Sometimes vulnerabilities come from trying to be too generic and handle all the possibilities; this is one of those situations. What you have is the Spring Framework letting users write simple Java classes with fields and getters/setters, and setting those up as models for a particular endpoint...
This is a weird one, but easily understood: when using OmniAuth as the authentication provider (for OAuth, LDAP, or SAML login), a hardcoded password would be associated with the account.
An out-of-bounds access bug in the netatalk open source library for the Apple Filing Protocol (AFP) that could be exploited on the WD PR4100 NAS for pre-auth RCE. The bug happens when parsing resource fork file headers, which can be reached through the `afp_openfork` handler over AFP or SMB without authentication...
The vulnerability here is a fairly straightforward overflow in the esp6 crypto module. When receiving messages, an 8-page buffer is allocated for the incoming data, but it's possible for messages to be sent that exceed 8 pages in size...
Two issues: the first is simply that the update check would make an HTTPS request but not validate the certificate, giving a man-in-the-middle some attack surface; the second was that, when parsing the downloaded file, a checksum would be copied from the file into a fixed-size stack buffer. As an attacker can control the response file, they can overflow the stack buffer.
Cool trick impacting PHP's `filter_var`, which is actually a bit of a binary-level issue: if you provide a long enough string as the argument to `filter_var`, eventually some code (for `FILTER_VALIDATE_DOMAIN` and `FILTER_FLAG_HOSTNAME`) will mistakenly believe the size is much smaller than it actually is (negative).
The bulk import API when importing a group would, if the group had any uploads, download the `uploads.tar.gz` and extract it including any symlinks. When the extracted files are later listed, viewing any of the symlinked files will result in the symlink being followed and arbitrary files being read from outside the upload directory.
A directory traversal issue; the root of it is a flawed regex and replace: `#(/)[^\/]+/\.\./#`. This regex will match on `directory/../`, and once matched it's replaced with the first match group (`/`)...
I'm not even too sure why this one works, but basically, by changing the JSON object sent in, you end up being able to log in as (presumably) arbitrary accounts.
Two logic bugs that cause memory corruption in the handling of TLS packets due to unhandled error / return values when using the nanoSSL library, and a higher level design flaw with the firmware update system.
We have [previously](https://dayzerosec.com/vulns/2022/03/02/linux-kernel-heap-out-of-bounds-write-in-nfdupnetdevc-since-54.html) covered this bug; it's an out-of-bounds access due to a broken assumption that every `dup` command has an associated immediate. When that assumption is broken by manually crafting netfilter rules, the `nft_fwd_dup_netdev_offload` function will perform an out-of-bounds access as it increments too far.
Out-of-bounds read in Chrome's PDFium engine in the `RequestThumbnail()` method. The `page_index` parameter is used to index into a vector of pages to call that page's `RequestThumbnail()` callback; however, the `page_index` isn't validated in production builds...
Trivial instance of client-side validation; in this case, to enforce a timeout they were using the device's time. So by changing the time on the device you can make more attempts at the PIN.
A chain of issues going from an XSS to a remote file download in a server-side PDF renderer, leading to remote code execution. The XSS initially seemed a bit weak, as the application had no secrets or even authentication, so attacking other users would not provide much gain...