A very easy stack overflow in the Okage Shadow King PS2 game. The profile name was copied into a stack buffer without bounds checking, allowing a stack overflow of the profile name to corrupt the return pointer on the stack…
A path traversal type issue in Kardex MLOG due to not properly handling Windows path separators. The service's GetFile handler would check for an /api and /image slug, and if neither were present it would fall back on trying to construct a filename…
A small bug in processing/validating the entries in the Merkle tree resulting in the theft of 2 million BNB ($586 Million USD at time of the original theft).
A 19-year-old bug in XNU's Data Link Interface Layer, or DLIL, that led to an out-of-bounds write on the heap. The root cause is that ifnet_attach() will get the next interface index as a 32-bit integer and downcast it to a uint16_t when saving the index…
Out of bounds read in cmark-gfm due to a lack of bounds check in validate_protocol.
A heap overflow that was found in-the-wild by Google's Threat Analysis Group (TAG) in Chrome. This bug was in the texture subsystem for WebGL GLES with textures created from a shared image, which bypasses the texture manager's tracking of the max_levels for mipmaps.
Simple enough vulnerability: a POST parameter was directly unserialized, which would often be pretty damning, but vBulletin apparently had put in some effort to make it hard to exploit.
A bit of research on leaking access tokens from OAuth2/OIDC flows. In all cases you already need a cross-site scripting vulnerability to exist on the host receiving the callback, but it does present an interesting case of escalating two often unimportant issues, a self-XSS and a login CSRF, into an account takeover.
DOM-based XSS in Facebook via Instant Games (a newer feature being gradually rolled out). The vulnerability here is in the goURIOnWindow function which is used for supplying the window location and verifying it…
Simple token leakage bug in Oculus endpoints due to migration from using Facebook accounts to Meta accounts. Where the first-party access token was previously difficult to leak due to redirects being made through JavaScript, with the new Meta authentication flow, redirection was done directly via URL with the token…