Posts
XWiki Platform RCE via gadget titles in the dashboard (CVE-2021-32621)
It all started with the finding that users with SCRIPT right can access the application server instance manager and create arbitrary Java objects through the $request binding. I tried other fields where a similar Server-Side Template Injection payload could work and found one more.
Unauthorized access to Code With Me traffic (CVE-2021-25755)
In this post I am going to share some details about the Code With Me traffic interception vulnerability CVE-2021-25755. Code With Me is a new collaborative development and pair programming service from JetBrains that provides such an experience just one click away.