Bit of a logic bug/abuse resulting in the ability to write files with semi-controlled content into any directory regardless of privileges. Under normal circumstances, when a setuid binary crashes it is considered non-dumpable; more generally, a process whose real and effective user or group IDs differ will not have a core dump written.
There is an out-of-bounds access that occurs by causing Squirrel to look up a method in the array of class fields.
Ignoring plenty of nuance, `tiocspgrp` (the TTY ioctl that sets the process group) would grab the wrong lock. Pseudoterminals (pty) have a master and a slave device, both of which are controlled by userland and can have ioctls called on them...
A logic bug in the Chrome garbage collector was discovered which could cause a use-after-free. The garbage collector (GC) is a monolithic and complex component of the browser, and some background knowledge is needed to appreciate the issue.
It is possible for a malicious website to associate a visitor with a known Slack account. The attack relies on a difference in behavior when accessing a file with and without permission, and on the ability to share a file with specific users...
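To make the oracle concrete, here is an added example (not code from the original write-up) that models both sides: a server whose share endpoint answers differently for visible and invisible files, and an attacker page that shares one file per candidate user and then makes the visitor's browser probe each one. The URL format, the `Sec-Fetch-Site`-style request marker, the `<img>` onload/onerror probe and every sample value are assumptions made for illustration.

```javascript
'use strict';

// Added example modelling the deanonymisation oracle; not code from the
// original write-up. Assumptions (hypothetical): each share is reachable at a
// per-file URL, an embedder can observe load success vs. failure (onload vs.
// onerror), and the server can see a Sec-Fetch-Site style request marker.

// Attacker-side table (constructed): one file shared with exactly one
// candidate user, so only that user's session can load it.
const SHARED_FILES = [
  { user: 'alice@example.com', url: 'https://files.example/share/F001' },
  { user: 'bob@example.com',   url: 'https://files.example/share/F002' },
  { user: 'carol@example.com', url: 'https://files.example/share/F003' },
];

// Server side (constructed model). Vulnerable: a file the session may see
// is served with 200, anything else is 403, and a cross-site <img> load can
// tell those apart. Hardened: any request that is not same-origin gets the
// same status regardless of the ACL, so the embedder learns nothing.
function serveShare(url, session, fetchSite, hardened = false) {
  if (hardened && fetchSite !== 'same-origin') return 403;
  const file = SHARED_FILES.find((f) => f.url === url);
  const allowed = Boolean(file && session && file.user === session);
  return allowed ? 200 : 403;
}

// Turn per-URL probe outcomes (url -> loaded?) into an identity. Exactly one
// hit means the visitor is that user; zero or several means no conclusion.
function classifyProbes(sharedFiles, results) {
  const hits = sharedFiles.filter((f) => results.get(f.url) === true);
  return hits.length === 1 ? hits[0].user : null;
}

// What one probe looks like in a real browser (defined only, not run here):
// the victim's cookies ride along, and only load/error is observable.
function domImageProbe(url) {
  return new Promise((resolve) => {
    const img = new Image();
    img.onload = () => resolve(true);   // 200 with image bytes
    img.onerror = () => resolve(false); // 403, or any non-image response
    img.src = url;
  });
}

// Drive every probe through the model server for a given visitor session.
// The embedder is cross-site, so the request marker is 'cross-site'.
function identifyVisitor(session, hardened = false) {
  const results = new Map();
  for (const f of SHARED_FILES) {
    const status = serveShare(f.url, session, 'cross-site', hardened);
    results.set(f.url, status === 200);
  }
  return classifyProbes(SHARED_FILES, results);
}
```

With `hardened = false`, `identifyVisitor('bob@example.com')` returns Bob's address because only his share loads; with `hardened = true` every cross-site probe fails the same way and the function returns `null`, while Bob's own same-origin requests are still served. Any response that differs only by permission (status, redirect, timing, content type) is enough for this class of leak, so the check a defender wants is that the cross-site paths are byte-for-byte and status-for-status identical.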
The gist here is that One-Time-Password brute-force prevention was keyed on the client IP, so rotating IPs could get around it.
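The following is an added example (not code from the original report) that puts the two designs side by side: the same OTP check behind a limiter keyed on the client IP, and behind a limiter keyed on the account under attack, with an attacker loop that rotates source IPs. The limiter class, the verifier shape, the OTP value and the IP pool are all constructed for illustration.

```javascript
'use strict';

// Added example, not code from the original report. Models an OTP check
// behind a brute-force limiter keyed on the client IP (the weak design) and
// the same check keyed on the account being attacked. All names, limits and
// sample values are constructed for illustration.

class FixedWindowLimiter {
  constructor(maxAttempts) {
    this.max = maxAttempts;
    this.counts = new Map(); // key -> attempts seen in the current window
  }
  allow(key) {
    const n = (this.counts.get(key) || 0) + 1;
    this.counts.set(key, n);
    return n <= this.max;
  }
}

// Build a verify() that consults `limiter` under the key chosen by `keyOf`.
// `otps` is a Map of account -> currently valid 6-digit code (constructed).
function makeVerifier(otps, limiter, keyOf) {
  return ({ account, ip, otp }) => {
    if (!limiter.allow(keyOf({ account, ip }))) return 'locked';
    return otps.get(account) === otp ? 'ok' : 'wrong';
  };
}

// Attacker loop: enumerate codes, switching source IP every `perIp` guesses
// so a per-IP counter never reaches its limit. Stops on success or lockout.
function bruteForce(verify, account, ipPool, perIp, maxGuesses) {
  let guesses = 0;
  for (let code = 0; code < 1000000 && guesses < maxGuesses; code++) {
    const otp = String(code).padStart(6, '0');
    const ip = ipPool[Math.floor(guesses / perIp) % ipPool.length];
    const result = verify({ account, ip, otp });
    guesses++;
    if (result === 'ok') return { found: otp, guesses };
    if (result === 'locked') return { found: null, guesses };
  }
  return { found: null, guesses };
}

function demo() {
  const LIMIT = 5;
  const otps = new Map([['victim', '004217']]); // constructed sample code
  const ipPool = Array.from({ length: 1000 },
    (_, i) => `10.0.${Math.floor(i / 256)}.${i % 256}`);

  // (a) Keyed on IP: rotating every LIMIT guesses keeps each counter <= LIMIT,
  //     so the attacker walks the whole code space and lands on the OTP.
  const byIp = makeVerifier(otps, new FixedWindowLimiter(LIMIT), ({ ip }) => ip);
  const weak = bruteForce(byIp, 'victim', ipPool, LIMIT, 1000000);

  // (b) Keyed on the account: the source IP is irrelevant and the verifier
  //     locks on guess LIMIT + 1 no matter how many addresses are used.
  const byAccount = makeVerifier(otps, new FixedWindowLimiter(LIMIT), ({ account }) => account);
  const strong = bruteForce(byAccount, 'victim', ipPool, LIMIT, 1000000);

  return { weak, strong };
}
```

`demo()` shows the attacker recovering the code after 4218 guesses against the IP-keyed limiter and being locked out on the 6th guess against the account-keyed one. In practice the account-scoped counter should invalidate the pending OTP after a handful of failures rather than lock the account indefinitely, or an attacker can turn it into a denial of service against the victim; a per-IP counter is still worth keeping as a second layer, just never as the only one.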
Reddit had an issue in associating transactions with order information. If you initiated a coin purchase for, say, $1.99, the order would be created and the order ID could be obtained...
A simple bug in how MySQL deals with the `e` scientific notation for numbers (1.1e5 for 110000, for example) could be abused to bypass various Web Application Firewalls (WAFs). The bug is that the lack of any number following the `e` resulted in the term being stripped from the query with nothing put in its place...
Amazingly simple issue as far as browser bugs go. The `removeFromFacesLookupTable` method in the `CSSFontFaceSet` class failed to properly check whether it had reached the end of the table when looking up a font...
When the `DOMWindow::open` method receives a frame name of `_top` or `_parent`, they are treated as special cases that get an immediate scheduling of a location change. The `scheduleLocationChange` function is usually invoked asynchronously when the URL is the same as the old one, but if the URL fragments differ it runs synchronously and fires a `popstate` event...