Vulnerabilities (Page 43)

Windows 10 RCE: The exploit is in the link

There is an argument injection within the ms-officemd URI scheme (available by default on WIndows 10 and 11) used by MS Office applications to launch other Office apps. By targeting the MS Teams Electron application one could leverage the --gpu-launcher argument for arbitrary command injection without any hassle.

 

SSRF vulnerability in AppSheet - Google VRP

Server-Side Request Forgery (SSRF) in the AppSheet product, an acquisition by Google which is a “no-code” application generator.One feature is that a web-hook can be executed in respond to supported events…

 

Apache Log4j2 jndi RCE

If you log untrusted data using log4j…you might have an RCE.I wasn’t able to find a good root cause of this bug but the issue itself is pretty readily understood…

 

[Symfony] Webcache Poisoning via X-Forwarded-Prefix and sub-request

There are two things at play with this vulnerability, first is the Symfony has support for trusted_headers to indicate which headers the framework is okay to trust, and recently support for the X-Forwarded-Prefix header was added and could be used regardless of whether or not it was in trusted_headers list.This could create a situation where cache poisoning would be possible as a request could be treated differently on the application trusting an untrusted header…

 

[Glassdoor] CSS injection via link tag whitelisted-domain bypass

Fairly weak vulnerability to have, the URL of a remote stylesheet has minimal domain validation on it that was easily bypassed allowing an attacker to load their own stylesheets. It is a bit of a fun issue to have however as this can allow exfiltrating page content and potentially sensitive information like CSRF tokens and use it for a more complicated attack.