Kernel bug in KCodes' NetUSB kernel module, which is used by various network device vendors for routers and such. The vulnerability is in the `dispatchNormalEPMsgOut()` handler for an unlabelled command of `0x805f`...
Integer underflow in `fs_context.c`'s `legacy_parse_param()` function, which was introduced in v5.1. When bounds checking the provided options length, they compare it with `system page size - 2 - context data size`...
The issue here is relatively simple despite the technical depth the authors go into on the crypto and how it's used. AES-128 keys are used to encrypt challenge codes for the authentication flow between NFC tags and the alarm system, but the way these AES-128 keys are generated is naive and insecure...
While the hostnames were being validated for this vulnerability, injecting a `@` into the path argument was sufficient to mislead the final URL parser, and the code actually making the HTTP request, into going to an unapproved domain: the parser is tricked into treating the path as the host and everything before the `@` as just credentials.
The gist of this is that an attacker can use their own Time-based One-Time Password (TOTP) code on another user's account.
Combination of a local file inclusion bug and a file write bug. Firstly, the `user/loader.php` and `/user/index.php` pages had some interesting code that would take a `scripts` GET parameter to construct an include path in PHP...
The initial vulnerability here is an unbounded `sscanf` into a stack variable. In terms of discovery, just checking those format strings for unbounded string reads will find plenty of bugs out there in the world...
The basic idea is that the identifier pulled out of a message can point to a different handler between the initial check that redirects the message to the proper "sequence" and that sequence finding the proper endpoint/handler for it.
An integer overflow in Adobe Reader's parsing of gesture coordinates.
The logout endpoint provided by the Shibboleth plugin for an Identity Provider to log a user out of services had an odd way of finding the right sessions to destroy, which led to the request originator being logged into another seemingly random account.