Obviously they sure know that's not true - but A$ just doesn't do things right.
SSRF abusing CORS proxy, great.
"Firefox for Android" only - maybe it's intent-related?
(Context: Scratch Desktop was renamed to "Scratch" or Scratch app in early October 2020, just before the RCE vulnerability was reported.)
Hmm, CVE-2021-29944 was also discovered by the same person. 29944 is prevented by CSP (so I hope that UXSS is not abusing CSP-bypass?)
#Firefox 88.0.1 fixing UXSS reported by Wladimir Palant, who is known for reporting several UXSS issues to other browser extension users. "Android only" is kinda sus.
Imagine that your CVE entry gets rejected because the description is too specific and GitHub deletes the file in CVEProject/cvelist repo.
And now everyone becomes Microsoft. My vulnerability is "Scratch SVG Renderer Cross-site Scripting Vulnerability". No one can mention that it is a critical RCE issue, and is triggered by opening sb2 files.
GitHub is going to require repositories that include Proof-of-Concept of vulnerabilities to have SECURITY.md file.
It still doesn't require other big repositories to have SECURITY.md.
That file is used by researchers to notify them of a vulnerability. Not by the police, to charge members of red team.
This week in #Minecraft (21w17a):
- Mojang made "entities destroyed" S2C packet singular.
- New setters that have validations. Yes, in any program, reachable assertions are fixed by removing the assertion, not by fixing the root cause.
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-31815 is the one that is hard to triage using classical CVSS. It's basically a backdoor that only certain people can use. For those people it's a 7.5, but for those who aren't, it's not exploitable.
Perhaps AC and PR both set to High could explain the issue; CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:N/A:N
Very long post on XSS
- CWE-434 for ability to upload HTML file
- CWE-830 for ability to load unknown JS file from URL
- CWE-427 for dependency confusion, 404 URL hijacking, etc
- CWE-444 for HTTP request smuggling
- and more!
Very long post on XSS
- CWE-74/CWE-77 for template injection, as traditional methods won't apply to those
- CWE-113 for header injection
- CWE-436 for sanitizer bypass (ones that don't interpret how they should.)
- CWE-182 for mXSS (i.e. sanitizer makes safe input dangerous)
- CWE-653 for missing contextIsolation in Electron app
- CWE-358 for browser CSP bypass
- CWE-357 for missing selfXSS protection
- CWE-346, or more specifically CWE-940 (onmessage) or CWE-941 (postMessage) for XSS based on these
- CWE-494 for script tag w/o integrity check
- CWE-300 for script loaded via HTTP
- CWE-470 for constructor.constructor sandbox escape
- CWE-1321 (my CWE!) for prototype pollution
- CWE-843 for querystring array confusion
Coding Scratch and other stuff. Political opinions, cybersecurity stuff, minecraft.