A long chain of issues going from blind SSRF to new-line injection to a blind Livestatus Query Language (LQL) injection to arbitrary file deletion and finally a race condition leading to authentication bypass.
Off-by-one issue as the bounds check `if (written_out > max_out)` will continue for one extra iteration after it has written `max_out` number of integers.
An in-the-wild exploit chain was discovered that exploits three vulnerabilities in Samsung exynos devices running kernel 4.14.113. It consisted of one userland exploit in Samsung's custom clipboard provider, a kernel infoleak through their `sec_log` functionality, and finally a UAF in the Display Processing Unit (DPU) driver.
As the title says, some weird load balancers issues, core problem being that user-specific data would be cached and returned to other users.
When performing a BulkImport it is possible to provide a URL to`httpUrlToRepo` that will resolve to a repository on the local filesystem.
Funny bug in Task.org, which is an open source reminder and todo list tracking app.The vulnerability is lack of path validation in the ShareLinkActivity's `share` intent...
The problem starts in `remove_liquidity` where a contract can remove funds that they added. It will updated the `total_supply` and burn tokens, then in a loop for each coin it will decrement the `balances` and transfer them to the attacker's contract...
Facebook's SMS Captcha page would as you might expect, display a captcha, the user fills it out, and then it makes a POST request to the next page including the anti-CSRF token. The problem being that the next location was determined by the `next` url parameter which was entirely attacker controlled, and could be pointed to sensitive GraphQL endpoints.
Multiple memory corruptions in Microsoft Edge browser, there are several issues here but they all generally can be summed up as "self-corruptions".Its things like a use-after-free by opening a dialog, closing the backing page that spawned the dialog, and then closing the dialog triggering a callback that no longer exists...
At its core, a simple, yet odd Linux kernel issue, `__io_req_init_async` assumes that the new request (`req`) being submitted was submitted by its own worker, so it sets the `req->work.identity` to `current->io_uring`.