Yaniv Nizry
Tags
account take over
apache
arbitrary file read
arbitrary file write
ato
bypass
chain
code execution
content-type
csp
csrf
debugging
denial of service
deserialization
disputed
dompurify
dos
electron
file-upload
Fortinet
function
ghidra
html
httpd
improper validation
java
javascript
jenkins
lldb
log4j
log4j2
lpe
macos
moodle
mozilla
mxss
node
nodejs
npm
oauth
open redirect
osx
parser differential
path traversal
php
polyglot
prototype-pollution
python
rce
redos
rpc
sandbox
sop
spoofing
sqli
ssrf
unauth
unauthenticated
v8
webshell
wordpress
xss
account take over
Playing Dominos with Moodle's Security (2/2)
apache
Apache Dubbo Consumer Risks: The Road Not Taken
Apache httpd Stored XSS by design
Apache httpd XSS Using Multiple Extensions
Caught in the FortiNet: How Attackers Can Exploit FortiClient to Compromise Organizations (2/3)
arbitrary file read
Authenticated Arbitrary File Read in Mealie
Excessive Expansion: Uncovering Critical Security Vulnerabilities in Jenkins
arbitrary file write
Arbitrary File Write in Resume-Matcher
ato
Playing Dominos with Moodle's Security (2/2)
bypass
HtmlSanitizer vulnerable to Cross-site Scripting in Foreign Content
Masterminds/html5-php parser differential
Mutation Cross-Site Scripting in lxml
Mutation Cross-Site Scripting (mXSS) Vulnerabilities Discovered in Mozilla-Bleach
Mutation XSS in Mozilla-bleach using comments
Mutation XSS in Mozilla-bleach via noscript
Mutation XSS in Mozilla-bleach via svg or math
PHP HTML parser differential due to libxml2 lack of HTML5 support
Sanitize Client-Side: Why Server-Side HTML Sanitization is Doomed to Fail
Typo3 HTML Sanitizer By-passing via the noscript tag
Typo3 HTML Sanitizer By-passing via the processing instructions
mXSS: The Vulnerability Hiding in Your Code
chain
Caught in the FortiNet: How Attackers Can Exploit FortiClient to Compromise Organizations (2/3)
Caught in the FortiNet: How Attackers Can Exploit FortiClient to Compromise Organizations (1/3)
Caught in the FortiNet: How Attackers Can Exploit FortiClient to Compromise Organizations (3/3)
code execution
Spring Function Cloud DoS (CVE-2022-22979) and Unintended Function Invocation
content-type
Apache httpd Stored XSS by design
Apache httpd XSS Using Multiple Extensions
csp
Reply to calc: The Attack Chain to Compromise Mailspring
csrf
Basic HTTP Authentication Risk: Uncovering pyspider Vulnerabilities
CSRF in Elementor-Contact-Form-DB wordpress plugin
CSRF in ultimate-category-excluder wordpress plugin
Codiad CSRF in the plugin request
RCE via site-offline wordpress plugin
Vendure Cross Site Request Forgery vulnerability impacting all API requests
debugging
MacOS Binary Debugging
denial of service
Denial of Service in get-ip-range package
DoS in Spring Cloud Function
Spring Function Cloud DoS (CVE-2022-22979) and Unintended Function Invocation
deserialization
Apache Dubbo Consumer Risks: The Road Not Taken
CVE-2021-44832: Apache Log4j 2.17.0 Arbitrary Code Execution via JDBCAppender DataSource Element
Deserialization RCE attack in replicator
Deserialization attack via JDBC Appender in log4j
CVE-2021-33420: NPM Replicator Remote Code Execution Deserialization
disputed
Apache Dubbo Consumer Risks: The Road Not Taken
dompurify
DOMPurify 3.2.1 Bypass (Non-Default Config)
dos
Denial of Service in get-ip-range package
DoS in Spring Cloud Function
SSRF in Gradio
Spring Function Cloud DoS (CVE-2022-22979) and Unintended Function Invocation
electron
Caught in the FortiNet: How Attackers Can Exploit FortiClient to Compromise Organizations (1/3)
Reply to calc: The Attack Chain to Compromise Mailspring
file-upload
The Tainted Voyage: Uncovering Voyager's Vulnerabilities
Fortinet
Caught in the FortiNet: How Attackers Can Exploit FortiClient to Compromise Organizations (2/3)
