One episode and several failed attempts to fix vulnerabilities, an interesting Rocket.Chat XSS and an exploitable TXT file abusing some weird features.
[00:00:46] nOtWASP bottom 10: vulnerabilities that make you cry
https://portswigger.net/research/notwasp-bottom-10-vulnerabilities-that-make-you-cry
[00:07:28] Click here for free TV! - Chaining bugs to takeover Wind Vision accounts
https://labs.f-secure.com/blog/wind-vision-writeup/
[00:15:28] Elevate Yourself to Admin in Umbraco CMS 8.9.0 (CVE-2020-29454)
https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/elevate-yourself-to-admin-in-umb-cms-890-cve-2020-29454/
[00:23:19] "netmask" npm package vulnerable to octal input data [CVE-2021-28918]
https://sick.codes/universal-netmask-npm-package-used-by-270000-projects-vulnerable-to-octal-input-data-server-side-request-forgery-remote-file-inclusion-local-file-inclusion-and-more-cve-2021-28918/
[00:28:38] [HackerOne] Jira integration plugin Leaked JWT
https://hackerone.com/reports/1103582
[00:33:20] [Kaspersky] A vulnerability in KAVKIS 2020 products family allows full disabling of protection
https://hackerone.com/reports/870615
[00:38:06] [Rocket.Chat] Account takeover via XSS
https://hackerone.com/reports/735638
[00:43:18] This man thought opening a TXT file is fine, he thought wrong. macOS [CVE-2019-8761]
https://www.paulosyibelo.com/2021/04/this-man-thought-opening-txt-file-is.html
[00:52:41] Who Contains the Containers?
https://googleprojectzero.blogspot.com/2021/04/who-contains-containers.html
[01:06:11] Getting Code Execution on Apache Druid [CVE-2021-25646]
https://www.thezdi.com/blog/2021/3/25/cve-2021-25646-getting-code-execution-on-apache-druid
[01:12:59] Security Analysis of AMD Predictive Store Forwarding
https://www.amd.com/system/files/documents/security-analysis-predictive-store-forwarding.pdf
[01:19:58] Pluralsight free for April
https://www.pluralsight.com/
[01:21:54] Pwn2Own 2021
https://www.zerodayinitiative.com/blog/2021/4/2/pwn2own-2021-schedule-and-live-results
Watch the DAY[0] podcast live on Twitch (@dayzerosec) every Monday afternoon at 12:00pm PST (3:00pm EST)
Or the video archive on Youtube (@dayzerosec)
![Day[0]](https://is1-ssl.mzstatic.com/image/thumb/Podcasts125/v4/a6/69/69/a6696919-3987-fbc0-8e0c-1ba0e1349a2b/mza_6631746544165345331.jpg/300x300bb-75.jpg)