Reflected XSS vulnerability in Avast Desktop AntiVirus (and AVG) via unsanitized SSID name reflection in the Firewall's Network Notification feature popup, allowing attackers to execute arbitrary JavaScript through a malicious wireless network name. The vulnerability was discovered by connecting to a tethered hotspot whose SSID contained an XSS payload; it triggered when the notification popup displayed the network name without input filtering, and it earned a $5,000 bounty.
A developer's PostgreSQL instance running in Docker was publicly exposed with default credentials (postgres:postgres), allowing an automated attacker to delete the database and demand ransom. The root causes were Docker's default port binding behavior, missing firewall rules, and default credentials left unchanged.
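As an added example, not code from the original write-up: a small Python audit over `docker inspect` output that flags the two misconfigurations named above, a port published on every host interface (what `-p 5432:5432` does by default) and a default or weak POSTGRES_PASSWORD. The inspect JSON is a constructed sample and the function names are assumptions of this example.

```python
import json

# Constructed sample of `docker inspect` output (not a real capture): a Postgres
# container started with `-p 5432:5432` and the image's default credentials.
SAMPLE_INSPECT = json.dumps([{
    "Name": "/dev-db",
    "Config": {"Image": "postgres:16",
               "Env": ["POSTGRES_USER=postgres", "POSTGRES_PASSWORD=postgres"]},
    "NetworkSettings": {"Ports": {
        "5432/tcp": [{"HostIp": "0.0.0.0", "HostPort": "5432"},
                     {"HostIp": "::", "HostPort": "5432"}]}},
}])

# A HostIp of "", "0.0.0.0" or "::" means the port is reachable on every host
# interface. Docker writes its own iptables rules for published ports, so a host
# firewall such as ufw does not necessarily block them; bind to 127.0.0.1 instead.
ALL_INTERFACES = {"", "0.0.0.0", "::"}
WEAK_PASSWORDS = {"postgres", "password", "admin", "root", "123456"}


def audit_container(entry):
    """Return findings (list of strings) for one `docker inspect` entry."""
    findings = []
    name = entry.get("Name", "?").lstrip("/")
    ports = (entry.get("NetworkSettings") or {}).get("Ports") or {}
    for container_port, bindings in ports.items():
        for b in bindings or []:  # unpublished ports have a null binding list
            if b.get("HostIp", "") in ALL_INTERFACES:
                findings.append(f"{name}: {container_port} published on all "
                                f"interfaces ({b.get('HostIp') or '*'}:{b.get('HostPort')})")
    env = dict(v.split("=", 1) for v in (entry.get("Config") or {}).get("Env", [])
               if "=" in v)
    password = env.get("POSTGRES_PASSWORD")
    if password is None:
        findings.append(f"{name}: POSTGRES_PASSWORD is not set")
    elif password.lower() in WEAK_PASSWORDS:
        findings.append(f"{name}: POSTGRES_PASSWORD is a default/weak value")
    return findings


def audit_inspect_output(raw_json):
    """Run audit_container over every entry of `docker inspect` JSON output."""
    return [f for entry in json.loads(raw_json) for f in audit_container(entry)]


if __name__ == "__main__":
    # On a live host, feed in the output of: docker inspect $(docker ps -q)
    for finding in audit_inspect_output(SAMPLE_INSPECT):
        print(finding)
```

The corrected publish line for a local-only database is `-p 127.0.0.1:5432:5432` (or `"127.0.0.1:5432:5432"` under `ports:` in Compose), which the audit then passes.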