HackerOne Disclosed Reports - 2025-07-29


Low
resolved

Bypass "No Links" Restriction in Biography via Protocol-Relative URL (//)


Bug reported by _dha was disclosed on July 29, 2025, 2:43 pm | Improper Input Validation

The report identifies a bypass of the "no links" restriction on the biography field of addons.allizom.org. Although the application's policy disallows links in biographies, it was possible to embed functional hyperlinks by using protocol-relative URLs (//evil.com). The bypass was achieved by including an <a> tag whose href was a protocol-relative URL, which the link filter did not recognise as a link, in violation of the declared application policy.


High
resolved

Mozilla VPN Clients: RCE via file write and path traversal


Bug reported by Rein Daelman was disclosed on July 29, 2025, 9:53 am | Path Traversal

The report describes a path traversal vulnerability in the Mozilla VPN client that allowed remote code execution. The vulnerability was in the "live_reload" command of the client's inspector feature, which is reachable when the client is in developer mode with "Use Staging Servers" enabled. The vulnerable code in the InspectorHotreloader::fetchAndAnnounce() function did not sanitize file paths when downloading remote files to a temporary folder, allowing an attacker to write arbitrary files to any location on the filesystem.

