12 CVEs, a few fundamental design issues, and some implementation issues. The implementation issues generally just removed some restrictions on abusing the design flaws, making them more practical...
Kind of a neat attack to track users across browsers. Potentially fairly loud for most users though...
Interesting post that covers a bit about the meta of bug-hunting in Source Engine games and some how-to information. There are two OOB read vulnerabilities used in the chain.
Two vulnerabilities. Firstly, the `SCM_RUN_FROM_PACKAGE` environment variable within the Azure Function container contained a “Shared Access Signature” (SAS) that was scoped for r/w...
The base issue is that when handling a file upload (two locations do this), the buffer is allocated based on Content-Length, but the memcpy is based on the actual payload length, creating a heap overflow.
Two-stage attack to fully take over a Facebook account.
**tl;dr** Cleverly crafting a packet with a large header+options length could cause a null dereference. The net buffer would be created with DataSize=uint16_t(length), but it would attempt to read with size=length (no truncation), which would result in an error case and a null return.
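The length mismatch in the tl;dr above, modelled as an added example (not code from the affected network stack or from the original write-up): creation truncates the length to 16 bits, the read uses the full value, and the accessor returns null. The `netbuf` type and all function names are hypothetical.

```c
#include <stdint.h>
#include <stdlib.h>

/* Hypothetical model of a network buffer; not the real stack's structure. */
typedef struct { uint16_t data_size; uint8_t *data; } netbuf;

/* Creation truncates the requested length to 16 bits, as the summary describes. */
static netbuf *netbuf_create(uint32_t length) {
    netbuf *nb = malloc(sizeof *nb);
    if (!nb) return NULL;
    nb->data_size = (uint16_t)length;
    nb->data = calloc(nb->data_size ? nb->data_size : 1, 1);
    if (!nb->data) { free(nb); return NULL; }
    return nb;
}

static void netbuf_free(netbuf *nb) { if (nb) { free(nb->data); free(nb); } }

/* Read accessor: error case (NULL) when asked for more than the buffer holds. */
static uint8_t *netbuf_get(netbuf *nb, uint32_t size) {
    return size <= nb->data_size ? nb->data : NULL;
}

/* Flawed pattern: the read size is the untruncated length. Returns 1 when the
 * pointer the caller would go on to dereference is NULL, 0 when it is valid. */
int flawed_read_is_null(uint32_t length) {
    netbuf *nb = netbuf_create(length);
    if (!nb) return -1;
    uint8_t *p = netbuf_get(nb, length);   /* size=length, no truncation */
    int is_null = (p == NULL);
    netbuf_free(nb);
    return is_null;
}

/* Hardened pattern: reject lengths that do not fit in 16 bits before any
 * allocation, and check the accessor's result before touching the data. */
int hardened_first_byte(uint32_t length, uint8_t *out) {
    if (length == 0 || length > UINT16_MAX) return -1;
    netbuf *nb = netbuf_create(length);
    if (!nb) return -1;
    uint8_t *p = netbuf_get(nb, length);
    int rc = -1;
    if (p) { *out = p[0]; rc = 0; }
    netbuf_free(nb);
    return rc;
}
```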