The article demonstrates a CORS bypass that exploits improper Origin header validation based on simple string matching. Because the server only checks whether the Origin value contains the legitimate domain, an attacker can register an origin such as "redact.com.attacker.com", pass the check, and issue credentialed cross-origin requests that read the victim's account data.
The researcher demonstrates how a subdomain takeover on impact.postmates.com (an unclaimed GitHub Pages binding) escalates to session cookie theft by leveraging document.domain relaxation on the parent domain postmates.com, enabling account takeover even though the subdomain itself was out of scope. The technique relies on the main domain explicitly setting document.domain: once it does, a compromised subdomain can set the same value and read the parent's sensitive cookies via JavaScript.
The writeup describes a reflected/stored XSS vulnerability in Ghost CMS's /ghost/api/v0.1/settings/ API endpoint affecting the logo, cover_image, ghost_head, and ghost_foot parameters. Although it requires authenticated admin/owner access, the vulnerability persists across multiple versions (1.24.9 through at least 2.2.0) and the injected payload executes on every page of the website.