A simple container escape compared to several we've covered in the past: the `sysctls` passed into the `pinns` utility are delimited by `+`, which can be included in a value to inject otherwise blocked `sysctls`. There is some minimal validation of the `sysctls` being passed in, ensuring the keys don't match any sensitive keys; however, an attacker can set a value to `+sensitive.key=othervalue` to smuggle in a blocked option.
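To make the parsing mismatch concrete, here is an added example (not code from `pinns`, CRI-O or the original write-up) that models the weak key-only check beside the `+`-joined argument the helper receives, and a stricter validator that treats each entry as exactly one key=value pair. The blocklist, allowlist and the key `example.blocked_key` are constructed placeholders, not the runtime's real sensitive-key list.

```python
import re

# Constructed blocklist and allowlist for illustration only; the real set of sysctls a
# container runtime permits or blocks is not reproduced here.
BLOCKED_PREFIXES = ("example.blocked_key",)
ALLOWED_PREFIXES = ("net.", "kernel.shm", "kernel.msg", "kernel.sem")

# A sysctl key is a dotted path of identifiers and must never contain a separator.
KEY_RE = re.compile(r"[a-z0-9_]+(\.[a-z0-9_-]+)*")
# Values are restricted to a conservative character set that excludes '+' and '='.
VALUE_RE = re.compile(r"[A-Za-z0-9_./:@ -]*")


def weak_check_and_join(sysctls):
    """Mimics the weak validation described above: only the text before the first '='
    in each entry is compared against the blocklist, after which the entries are joined
    with '+' into the single argument a pinns-style helper would receive."""
    for entry in sysctls:
        key = entry.partition("=")[0]
        if key.startswith(BLOCKED_PREFIXES):
            raise ValueError(f"blocked sysctl key: {key}")
    return "+".join(sysctls)


def helper_split(joined):
    """The receiving side splits on '+' and then on the first '=', so a '+' inside a
    value silently becomes a second key=value pair that was never checked."""
    return [tuple(part.split("=", 1)) for part in joined.split("+")]


def strict_check(sysctls):
    """Hardened validation: each entry must be exactly one key=value, the key must match
    the allowlist and not the blocklist, and the value may not contain either separator."""
    parsed = []
    for entry in sysctls:
        key, sep, value = entry.partition("=")
        if not sep:
            raise ValueError(f"missing '=' in sysctl entry: {entry!r}")
        if not KEY_RE.fullmatch(key):
            raise ValueError(f"malformed sysctl key: {key!r}")
        if not VALUE_RE.fullmatch(value):
            raise ValueError(f"disallowed characters in value for {key}: {value!r}")
        if key.startswith(BLOCKED_PREFIXES) or not key.startswith(ALLOWED_PREFIXES):
            raise ValueError(f"sysctl key not permitted: {key}")
        parsed.append((key, value))
    return parsed


if __name__ == "__main__":
    # Constructed input: a permitted key whose value carries a second, blocked pair.
    smuggled = ["net.ipv4.ip_forward=1+example.blocked_key=othervalue"]
    joined = weak_check_and_join(smuggled)  # passes: only 'net.ipv4.ip_forward' is inspected
    print(helper_split(joined))             # two pairs, the second never validated
    try:
        strict_check(smuggled)
    except ValueError as err:
        print("rejected:", err)
```

The point of the strict version is that validation and splitting agree on the grammar: anything the helper would later interpret as a separator is rejected in the value, so a single checked entry can never expand into more than one sysctl on the receiving side.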
A great bounty for a fairly simple bug: `showSaveFilePicker` would allow JavaScript to provide options, including a default filename, which could contain `%environment%` variables on Windows. The JavaScript could then access the name of the saved file via the resulting promise.
Yet another branch predictor bug was discovered by grsecurity when testing a performance optimization for Reuse Attack Protector (RAP) return hash sequences. RAP sequences have an unconditional jump, followed by a `movabs` instruction and some `int3` instructions for debugging purposes...
We have [previously discussed](https://dayzerosec.com/vulns/2021/09/29/iouring-vulnerability-resulting-in-freeing-wrong-kernel-buffer.html) this vulnerability, which provides a primitive to free adjacent memory.
An attack that extends branch target injection, in which the branch predictor is trained on an indirect branch so that a wrong target is speculatively executed, and the cache is then used as a side channel to leak data. Among the mitigations introduced by Intel and ARM were Enhanced Indirect Branch Restricted Speculation (eIBRS) and CSV2 respectively...
A nice chain leading to unauthenticated RCE: a path traversal leading to server-side request forgery, used to hit the application's API from localhost and leak administrative credentials, followed by an unescaped argument in a privileged-off task for command injection.
Two issues: first, an XSS requiring two injection points to bypass the web-application firewall, and second, a cache poisoning attack that makes it possible for the XSS to be stored.
The vulnerability here is a straightforward case of reading a size from the attacker and using it in a `memcpy` into a fixed-size destination buffer on the stack.
Two Facebook Canvas issues enabling an attacker-controlled application to obtain privileged first-party API keys by pretending to be Instagram or another first-party application.
Abusing an otherwise secure call to `shell_exec` allows users to control part of the `sed` command, leading to code execution. One thing of note is that this is the FreeBSD version of `sed`, which differs from the more common GNU version in that it lacks the commands for directly executing other commands...
Permissive parsing strikes again: MySQLjs would accept objects as values for a parameterized query, with a somewhat surprising default behaviour. The key issue here, though, is that MySQLjs exposes an interface that looks entirely like prepared statements but actually builds the query on the client side rather than using server-side prepared statements.