Blogpost by Microsoft that details a few vulnerabilities in the `networkd-dispatcher` daemon (the service that reacts to `systemd-networkd` state changes) which can be chained for LPE. When looking at the code flow, they noticed it would register a signal receiver on the system bus, and the handler would receive a `state` path followed by some data...
An uninitialized pointer is freed by providing a malformed IOCA file with a `size_Y` of zero. What happens normally is that there is an initialization routine that iterates from `size_Y` to 0...
By hiding a cross-site scripting payload in the profile update functionality, specifically the profile image. Judging from the payload it looks like straightforward unescaped input that gets echoed into profile pages, though they did need to contend with Cloudflare's WAF...
Simple bypass of the (optional) password lock screen by force-killing the application a few times. The exact cause of this is unclear; I have seen something similar previously where it was a "feature": the developers thought the application was crashing at that point, so they disabled the lock to let the user continue using the application...
Hard-coded credentials strike again, enabling a couple of Server Side Request Forgeries, as the URL to be requested was inside an encrypted, but user-provided, URL parameter. Within the application there were a couple of endpoints that would take a `Url` parameter...
Container escape within GitLab CI runners abusing cgroup's `release_agent` functionality, as CI jobs are allowed to mount file-systems. The `release_agent` is a script that the kernel executes on the host when a cgroup hierarchy becomes empty...
Probably as easy a 2FA bypass as I've seen: if the account had 2FA, the second stage of the password reset form would submit to `/reset2fa`, and if there was no 2FA registered for the account it would submit to `/reset`. The attack was just to modify the submission to point to `/reset` instead of `/reset2fa`, and it wouldn't prompt for the 2FA token.
With FUSE (Filesystem in Userspace) there are two modes of IO: either the normal kernel page cache is used for handling read/write attempts, or, with `FOPEN_DIRECT_IO` set by the filesystem in its reply to the open request, the read/write requests are sent directly to the userspace filesystem. In this mode the kernel will grab a reference to the userspace pages rather than copying them into kernel memory, and map those pages over to the FUSE process...
Java's implementation of ECDSA signature validation deviated from the algorithm in two distinct ways, which together allowed an attacker to craft a signature that validates under any key, for any message.
For some `UIBean` tags the `name` attribute was subject to double OGNL evaluation when there was no corresponding `value` attribute, which could lead to remote code execution.