The authors here focus on crafting the exploit for an already discovered vulnerability in Orthanc's DICOM server. The vulnerability is a natural consequence of two features:
An object type confusion was discovered in the Microsoft Kernel Streaming Server (`mskssrv.sys`), which is used for virtualizing camera devices and allowing multiple applications to access camera streams. The driver uses two main object types for allowing userspace to acquire a context and send/receive data, a `context` and a `stream`...
Log injections are a class of bug that is often overlooked, both because it is difficult to spot during a black box engagement, and because the impact is difficult to determine. In this case though the impact was easier to spot because the program processing the output logs was part of the same application...
An interesting vulnerability was found in Confluence that allowed for calling semi-arbitrary method chains on the Action class being executed. This reminds me a bit of deserialization attacks, but in this case you've got the XWork2 framework providing a `SafeParametersInterceptor` class...
Post from Man Yue Mo at GitHub Security Lab on an RCE in Chrome due to a bug in Chrome's JIT compiler (TurboFan). As a bit of background, modern browsers will often compile code/functions that are deemed as 'hot paths' (aka executed a lot)...
A buffer overflow vulnerability was introduced in a 2021 patch to glibc's dynamic loader when processing `GLIBC_TUNABLES` environment variables. Tunables are basically configuration settings of the runtime that can be set via key/value pairs in the form of `key=val`...
A rather complex bug to trigger that was found being exploited in the wild against libwebp's VP8L compression and was reachable through an iMessage.
Writeup for exploiting an io_uring bug submitted to kCTF (before io_uring was disabled in kCTF). The vulnerability itself was extremely straightforward and was in the handling for the `IORING_OP_MSG_RING` command for signaling another ring...
A fairly simple processing bug in WinRAR resulting in code execution with benign-seeming interaction with an archive; unfortunately this one was seen being exploited in the wild to spread malware.
Awesome abuse of a regex DoS to bypass a security check in MyBB resulting in an RCE.