A path traversal type issue in Kardex MLOG due to not properly handling windows path separators.The service's `GetFile`handler would check for an `/api` and `/image` slug, and if neither were present it would fall back on trying to construct a filename...
A small bug in processing/validating the entries in the Merkel tree resulting in the theft of 2 million BNB ($586 Million USD at time of the original theft).
Simple enough vulnerable, a POST parameter was directly unserialized, which would often be pretty damning, but vBulletin apparently had put in some effort to make it hard to exploit.
A bit of research on leaking access tokens from OAuth2/OIDC flows, in all cases you already need a cross-site scripting vulnerability to exist on the host recieving the callback, it does present an interesting case of escalating two often unimportant issues, a self-XSS and a Login CSRF, into an account takeover though.
The last time we covered a "how to exploit a null-deref in the modern era" post we were...disappointed (and potentially attacked by North Korea but that's another story), this one is legit. Rather than focusing on the null-deref as the core memory corruption though, it abuses the handling of the null-dereference with a kernel oops and the side-effects of the oops to overflow a reference count.
A cool bug that can inject a new user with controlled SSH key into a compute instance and the request doing this can be reached via a GET request with no anti-CSRF token.
A trivial out of bounds access in the iPod nano 3rd-5th generation's USB stack in the bootROM.The `USB::HandlePendingSetup()` handler for SETUP packets would accept a request and dispatch it to different sub-handlers based on the `bmRequestType`...
Some funny vulns in an undisclosed forum's "teams" feature where users could create their own teams and request to join others as different roles.Users could request to join a team as any non-admin role, and a team admin could accept the request...
**tl;dr** Android Parcels have their own memory pool rather than being free'd all the way back to the general Java memory pool. This custom memory management, combined with a bug resulting in a dangling reference in a Parcel to an older version of the parcel creates a "use-after-free" like situation
A post by project zero on a vuln in a new library used for DER entitlements.Entitlements are Apple's fine-grained permission system and essentially define what capabilities an app or service has...
A fairly complex exploit of a use-after-free in netfilter.The vuln is detailed more in other posts linked off by exodus, but effectively the bug is a lifetime issue with netfilter sets that don't have the `NFT_EXPR_STATEFUL` flag set but contain a reference to another set (such as `lookup` and `dynset` expressions)...
An out-of-bounds read/write in FreeBSD's bhyve hypervisor.The vulnerability here is in the E82545 gigabit ethernet controller's emulator, specifically `e82545_transmit()`...
A total of either issues impacting various companies in the automotive industry, mix of issues from simple SQL injection to some interesting Single Sign On (SSO) implementation decisions.