A use-after-free in `AddIceCandidate()` for adding Interactive Connection Establishment candidates when starting a WebRTC session. The problem is, it's possible to set up a `Promise` that can call `setLocalDescription()`, which will mark part of the local description memory for collection by the garbage collector...
Three vulnerabilities in Qualcomm's Neural Processing Unit (NPU) driver. Specifically the article focuses on Samsung devices, as, for whatever reason, the NPU device is accessible to untrusted users where it isn't on most other devices.
Root issue is that WebKit violates the specification for Content-Security-Policy (CSP) violation reports, leaking the destination of a violating redirect rather than the origin in the `documentURI` field of the report.
Multiple bugs within the Microsoft RDP Client (Server being the attacker) found through fuzzing. None covered at this time are very impactful, but there is some background on Virtual Channels within RDP and experience getting a fuzzing environment set up that might be of value.
Leaving out many of the specifics about how Azure Sphere devices work. Under normal circumstances it appears that you should neither be able to downgrade a device's firmware, nor install any firmware without providing the Microsoft-signed manifest beforehand...
Out of bounds access in the `GPIO_SET_PIN_CONFIG_IOCTL` leading to information disclosure. When parsing the `lineoffsets` field from the `gpiopin_request` object, there's no bounds checking on it before it's used as an index into an array of descriptions to get a `desc` pointer...
Even if a Shopify blog was private and required a password, the post titles and a preview of the content would still be published in the globally accessible Atom feed.
Stark Bank maintains two libraries named "starkbank-ecdsa", one for Python and one for Node, which insecurely implement the ECDSA signature verification method. The issue stems from two problems:
Great little bug taking advantage of the ability to manage GSuite users directly from within `domains.google.com`, which trusted the GSuite organization name and ID from the user request. By swapping out the organization's domain and id (does require knowing the target organization's numeric id) in the requests that `domains.google.com` makes when adding a new user, the user will be added to the target domain rather than to the one you actually own.
A relatively trivial heap overflow in the Transparent Inter-Process Communication (TIPC) module of the kernel. The `crypto_key_rcv` function in the driver takes a received packet and parses it for key data...
Multiple vulnerabilities in the Trusted Application `tzdemuxerservice` used by Samsung Smart TVs; five of the six issues have the same root cause. When a "normal world" application is calling into the "trusted execution environment" (TEE), the parameters can be passed either by value or by reference...
Gerbv uses a fixed size array to store `gerbv_aperture_t` structures, but it is indexed by an unrestricted integer, providing an out-of-bounds read and write. The array is indexed through the attacker controlled value `tool_num`; while that value is checked against the MIN and MAX values for the array, an out-of-bounds value only results in an error message rather than stopping the access.
Heap overflow in the AMD GPU driver's debugfs write handler for display port test patterns. The driver allocates a 100 byte write buffer to copy data into, but uses the debugfs handler's size parameter for the actual copy...
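To make the copy-length bug above concrete, here is an added user-space stand-in for such a handler (example code, not the AMD driver's own): `debugfs_write_hardened` bounds the copy by the 100-byte buffer and rejects oversized writes, and `overflow_bytes` computes how far the unchecked pattern (copying `size` bytes plus a terminator) would run past the buffer. The buffer size and the `-1` return for a rejected write are assumptions chosen to mirror the description.

```c
#include <stdio.h>
#include <string.h>
#include <sys/types.h>   /* ssize_t */

/* Assumed: the handler's fixed scratch buffer, 100 bytes as described above. */
#define WR_BUF_SIZE 100

/* Hardened form: the copy length is limited by the destination buffer,
 * not by the caller-supplied size. Returns bytes consumed, or -1 when the
 * write does not fit (in-kernel this would typically be -EINVAL).
 * `user_buf` stands in for the data copied from user space. */
ssize_t debugfs_write_hardened(const char *user_buf, size_t size)
{
    char wr_buf[WR_BUF_SIZE];

    /* Reserve one byte for the NUL terminator that follows the copy. */
    if (size >= sizeof(wr_buf))
        return -1;

    memcpy(wr_buf, user_buf, size);
    wr_buf[size] = '\0';

    /* A real handler would parse the test-pattern command from wr_buf here. */
    return (ssize_t)size;
}

/* For the unchecked pattern (memcpy of `size` bytes followed by a NUL at
 * wr_buf[size]), how many bytes land past the end of the 100-byte buffer.
 * 0 means the request fits; this only computes the overrun, it never performs it. */
size_t overflow_bytes(size_t size)
{
    return size + 1 > WR_BUF_SIZE ? size + 1 - WR_BUF_SIZE : 0;
}

int main(void)
{
    /* Constructed inputs: a small command and an oversized write. */
    char big[4096];
    memset(big, 'A', sizeof(big));

    printf("small write consumed: %zd bytes\n", debugfs_write_hardened("set 1", 5));
    printf("oversized write result: %zd\n", debugfs_write_hardened(big, sizeof(big)));
    printf("unchecked overrun for 4096 bytes: %zu bytes\n", overflow_bytes(sizeof(big)));
    return 0;
}
```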
StreamLabs would normally only redirect to a set of whitelisted domains approved to receive the `access_token`. The author here put some effort into discovering what domains were approved, and found `http://dragynslair.live` was whitelisted, but no longer registered...