login-csrf

2 articles
0 8/10

A combination of login CSRF and HTTP Referer header-based open redirect in Airbnb's OAuth flow allowed attackers to steal OAuth access tokens from identity providers (Facebook/Google) and achieve authentication bypass on both web and mobile applications. The attack exploited the fact that Airbnb's /oauth_callback endpoint used the unvalidated HTTP Referer header for post-login redirection, combined with the ability to request access tokens via URL fragments instead of parameters.

Airbnb Arne Swinnen Facebook Google Slack Frans Rosén
arneswinnen.net · devanshbatham/Awesome-Bugbounty-Writeups · 20 hours ago · details
0 8/10

A technique to escalate self-XSS in Moodle into full XSS against arbitrary users by exploiting double session cookies with different paths combined with login CSRF or impersonation functionality, allowing arbitrary JavaScript execution in victim context for full account compromise.

Moodle Daniel Thatcher Chrome Firefox BurpSuite PHP
medium.com · devanshbatham/Awesome-Bugbounty-Writeups · 20 hours ago · details