Sreeram KL and I were able to chain a harmless CSRF and SSRF in HelloSign to leak Google Drive OAuth tokens of Dropbox users. We reported the issue to Dropbox. It was fixed, a bounty was paid, and you can read below for more details. SSRFOn the 1st of February…
I discovered multiple vulnerabilities in an open-source PHP application, Bolt CMS. Chaining them led to a single-click RCE. If you want to read about all the found vulnerabilities in detail, you can find the full advisory here and the exploit here. This article only focuses on the file upload bypass…
This article is about a CSRF, XSS bug chain that is then escalated to Remote Code Execution as an unauthenticated attacker, in Prestashop (unpatched as of 18/04/2020). When the admin opens a link, the chain gets executed and the server gets pwned. If you are interested in reading…
This article is about how a WordPress Editor can use unfiltered HTML and some social engineering to gain administrative access to the WordPress site and pwn the server. My first observation was that editors and administrators can add unfiltered HTML and JavaScript using the custom HTML block while creating a…
I, and probably you, first read about this vulnerability on the bleepingcomputer article or a Reddit post linking to that article. The article stated that all Linux kernels prior to 5.0.8 are vulnerable to RCE. So, is a huge part of the internet now vulnerable? I started looking…