Ayoub ELMOKHTARSenior Offensive Security Engineer — vulnerability research and security writeups.https://ayoubmokhtar.com/CVE-2024-34716 – The Deceptive PNG Trap: Breaking Down the PNG-Driven Chain from XSS to Remote Code Execution on PrestaShop (<=8.1.5)https://ayoubmokhtar.com/post/png_driven_chain_xss_to_remote_code_execution_prestashop_8.1.5_cve-2024-34716/https://ayoubmokhtar.com/post/png_driven_chain_xss_to_remote_code_execution_prestashop_8.1.5_cve-2024-34716/A chained XSS-to-RCE vulnerability in PrestaShop (<=8.1.5) exploiting improper file handling to achieve remote code execution via a malicious PNG attachment.Fri, 12 Apr 2024 00:00:00 GMTCVE-2024-3116 – Remote Code Execution Vulnerability in pgAdmin - PostgreSQL Tools (<=8.4): Detailed Analysis Reporthttps://ayoubmokhtar.com/post/remote_code_execution_pgadmin_8.4-cve-2024-3116/https://ayoubmokhtar.com/post/remote_code_execution_pgadmin_8.4-cve-2024-3116/A critical RCE vulnerability in pgAdmin (<=8.4) caused by inadequate validation of file paths, enabling unauthorized code execution on Windows platforms.Sun, 31 Mar 2024 00:00:00 GMTCVE-2020-9915 – Failure to properly process form-action 'self' leads to CSP bypass in Safarihttps://ayoubmokhtar.com/post/csp-bypass-cve-2020-9915/https://ayoubmokhtar.com/post/csp-bypass-cve-2020-9915/Safari failed to enforce the CSP form-action 'self' directive, allowing CSRF token exfiltration to attacker-controlled servers.Sat, 18 Sep 2021 00:00:00 GMTI could've deleted all SMC messages using Brute Force Technique – PayPalhttps://ayoubmokhtar.com/post/paypal-bbp-i-couldve-deleted-all-smc-messages-using-brute-force-technique/https://ayoubmokhtar.com/post/paypal-bbp-i-couldve-deleted-all-smc-messages-using-brute-force-technique/A CSRF vulnerability in PayPal's Message Center allowed brute-forcing message IDs to delete all messages in a victim's inbox without their knowledge.Mon, 23 Apr 2018 00:00:00 GMT