It is possible to bypass macOS's System Integrity Protection (SIP) through the `system_installd` daemon. This daemon holds the `com.apple.rootless.install.heritable` entitlement, which means that any child process it spawns inherits its ability to bypass SIP's filesystem restrictions.
The Chrome New Tab Page was vulnerable to a stored cross-site scripting attack in the search suggestion box.
Always a fun class of issue to see: the root cause is that a user-mode callback invoked during a `ResetDC` (Reset Device Context) call can unexpectedly tamper with device-context data that the kernel assumes will remain stable for the duration of the operation.
A privilege escalation to root in PHP-FPM, starting from a worker process in which the attacker already has arbitrary memory read/write and has escaped the PHP sandbox.
Android's NFC stack uses structures called `TCB`s (assumed to stand for "task control blocks") to track tasks that come from the NFC controller. The NFC specification supports a variety of formats for different types of NFC tags, and this tag type has to be tracked in the control block...
When purchasing coins for Reddit on Android, the app calls a `/verify_purchase` endpoint that is vulnerable to a race condition. The idea is that this endpoint, given some of the transaction information, validates it and grants the coins to the purchaser; however, there is a problem when it handles multiple concurrent requests for the same transaction...
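The check-then-credit race described above, as an added example in Ruby that is not Reddit's code: an in-memory ledger with a racy `verify_purchase` next to one that makes the duplicate check atomic. The class and method names, the 10 ms sleep (standing in for the receipt-validation round trip) and the sample user and transaction id are all constructed for illustration.

```ruby
# Added example: models the /verify_purchase race with an in-memory ledger.
# Not Reddit's code; class and method names are constructed for illustration.

class CoinLedger
  attr_reader :balances

  def initialize
    @credited = {}            # transaction id => true once coins were granted
    @balances = Hash.new(0)   # user => coin balance
    @lock = Mutex.new
  end

  # Vulnerable: "already credited?" and "mark as credited" are separate steps.
  # Concurrent requests carrying the same transaction all pass the check
  # before any of them records the credit, so every one of them grants coins.
  def verify_purchase_racy(user, txn_id, coins)
    return :already_credited if @credited[txn_id]
    sleep 0.01                # stands in for validating the receipt upstream
    @credited[txn_id] = true
    @balances[user] += coins
    :credited
  end

  # Fixed: the check and the mark happen atomically under a lock, so only the
  # first request for a transaction id gets past it. In a real service the
  # same effect comes from a unique constraint on txn_id or a conditional
  # UPDATE ... WHERE credited = false, not from an in-process mutex.
  def verify_purchase_atomic(user, txn_id, coins)
    @lock.synchronize do
      return :already_credited if @credited[txn_id]
      @credited[txn_id] = true
    end
    sleep 0.01                # validation still takes time; the claim is already recorded
    @lock.synchronize { @balances[user] += coins }
    :credited
  end
end

# Fire `concurrency` requests for one transaction at once and return the
# resulting balance: `coins` when the endpoint is safe, a multiple of it
# when the race wins.
def replay_purchase(method, concurrency: 8, coins: 500)
  ledger = CoinLedger.new
  threads = Array.new(concurrency) do
    Thread.new { ledger.public_send(method, "alice", "txn-42", coins) }
  end
  threads.each(&:join)
  ledger.balances["alice"]
end

if __FILE__ == $PROGRAM_NAME
  puts "racy endpoint credited:   #{replay_purchase(:verify_purchase_racy)}"
  puts "atomic endpoint credited: #{replay_purchase(:verify_purchase_atomic)}"
end
```

The sleep is what makes the window visible in a single process; in production the window is the network round trip to the store's receipt-validation API, which is wide enough to hit with a handful of parallel requests.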
An unauthenticated file read in GoCD's Business Continuity add-on (installed and enabled by default), due to a configuration change that exposed the add-on to unauthenticated users.
Mermaid is a markdown-like syntax for generating flowcharts and is supported by GitLab's markdown parser. The Mermaid parser itself can be given various configuration options at initialization time, and some of those can then be overridden by inline directives...
Discourse exposes a webhook that takes a user-provided "subscribe URL" and passes it into `open()` unsanitized. Because Discourse is written in Ruby, where `Kernel#open` treats a string beginning with the pipe character (`|`) as a command to spawn, it's possible to get command execution via the subscribe URL...
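The `open()` pipe behaviour described above, as an added Ruby example that is not Discourse's code: the vulnerable shape beside a hardened one that parses the value and only accepts http(s) URIs. The function names and `"|echo pwned"` (a harmless stand-in for the attacker's command) are constructed for illustration.

```ruby
# Added example, not Discourse's code. Kernel#open spawns a subprocess when
# the string starts with "|", so an attacker-controlled "subscribe URL" that
# reaches open() unsanitized becomes command execution.

require "uri"

# Vulnerable shape: the URL goes straight into Kernel#open.
def fetch_subscribe_url_unsafe(url)
  open(url) { |io| io.read }
end

# Hardened shape: parse first and only accept http(s) URIs. A pipe string is
# not a valid http(s) URI, so it never reaches an I/O call. The validated URI
# is returned rather than fetched so the example runs offline; a real handler
# would hand it to an HTTP client (Net::HTTP), never to Kernel#open.
def validate_subscribe_url(url)
  uri = begin
    URI.parse(url)
  rescue URI::InvalidURIError
    nil
  end
  raise ArgumentError, "subscribe URL must be http(s)" unless uri.is_a?(URI::HTTP)
  uri.to_s
end

if __FILE__ == $PROGRAM_NAME
  puts fetch_subscribe_url_unsafe("|echo pwned")   # the "URL" ran `echo pwned`
  puts validate_subscribe_url("https://example.com/hook")
  begin
    validate_subscribe_url("|echo pwned")
  rescue ArgumentError => e
    puts "rejected: #{e.message}"
  end
end
```

`URI::HTTPS` is a subclass of `URI::HTTP`, so the `is_a?` check admits both schemes and nothing else (`file:`, `ftp:` and unparseable strings are all rejected). Scheme validation stops the pipe trick; it does not by itself stop SSRF, which needs host allow-listing on top.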