Research
Writeups
Cloudflare-wide IP spoofing with Cloudflare Workers
Advisories
Drupal core file metadata disclosure (DRUPAL-SA-CORE-2020-011)
The Drupal core File module allowed an attacker to gain access to the file metadata of a permanent private file that they did not have access to.
Drupal core PHP code injection (DRUPAL-SA-CORE-2018-006)
The Drupal core Contextual Links module didn’t sufficiently validate the requested contextual links. This allowed a render array to be injected, enabling an attacker to execute arbitrary PHP code.
Tripal BLAST UI shell code injection (DRUPAL-SA-CONTRIB-2016-054)
The Tripal BLAST UI module didn’t sufficiently validate advanced options available to users submitting BLAST jobs, thereby exposing the ability to enter a short snippet of shell code that would execute when the BLAST job was run.