A Jenkins instance was found vulnerable to RCE due to improper access control, allowing unauthenticated users to gain admin access via GitHub OAuth and execute arbitrary Groovy scripts. The vulnerability was discovered during subdomain enumeration and responsibly disclosed to the organization's CTO.
A researcher discovered an unauthenticated Apache Solr instance running on a Microsoft subdomain vulnerable to CVE-2019-17558, exploitable via velocity template injection to achieve RCE. The attack requires modifying the params.Resource.Loader.Enabled configuration and then sending a malicious velocity template payload.
A subdomain takeover vulnerability was discovered on Starbucks where an unclaimed CNAME pointing to a non-existent Azure Traffic Manager subdomain (s00149tmppcrpt.trafficmanager.net) could be hijacked by registering the Traffic Manager profile without domain ownership verification. The researcher was awarded a $2,000 bounty for this finding.