A researcher discovered a four-request CSRF chain in a user management system's CSV import feature. None of the four endpoints in the flow (file upload, job view, verification and submission) required a CSRF token, so an attacker holding no credentials on the target could drive a logged-in user's browser through the whole import with a malicious CSV file, taking over an account and escalating to system admin privileges. The attack also relied on timing delays between the import steps.
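A toy model of that multi-step flow, written for this page rather than taken from the writeup or the affected product. The endpoint names, the single "pending job" per session and the CSV layout are all assumptions; the point it shows is that the forged chain only needs each step to accept a cookie-authenticated request without a token, and that a per-session token checked on every step stops it at the first request.

```python
import csv
import hmac
import io
import secrets

STEPS = ("upload", "view", "verify", "submit")


class Session:
    """Server-side session of a logged-in admin (selected by cookie in a real app)."""

    def __init__(self, user):
        self.user = user
        self.csrf_token = secrets.token_urlsafe(32)  # per-session anti-CSRF token
        self.pending = None  # the one import job in progress: {"rows": [...], "verified": bool}


class ImportApp:
    """Toy four-step user import (assumed layout, not the real system).
    `protected_steps` names the endpoints that demand a valid CSRF token."""

    def __init__(self, protected_steps=frozenset(STEPS)):
        self.protected_steps = frozenset(protected_steps)
        self.accounts = {}  # username -> role, populated on submit

    def _csrf_ok(self, step, session, form):
        if step not in self.protected_steps:
            return True
        # Constant-time compare of the submitted token with the session's own.
        return hmac.compare_digest(form.get("csrf_token", ""), session.csrf_token)

    @staticmethod
    def _reject(step):
        return {"ok": False, "step": step, "error": "missing or invalid CSRF token"}

    def upload(self, session, form, csv_text):
        if not self._csrf_ok("upload", session, form):
            return self._reject("upload")
        rows = [(r["username"], r["role"]) for r in csv.DictReader(io.StringIO(csv_text))]
        session.pending = {"rows": rows, "verified": False}
        return {"ok": True, "rows": len(rows)}

    def view(self, session, form, csv_text=None):
        if not self._csrf_ok("view", session, form):
            return self._reject("view")
        return {"ok": True, "rows": session.pending["rows"] if session.pending else []}

    def verify(self, session, form, csv_text=None):
        if not self._csrf_ok("verify", session, form):
            return self._reject("verify")
        if session.pending is None:
            return {"ok": False, "step": "verify", "error": "no pending job"}
        session.pending["verified"] = True
        return {"ok": True}

    def submit(self, session, form, csv_text=None):
        if not self._csrf_ok("submit", session, form):
            return self._reject("submit")
        if not (session.pending and session.pending["verified"]):
            return {"ok": False, "step": "submit", "error": "job not verified"}
        created = dict(session.pending["rows"])
        self.accounts.update(created)
        session.pending = None
        return {"ok": True, "created": created}


def forged_import(app, victim, csv_text, token=None):
    """Fire the four requests in order, as an attacker page would: the victim's
    cookie rides along, so `victim` is the session acted on, but a cross-site
    page cannot read responses or the victim's token, so each step works on the
    session's pending job and `form` carries no token unless `token` is given
    (which models a legitimate same-origin client)."""
    form = {"csrf_token": token} if token else {}
    result = None
    for step in STEPS:
        result = getattr(app, step)(victim, form, csv_text)
        if not result["ok"]:
            break  # a rejected step aborts the whole chain
    return result


# Constructed attacker CSV: a single row granting the attacker a system admin account.
MALICIOUS_CSV = "username,role\neve,system_admin\n"

if __name__ == "__main__":
    print(forged_import(ImportApp(protected_steps=()), Session("alice"), MALICIOUS_CSV))
    print(forged_import(ImportApp(), Session("alice"), MALICIOUS_CSV))
```

With no protected steps the chain ends with `eve` holding `system_admin`; protecting only the final submit still breaks the chain, but only because the attacker cannot skip that step, so the safe configuration is a token check on every state-changing endpoint (plus `SameSite` cookies as a second layer).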
A researcher chained an AngularJS template injection that on its own was only a self-XSS with a misconfigured OAuth integration that did not check that the state parameter was present. Without that check the OAuth callback could be forged, letting the researcher connect an attacker-controlled Dropbox account to victims' accounts and import files from it carrying the template-injection payload, which turned the self-XSS into stored XSS in the victims' sessions.
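The OAuth side of that chain, as an added example that is not code from the writeup or from the affected application. The provider, the callback URL and the session layout are assumptions; the "lax" callback reproduces the described bug by comparing `state` only when the parameter is present, so an attacker who strips it from their own redirect URL can have the victim's browser finish the flow and link the attacker's provider account.

```python
import hmac
import secrets
from urllib.parse import parse_qs, urlencode

REDIRECT_URI = "https://app.example/oauth/callback"  # assumed callback URL


class Provider:
    """Stand-in for the third-party authorization server (Dropbox in the writeup)."""

    def __init__(self):
        self.codes = {}  # authorization code -> provider account it was issued for

    def authorize(self, provider_account, state=None):
        """User consents; the provider redirects back with a code (and state, if given)."""
        code = secrets.token_urlsafe(16)
        self.codes[code] = provider_account
        params = {"code": code}
        if state is not None:
            params["state"] = state
        return REDIRECT_URI + "?" + urlencode(params)

    def exchange(self, code):
        """Token endpoint, reduced to returning the account the code belongs to."""
        return self.codes.pop(code)


class App:
    """The client application. In strict mode the callback insists on a state
    value matching the one stored when the flow began; in lax mode it only
    compares state when the parameter happens to be present."""

    def __init__(self, provider, strict=True):
        self.provider = provider
        self.strict = strict
        self.links = {}  # app user -> linked provider account

    def start_connect(self, session):
        state = secrets.token_urlsafe(32)
        session["oauth_state"] = state  # bound to this browser session
        return state  # the app places this in the authorization URL

    def callback(self, session, query_string):
        q = parse_qs(query_string)
        expected = session.pop("oauth_state", None)
        got = q.get("state", [None])[0]
        if self.strict or got is not None:
            if expected is None or got is None or not hmac.compare_digest(got, expected):
                return {"ok": False, "error": "state missing or mismatched"}
        account = self.provider.exchange(q["code"][0])
        self.links[session["user"]] = account
        return {"ok": True, "linked": account}


def strip_state(query_string):
    """Attacker drops the state parameter before handing the URL to the victim."""
    q = parse_qs(query_string)
    return urlencode({"code": q["code"][0]})


def link_attack(strict):
    """Attacker completes the consent step with their own provider account, keeps
    the redirect URL instead of following it, and lures the victim into loading
    it so the callback runs in the victim's session."""
    provider = Provider()
    app = App(provider, strict=strict)
    attacker, victim = {"user": "mallory"}, {"user": "alice"}
    state = app.start_connect(attacker)
    url = provider.authorize("mallory-dropbox", state)
    query = strip_state(url.split("?", 1)[1])
    return app.callback(victim, query)


def legitimate_link(strict):
    """The honest flow: the same browser session starts and finishes the connection."""
    provider = Provider()
    app = App(provider, strict=strict)
    alice = {"user": "alice"}
    state = app.start_connect(alice)
    url = provider.authorize("alice-dropbox", state)
    return app.callback(alice, url.split("?", 1)[1])


if __name__ == "__main__":
    print(link_attack(strict=False))  # victim's account now linked to mallory-dropbox
    print(link_attack(strict=True))
    print(legitimate_link(strict=True))
```

The strict callback rejects the forged request because the victim's session never started a flow, so there is nothing for the absent `state` to match; the honest flow still succeeds because the value generated in `start_connect` comes back in the same session. Treating a missing `state` as a failure, not as "nothing to check", is the whole fix.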