Caught in the FortiNet: How Attackers Can Exploit FortiClient to Compromise Organizations (1/3)
Caught in the FortiNet: How Attackers Can Exploit FortiClient to Compromise Organizations (3/3)
function
Unintended function invocation in Spring Cloud Function
ghidra
MacOS Binary Debugging
html
Sanitize Client-Side: Why Server-Side HTML Sanitization is Doomed to Fail
mXSS: The Vulnerability Hiding in Your Code
httpd
Caught in the FortiNet: How Attackers Can Exploit FortiClient to Compromise Organizations (2/3)
improper validation
Hostname spoofing in urijs
Hostname spoofing in url-parse
java
Apache Dubbo Consumer Risks: The Road Not Taken
CVE-2021-44832: Apache Log4j 2.17.0 Arbitrary Code Execution via JDBCAppender DataSource Element
DoS in Spring Cloud Function
Deserialization attack via JDBC Appender in log4j
Excessive Expansion: Uncovering Critical Security Vulnerabilities in Jenkins
Spring Function Cloud DoS (CVE-2022-22979) and Unintended Function Invocation
Unintended function invocation in Spring Cloud Function
javascript
Command injection vulnerability in curl-ganteng
Denial of Service in get-ip-range package
Hostname spoofing in urijs
Hostname spoofing in url-parse
Remote code execution vulnerability in reqwest
Reintroduced ReDoS in debug
jenkins
Excessive Expansion: Uncovering Critical Security Vulnerabilities in Jenkins
lldb
MacOS Binary Debugging
log4j
CVE-2021-44832: Apache Log4j 2.17.0 Arbitrary Code Execution via JDBCAppender DataSource Element
Deserialization attack via JDBC Appender in log4j
log4j2
CVE-2021-44832: Apache Log4j 2.17.0 Arbitrary Code Execution via JDBCAppender DataSource Element
Deserialization attack via JDBC Appender in log4j
lpe
Caught in the FortiNet: How Attackers Can Exploit FortiClient to Compromise Organizations (3/3)
macos
Caught in the FortiNet: How Attackers Can Exploit FortiClient to Compromise Organizations (3/3)
MacOS Binary Debugging
moodle
Playing Dominos with Moodle's Security (2/2)
Playing Dominos with Moodle's Security (1/2)
mozilla
Mutation Cross-Site Scripting (mXSS) Vulnerabilities Discovered in Mozilla-Bleach
Mutation XSS in Mozilla-bleach using comments
Mutation XSS in Mozilla-bleach via noscript
Mutation XSS in Mozilla-bleach via svg or math
mxss
DOMPurify 3.2.1 Bypass (Non-Default Config)
HtmlSanitizer vulnerable to Cross-site Scripting in Foreign Content
Masterminds/html5-php parser differential
Mutation Cross-Site Scripting in lxml
Mutation Cross-Site Scripting (mXSS) Vulnerabilities Discovered in Mozilla-Bleach
Mutation XSS in Mozilla-bleach using comments
Mutation XSS in Mozilla-bleach via noscript
Mutation XSS in Mozilla-bleach via svg or math
PHP HTML parser differential due to libxml2 lack of HTML5 support
Reply to calc: The Attack Chain to Compromise Mailspring
Sanitize Client-Side: Why Server-Side HTML Sanitization is Doomed to Fail
Typo3 HTML Sanitizer By-passing via the noscript tag
mXSS: The Vulnerability Hiding in Your Code
node
Command injection vulnerability in curl-ganteng
Remote code execution vulnerability in reqwest
nodejs
Command injection vulnerability in curl-ganteng
Remote code execution vulnerability in reqwest
npm
Command injection vulnerability in curl-ganteng
Deserialization RCE attack in replicator
Hostname spoofing in urijs
Hostname spoofing in url-parse
CVE-2021-33420: NPM Replicator Remote Code Execution Deserialization
Prototype pollution in cloneextend
Prototype pollution in extend2
Remote code execution vulnerability in reqwest
Reintroduced ReDoS in debug
Vendure Cross Site Request Forgery vulnerability impacting all API requests
@vendure/admin-ui-plugin authenticated XSS
oauth
Playing Dominos with Moodle's Security (2/2)
open redirect
Open redirect in Jupyter server
osx
