Vulnerabilities tagged "vuln"

Don't trust comments

Really straight forward bug, `NimForums` uses the rather feature-full Restructured Text (RST) format for its user-generated content, which has an `include` directive that can be used to include local files. What is atleast slightly interesting here is that the code authors seemed aware of the potential vulnerabilities and included a couple comments in relevant code:
 

[Omise] XSS via X-Forwarded-Host header

Exactly as the title puts it, cross-site scripting through content injected from the `X-Forwarded-Host` header. Its interesting that this one was paid out as without some other issue like cache poisoning it would be impossible as far I am aware to exploit this as you cannot control the headers of a random user's requests.
 

Disclosing updates on Microsoft's Vulnerability Reports

Just send an email pretending to be part of another report and the system will make you part of it.Its really that simple, sending an email using your the email associated with your Researcher portal account with the subject `VULN-`will get that email added to the report and be copied on future updates...
 

Bypassing Little Snitch Firewall with Empty TCP Packets

Little Snitch might block connections to some IPs, but only if they send data. Just opening the connection but not sending data is a fun way to get around the blacklist, and while significantly slower, one can still exfiltrate information using only a data-less connection.
 

Authentication Bypass on Zoho ManageEngine Desktop Central

This is almost an intended feature, basically if an attacker can craft a their own State cookie, they can trick the `StateFilter` into reading the `forwardPath` and forwarding their request to another servlet directly. The interesting side-effect here is that the redirect will bypass any other filters left in the chain and go directly to the other servlet.
 

Zooming in on Zero-click Exploits

Two vulnerabilities in Zoom, a buffer overflow that affected Multi-Media Routers (MMR) servers and client, and an infoleak that only affected MMR servers. Both issues were found in various `load_from()` methods for serialization classes used in Real-time Transport Protocol (RTP) for audio/video content.
 

XNU kernel use-after-free in mach_msg

Use-after-free in the `ipc_port` subsystem of XNU, specifically the `ipc_port_copy_send()` function.This function would try to copy and send data on an IPC port, and attempts to account for a bunch of edge-cases on the state of the port...