The primitive in play here is a handle duplication attack: the LogMeIn device driver exposes an IOCTL that will temporarily duplicate a handle specified by the caller (attacker). Combined with the device being openable by users with PROCESS_DUP_HANDLE, one can open the device and then race to duplicate the newly created handle before it gets closed, keeping a reference to a privileged handle and using it for an elevation of privilege.
An arbitrary file leak (restricted read) in Jenkins that can be used to leak sensitive information in some scenarios. Ultimately the vulnerability comes from Jenkins’ use of args4j, a small but well known Java library for parsing command line arguments…
We have an unnamed dashboard application here that allows users to specify objects that will be rendered into the dashboard through JSON blobs. Users can provide dashboard templates in the form of a JSON blob, including an item array of which items to render…
Two cross-site scripting vulnerabilities stemming from the handling of clipboard data in Excalidraw and Microsoft Whiteboard. One allows straightforward exploitation, whereas the other has a bit of an iframe trick to it.
This one comes down to a normalization difference between Cloudflare’s CDN and the ChatGPT backend server. The Cloudflare CDN was set up to cache all requests under the /share/ endpoint, and the determination of whether a path matches would happen before any percent-encoded characters were decoded…
Format string bugs, you’d think we’d be done with them by now, but Shielder here documents one in ASUS routers.
Qualys at it again, this time with a skipped initialization code path leading to a small allocation and a buffer overflow deep in glibc’s syslog.
It’s long been a classic to abuse accidentally exposed file descriptors through /proc/self/fd to break out of sandboxes, so it’s kinda fun to see a similar sort of bug impacting Docker and enabling a container break-out either at runtime or during build time.
Andrea Menin brings us a great find with a deviously simple WAF bypass. The core bug belongs to ModSecurity and the variables it exposes to be used by the various rulesets others have created.
The issue itself is fairly easy to describe: Meta found that of 14 reputable brands, seven had releases where one or more preinstalled APEX modules (privileged OS code) were signed using only the test keys that are publicly available in the Android Open Source Project (AOSP) repository.