CVE-2021-28940 - MagpieRSS - XSS, SSRF, and RCE

This bug is an oldie, but one that is still about if you know where to look. It holds a special place in my heart as it was the first RCE I'd found on Synack; the fact it got rejected for being a duplicate doesn't matter!…

CVE-2024-23897 - Jenkins - Arbitrary File Read

Earlier this year CVE-2024-23897 was disclosed, but I think I may have missed it during the new year and changing jobs. It was only when doing some hunting on Synack and doing some high-level scanning that I found out about it, and when I had found it and tried…

CVE-2023-22515 - Confluence - Broken Access Control

Late last year this vulnerability led to the compromise of several on-premise installs of Atlassian Confluence. CVE-2023-22515 is scarily simple to exploit and is the result of certain requests sent to the server being trusted if they contained a certain header. With this it was then possible to re-run part…

Tales from the hunt: A "fun" SQL Injection without sqlmap

On the weekend, I came across an interesting SQL injection vulnerability whilst researching on a financing related website. I expected the website to have vulnerabilities, as I'd earlier found an IDOR that allowed for the read/write of contacts who'd receive emails across accounts, but I…

CVE-2021-21311 - Adminer - SSRF

If you've been around web application penetration testing, it's pretty likely you'll know or have heard about Adminer. Adminer is a very convenient and easy-to-use open-source database management tool; it allows an administrator to connect to the specified DBMS, run queries…

CVE-2024-20767 - Adobe ColdFusion - Improper Access Control

After seeing the recent CVE-2024-20767 relating to Improper Access Control in Adobe ColdFusion, I wanted to better understand how it worked. From my experiences on Synack, ColdFusion is still pretty out there in the wild and often quite out of date. I was unable to find too much information on…