Silly vulnerability where the assert statement was written backwards, so the function only “worked” if the uVlanId value was out of bounds. Of course leading to out-of-bounds bit setting in the next bit of code.
This was a really cool XSS filter bypass due to a parsing differential between PHP’s multibyte string functions: mb_strpos and mb_substr when dealing with invalid UTF-8 sequences.
Three deserialization related issues, two stemming from core of Lucee, and one in Mura a CMS built on Lucee.Lucee is a ColdFusion Markup Language based scripting language the runs on the JVM (Java Virtual Machine) and is intended for the development of web applications…
A rather simple Chrome permission bypass.Basically chrome.pageCapture.saveAsMHTML() shouldn’t be able to save pages it doesn’t have the permissions to read like pages belonging to another extension or chrome pages…
Just another caching issue, this time we’ve got a GraphQL API that is being used to serve some static files/content.Those requests that should be cached include a reqIdentifier parameter in the URL that acts as the cache key…
A common code pattern for double free (and other issues) is incorrect life-time management along error paths.Sometimes this will result in use-after-frees but in this case its a double free…
A traditional unbounded strcpy, this one is a bit fun because its happening as a server you are connecting to printing a vulnerable ANSI escape code and arguments.
XSS delivered via profile image upload of an SVG containing the XSS.Fairly common situation where SVG support allows XSS because the SVG’s scripts are not sanitized but also one we have basically never talked about on the podcast…
A pretty classic command injection vulnerability but in ClamAV.Often seen (in my experience) running on mail-servers to scan incoming email attachments…
The Mediatek wlan driver on Android has several files exposed under the /proc virtual filesystem.Some of these read handles do not check the caller-provided buffer size before copying data out into the user buffer…
The primitive in play here is a handle duplication attack, and basically the LogMeIn device driver has an IOCTL that will temporarily duplicate a handle specified by the caller (attacker). Along with allowing users to open the device with PROCESS_DUP_HANDLE one can open the device and then try to duplicate the newly created handle before it gets closed to continue to hold a reference to a privileged handle and use that for an elevation of privilege.
An arbitrary file leak (restricted read) in Jenkins that can be used to leak sensitive information in some scenarios.Ultimately the vulnerability comes from Jenkins’ use of args4j, a small but well known Java library for parsing command line arguments…
We have an unnamed dashboard application here that allows users to specify objects that will be rendered into the dashboard through JSON blobs.Users can provide dashboard templates in the form of a JSON blob, including an item array of which items to render…
Two cross-site scripting vulnerabilities stemming from the handling of clipboard data in Excalidraw and Microsoft Whiteboard. One allows straight forward exploitation, where as the other has a bit of an iframe trick to it.
This one comes down to a normalization difference between Cloudflare’s CDN and the ChatGPT backend server.The Cloudflare CDN was setup to cache all requests under the /share/ endpoint, and the determination of whether a path matches would happen before any percent-encoded characters were decoded…