Caught in the FortiNet: How Attackers Can Exploit FortiClient to Compromise Organizations (3/3)
parser differential
Masterminds/html5-php parser differential
PHP HTML parser differential due to libxml2 lack of HTML5 support
path traversal
Pimcore: One click, two security vulnerabilities
php
Codiad CSRF in the plugin request
Codiad SSRF when installing a plugin
Pimcore: One click, two security vulnerabilities
Sanitize Client-Side: Why Server-Side HTML Sanitization is Doomed to Fail
Stored XSS via folder name in Codiad
polyglot
The Tainted Voyage: Uncovering Voyager's Vulnerabilities
prototype-pollution
Prototype pollution in cloneextend
Prototype pollution in extend2
python
Mutation Cross-Site Scripting in lxml
Mutation Cross-Site Scripting (mXSS) Vulnerabilities Discovered in Mozilla-Bleach
Mutation XSS in Mozilla-bleach using comments
Mutation XSS in Mozilla-bleach via noscript
Open redirect in Jupyter server
Mutation XSS in Mozilla-bleach via svg or math
rce
Apache Dubbo Consumer Risks: The Road Not Taken
Basic HTTP Authentication Risk: Uncovering pyspider Vulnerabilities
Codiad CSRF in the plugin request
Command injection vulnerability in curl-ganteng
Codiad SSRF when installing a plugin
Deserialization RCE attack in replicator
Excessive Expansion: Uncovering Critical Security Vulnerabilities in Jenkins
CVE-2021-33420: NPM Replicator Remote Code Execution Deserialization
Pimcore: One click, two security vulnerabilities
Playing Dominos with Moodle's Security (1/2)
Remote code execution vulnerability in reqwest
RCE via site-offline wordpress plugin
Reply to calc: The Attack Chain to Compromise Mailspring
Stored XSS via folder name in Codiad
The Tainted Voyage: Uncovering Voyager's Vulnerabilities
redos
Reintroduced ReDoS in debug
rpc
Apache Dubbo Consumer Risks: The Road Not Taken
sandbox
Reply to calc: The Attack Chain to Compromise Mailspring
sop
Reply to calc: The Attack Chain to Compromise Mailspring
spoofing
Hostname spoofing in urijs
Hostname spoofing in url-parse
sqli
Pimcore: One click, two security vulnerabilities
ssrf
Codiad SSRF when installing a plugin
SSRF in Gradio
unauth
Playing Dominos with Moodle's Security (1/2)
unauthenticated
Playing Dominos with Moodle's Security (1/2)
v8
Caught in the FortiNet: How Attackers Can Exploit FortiClient to Compromise Organizations (1/3)
webshell
Codiad CSRF in the plugin request
Codiad SSRF when installing a plugin
RCE via site-offline wordpress plugin
Stored XSS via folder name in Codiad
wordpress
CSRF in Elementor-Contact-Form-DB wordpress plugin
CSRF in ultimate-category-excluder wordpress plugin
RCE via site-offline wordpress plugin
xss
Apache httpd Stored XSS by design
Apache httpd XSS Using Multiple Extensions
Basic HTTP Authentication Risk: Uncovering pyspider Vulnerabilities
Caught in the FortiNet: How Attackers Can Exploit FortiClient to Compromise Organizations (2/3)
DOMPurify 3.2.1 Bypass (Non-Default Config)
HtmlSanitizer vulnerable to Cross-site Scripting in Foreign Content
Masterminds/html5-php parser differential
Mutation Cross-Site Scripting in lxml
Mutation Cross-Site Scripting (mXSS) Vulnerabilities Discovered in Mozilla-Bleach
Mutation XSS in Mozilla-bleach using comments
Mutation XSS in Mozilla-bleach via noscript
Mutation XSS in Mozilla-bleach via svg or math
PHP HTML parser differential due to libxml2 lack of HTML5 support
RCE via site-offline wordpress plugin
Sanitize Client-Side: Why Server-Side HTML Sanitization is Doomed to Fail
Stored XSS via folder name in Codiad
The Tainted Voyage: Uncovering Voyager's Vulnerabilities
Typo3 HTML Sanitizer By-passing via the noscript tag
Typo3 HTML Sanitizer By-passing via the processing instructions
@vendure/admin-ui-plugin authenticated XSS
mXSS: The Vulnerability Hiding in Your Code