Vulnerabilities (Page 2)

Integer Truncation in Java's XML Signature Verification

The root of the issue is that XSLTC (turns XSLT into a Java Class to be executed for better performance) does not account for that fact that the constant_pool_count in a Java class is only 16bits. An attacker can create an XSLT document containing too many constants, all of which will be written to the class file, but the count will be truncated to 16bits, leading to some of those constants being interpreted as part of the classfile containing things like field and method descriptions for the class.


A Very Powerful Clipboard: Analysis of a Samsung in-the-wild exploit chain

An in-the-wild exploit chain was discovered that exploits three vulnerabilities in Samsung exynos devices running kernel 4.14.113. It consisted of one userland exploit in Samsung’s custom clipboard provider, a kernel infoleak through their sec_log functionality, and finally a UAF in the Display Processing Unit (DPU) driver.


SSRF in Next.JS Image Optimizer (Netlify IPX)

A cool look at finding a vulnerability on a statically generated website, due to the presence of an image optimizer running as a serverless function.The Netlify IPX would normally validate image urls before fetching them to ensure the host is whitelisted (none by default), however this whitelist is skipped when it believe the URL is a local URL, meaning it does not start with http