This was a fun authorization check bypass because when checking if higher privileges were needed the flag value was checked for equality with the two privileged actions.Later on however, when deciding what handler to use to handle to request, it used a bitwise operation to check if the specific bit is set…
Three hard to exploit (beyond denial of service) out-of-bounds read vulnerabilities in MIT Kerberos V5 but each with a bit of an interest cause.
Effectively, a double-fetch vulnerability in Intel SMM’s SMI handler that could allow a local attacker to escelate into System manage Mode.It recieves a CommBuffer that contains a Data pointer and a size value…
When using the ssrfFilter library in conjunction with the Request library in JavaScript there is a bug that can result in the SSRF filter being disabled.The way the anti-SSRF library, ssrfFilter works is that is creates its own object that cna be used in=place of Node’s default request agent for http/http requests…
Three vulns in Apollo Configuration Management System (two of which were recognized as CVEs).The first vuln (which isn’t acknowledged by the vendor) is a Spring Expression Language (SpEL) issue where various settings are merged with spring framework properties, allowing SpEL injection for RCE…
A few vulnerabilities in Azure Web Services via Kudu Git repo manager used for git deployments.Kudu exports a source control management (SCM) portal that can be accessed if you’re authenticated into the instance through Azure Active Directory (AAD), which allows you to manage your web app…
Solid post document some of the practical aspects of pulling off this attack, but the root issue was a change in Android’s parcel API, without going into details about parcels you can think about this as similar to just opening a file.You usually need to provide a mode, like w for write, or r for read access…
Yet another case of bad syncronization or just performing operations in the wrong order.IIn this case ene_remove called when removing the device, will remove its internal allocations and everything before it actually unregisters the device…
A type-confusion happens in during the initialization of TUN/TAP sockets that leads to the UID being fixed to 0.The root cause of this bug is in the incorrect assumption made by sock_init_data() regarding the struct socket input…
Two vulnerabilities in the TPM 2.0 reference implementation’s CryptParameterDecryption().The Trusted Platform Module (TPM) is used for key storage, key generation, and attestation via storing and taking “measurements” (integrity checks) in the boot process…