JavaScript execution in the Administrator's authenticated origin on a marketplace package view plus one hover/click/focus, no install needed. Theft of the kernel API token (conf.api.token), which ...
The list below isn't meant to be exclusive, it's more so a collection of links that have helped me out along the way (and can hopefully help you). As you'll see, I've focused on JavaScript, React, and ...