regex-bypass

4 articles
0 7/10

A CORS misconfiguration vulnerability where the server's origin validation logic uses flawed regex/string matching that accepts malformed origin headers (e.g., 'private1com' instead of 'private.com'), allowing an attacker to register a lookalike domain and exfiltrate credentials and private information via a crafted CORS-enabled request.

Virus0X01 offensive hunterr
medium.com · devanshbatham/Awesome-Bugbounty-Writeups · 20 hours ago · details
0 8/10

Multiple DOM-based XSS vulnerabilities discovered in iframe buster implementations from major ad tech vendors (Adform, Eyeblaster, Adtech) due to weak regex and whitelist validation on user-controlled parameters, allowing attackers to inject arbitrary JavaScript on top-tier publisher sites.

Randy Westergren Adform Eyeblaster Adtech Google DoubleClick CNN Fandango Forbes
randywestergren.com · devanshbatham/Awesome-Bugbounty-Writeups · 20 hours ago · details
0 7/10

A persistent XSS vulnerability was discovered in AH.nl's avatar upload feature where user input was not properly sanitized, allowing attackers to inject malicious JavaScript that would execute for all site visitors viewing the attacker's profile. The exploit bypassed firewall filters using obfuscation techniques like 'onerroronerror==' and leveraged jQuery's getScript() to load external malicious code for cookie theft and phishing attacks.

AH.nl Albert Heijn Kookschrift Jonathan Bouman Burp Suite BeEF Project jQuery
medium.com · devanshbatham/Awesome-Bugbounty-Writeups · 20 hours ago · details
0 7/10

An XSS vulnerability on Flickr's mobile site (m.flickr.com) was exploited by bypassing a regex-based URL validation check that failed to anchor to the start of the string, allowing an attacker to inject external URLs containing 'm.flickr.com' which were then loaded via CORS and executed as JavaScript through innerHTML.

Flickr m.flickr.com Jack (author)
whitton.io · devanshbatham/Awesome-Bugbounty-Writeups · 20 hours ago · details