Latest Article: CVE-2023-34235: Bypassing Filter Validation in Strapi <= v4.10.7

A story about Boegie19's sneaky bypass of Strapi's filter protections that were implemented to patch CVE-2023-22894. It was a great finding by Boegie19, so Strapi is in for another fun technical deep dive.


Vulnerabilities


Multiple Vulnerabilities in Cockpit CMS <= v2.5.2

Another juicy vulnerability disclosure about CSRF to RCE and XSS, plus a bonus IDOR finding in Cockpit CMS.


Multiple Critical Vulnerabilities in Strapi Versions <=4.7.1

Strapi had multiple critical vulnerabilities that could be chained together to gain Unauthenticated Remote Code Execution. This is my public disclosure of the vulnerabilities I found in Strapi, how they were patched and some nonsensical ramblings.


CVE-2023-26492: Server-Side Request Forgery Vulnerability in Directus <= 9.22.4

Double-check your IP block lists


6 Year Old SQL Injection Vulnerability in Knex.js

JavaScript objects and arrays that are inserted into a SQL query can cause funky things


Web Development

How to Create a Website and Inflict Scope Creep On Yourself Using Flask and Azure

A recap of how I fell into my own scope creep trap and accidentally created a CMS...
