source-code-analysis

3 articles
0 5/10

A bug bounty hunter discovered an information disclosure vulnerability in an enrollment portal where sensitive PII (last 4 SSN digits, account numbers, and verification answers) was exposed through missing rate limiting and HTML comments in the page source code, allowing account verification bypass.

Spazzy
medium.com · devanshbatham/Awesome-Bugbounty-Writeups · 19 hours ago
0 8/10

A detailed walkthrough of discovering a critical SQL injection vulnerability (CVE-2019-17602) in Zoho OpManager through white-box analysis by decompiling JAR files, analyzing web.xml servlet mappings, and tracing control flow to identify unsafe dynamic SQL query construction in the getAllMOs method. The vulnerability allows authenticated remote code execution via stacked queries and PostgreSQL UDF commands.

CVE-2019-17602 Zoho OpManager ManageEngine OpManager OPMDeviceDetailsServlet frycos PostgreSQL
medium.com · devanshbatham/Awesome-Bugbounty-Writeups · 19 hours ago
0 5/10

A reflected XSS vulnerability was discovered on photos.shopify.com where arbitrary parameters were reflected in img tags without sanitization, allowing execution of JavaScript payloads via the pid parameter and other hidden parameters.

Shopify photos.shopify.com pixieset.com Modam3r5
medium.com · devanshbatham/Awesome-Bugbounty-Writeups · 19 hours ago