the Opera Browser

  04 October 2021

  Root cause here is an XSS in the “My Flow” feature resulting in client-side code execution.