Here, we have a case of one function returning a pointer to a caller, but expecting to retain ownership over that pointer; the caller, thinking it has ownership, frees it; and by calling the same function multiple times the same pointer gets freed multiple times.
Not all SSRF vulnerabilities are equal, a common mitigation is to limit the locations that can be accessed; in the case of WebSphere Portal, this is exactly what was found, yet it could still be exploited.
Rocket.Chat will open links to the same domain within the main application window, with the abilitry to upload files an attacker can run Javascript and gain RCE (thanks to `nodeIntegration` being enabled).
Polygon places the blame for this bug on not checking that the `from` address in a transfer actually has the balance to cover the transfer in the first-place.While I don't doubt that as a core issue it feels like that may only be part of the issue, the other part being a lack of error checking, or perhaps improper error handling...
**tl;dr** There are two key issues with Flickr's use of AWS Cognito for their authentication, first, is that only the `sub` attribute is guaranteed to be unique and should be used to identify users, second is that the `access_token` provided can be used to modify user attributes. These issues can be chained to modify the `email` attribute (which is the attribute Flickr is using to identify accounts) and have one Cognito account map to another user's Flickr account.
Basic idea here is that you could mount unintended paths due to embeding null-bytes in acceptable mount and generally improper handling of null-bytes within a mount source.While Go does not provide any special handling for strings containing null bytes, the `send_mountsources` written in C just iterates over the provided message mounting every null-terminated substring and passes the resultant fds to the child...
This is straight forward, yet subtle bug, basically taking a reference to a file while it is actively being deleted leading to a use after free despite holding onto a reference.
This is a interesting primitive, an unsigned 32bit integer can mistakenly be kept unsigned after it is supposedly converted to a signed 64bit integer and passed in somewhere expecting a signed value.
There is an argument injection within the `ms-officemd` URI scheme (available by default on WIndows 10 and 11) used by MS Office applications to launch other Office apps. By targeting the MS Teams Electron application one could leverage the `--gpu-launcher` argument for arbitrary command injection without any hassle.
Server-Side Request Forgery (SSRF) in the AppSheet product, an acquisition by Google which is a "no-code" application generator.One feature is that a web-hook can be executed in respond to supported events...
If you log untrusted data using log4j...you might have an RCE.I wasn't able to find a good root cause of this bug but the issue itself is pretty readily understood...
Three vulnerabilities found in MediaTek's audio Digital Signal Processor (DSP) firmware.They first go into some background on the DSP (which runs on a custom architecture and is interfaced with via the `/dev/audio_ipi` driver)...
A surprisingly simple bug in a well-fuzzed cryptographic library from Mozilla leading to an easy stack overflow in RSA-PSS code (vulnerability exists elsewhere also).
Exploitation of the TIPC heap overflow bug based on a keylength being used in a `memcpy()` call before it was validated.Two objects are used in combination with the overflow to achieve code execution...
There are two things at play with this vulnerability, first is the Symfony has support for `trusted_headers` to indicate which headers the framework is okay to trust, and recently support for the `X-Forwarded-Prefix` header was added and could be used regardless of whether or not it was in `trusted_headers` list.This could create a situation where cache poisoning would be possible as a request could be treated differently on the application trusting an untrusted header...