Kernel bug in KCodes' NetUSB kernel module, which is used by various network device vendors for routers and such. The vulnerability is in the `dispatchNormalEPMsgOut()` handler for an unlabelled command of `0x805f`...
Integer underflow in `fs_context.c`'s `legacy_parse_param()` function, which was introduced in v5.1. When bounds checking the provided options length, they compare it with `system page size - 2 - context data size`...
The issue here is relatively simple despite the technical depth the authors go into on the crypto and how it's used. AES-128 keys are used to encrypt challenge codes for the authentication flow between NFC tags and the alarm system, but the way these AES-128 keys are generated is naive and insecure...
While the hostnames were being validated for this vulnerability, injecting a `@` into the path argument was sufficient to mislead the final URL parser and the code actually making the HTTP request into going to an unapproved domain: the parser treats the path as the host and everything before the `@` as credentials.
Combination of a local file inclusion bug and a file write bug. Firstly, the `user/loader.php` and `/user/index.php` pages had some interesting code where they would take a `scripts` GET parameter to construct an include path in PHP...
The initial vulnerability here is an unbounded `sscanf` into a stack variable. In terms of discovery, just checking those format strings for unbounded string reads will find plenty of bugs out there in the world...
The basic idea is that the identifier pulled out of a message can point to a different handler between the initial check that redirects the message to the proper "sequence" and that sequence finding the proper endpoint/handler for it.
The logout endpoint provided by the Shibboleth plugin, used by an Identity Provider to log a user out of services, had an odd way of finding the right sessions to destroy that led to the request originator being logged into another, seemingly random account.
Different URL parsers may treat mistakes in the URL differently, leading to behaviour differences that can be used. This research paper focused on five potential areas where parsers disagreed on how to understand the URL.
This is one of those issues that is an obvious code smell once you're aware of it: `inp_join_group` releases a lock so that it can call another function that requires the same lock, then takes the lock back after that function has executed. This creates a window in which another function can obtain the lock and free the pointer out from under it.