Security Research

CMS, CRM and Forums

• [CVE-2021-27902, CVE-2021-27903]: CraftCMS Zero-day Chain: XSS to SSTI triggering RCE
  References:

  • https://nvd.nist.gov/vuln/detail/CVE-2021-27902
  • https://nvd.nist.gov/vuln/detail/CVE-2021-27903
  • https://eval.blog/research/craftcms-zero-day-ssti-xss-triggering-rce
  • https://github.com/craftcms/cms/commit/8ee85a8f03c143fa2420e7d6f311d95cae3b19ce
  • https://github.com/craftcms/cms/commit/c17728fa0bec11d3b82c34defe0930ed409aec38
• Relative Path Traversal in Flarum using fake OAuth Provider
  References:

  • https://huntr.com/bounties/1-flarum/core/
• XSS in Unified Transform (A school management software)
  References:

  • https://huntr.dev/bounties/2-other-changeweb/Unifiedtransform/
• Stored Cross Site Scripting in October CMS
  References:

  • https://huntr.dev/bounties/1-packagist-october/rain/
• Cross Site Scripting in digidocu
  References:

  • https://huntr.dev/bounties/2-other-digidocu/
• Internal IP Address leak in Misconfigured WordPress to bypass WAF

Compilers, Interpreters and Languages

• Breaking The Mutant Language's "Encryption (Writeup)"
  References:

  • https://twitter.com/AppSec_Village/status/1694786713007059008
  • https://github.com/0xcrypto/mutant-cure
• CVE-2021-21705: FILTER_VALIDATE_URL bypass in PHP 8
  References:

  • https://bugs.php.net/bug.php?id=81122
  • https://nvd.nist.gov/vuln/detail/CVE-2021-21705

Desktop Applications

• Code Execution via Cross Site Scripting in Tagspaces (A file manager)
  References:

  • https://huntr.dev/bounties/1-other-tagspaces/tagspaces/
  • https://huntr.dev/bounties/1-other-tagspaces/viewerText/

Frameworks

• active_url validation check bypass in Laravel
  References:

  • https://huntr.dev/bounties/2-laravel/framework/
  • https://github.com/laravel/framework/commit/c50087d457d3b2e2839f2e8b080f40832f4f7e46
  • https://github.com/laravel/framework/pull/37675
• POP Gadget using function injection in RequiredIf
  References:

  • https://huntr.dev/bounties/3-laravel/framework/
  • https://github.com/laravel/framework/pull/37688
  • https://github.com/laravel/framework/pull/37700
  • https://github.com/ambionics/phpggc/blob/c42dbd18538324c4337655651fe41ad54d081399/gadgetchains/Laravel/RCE/8/gadgets.php#L18

PHP Libraries

• CVE-2021-3603: Untrusted code execution in PHPMailer
  References:

  • https://nvd.nist.gov/vuln/detail/CVE-2021-3603
  • https://github.com/advisories/GHSA-77mr-wc79-m8j3
  • https://huntr.dev/bounties/1-PHPMailer/PHPMailer/

Web

• Stealing OAuth tokens of connected Microsoft accounts via open redirect in Harvest App
• Unrestricted access to any "connected pack" in docs in coda.io
  References:

  • https://hackerone.com/reports/777942
• Account Takeover on unverified emails in File Sync & Share in Acronis
  References:

  • https://hackerone.com/reports/906790
• Open Redirect in Flattr