On its own a pretty simple overflow.There exists a buffer for up to 32 elements to be read into, but the value that is used to determine how many elements to copy is not bounded and can be as high as 255…
Inspired by HTTPVoid’s February write-up about Hacking Google Drive Integrations. They took a bit deeper look at how HelloSign patched the SSRF documented.
A Transparency Consent and Control (TCC) bypass in macOS.TCC is the subsystem responsible for gating off access to privacy settings and iCloud account data and such…
Funny bug in Glovo, which is a delivery platform for taking orders and dispatching deliveries.The bug is an integer overflow in the quantity parameter of the POST request for the order, which can affect the total price of the order…
Bug comes from GitLab’s use of Rails UJS (Unobtrusive JavaScript).While known data-* attributes like data-url and data-method are stripped by DOMPurify, arbitrary data-* attributes aren’t…
Taking an unexpected reference to a memoryview object resulting in a use-after-free when the parent of said object is destroyed.Though this is a rather low impact bug because it requires control over the code being executed, so one could just write an os.system(...) call or something similar…
Heap overflow in the mbuf zone in the PPPoE driver, which the PS4/PS5 borrow from NetBSD.The issue is the fact that pppoe_send_padr() can calculate a packet length that exceeds MCLBYTES (2048 bytes)…
Couple of bugs originating in Solana’s JIT: one an optimization issue, the other a bad instruction choice, both found through fuzzing.
Interesting but fairly simple vuln in rubygems.It’s a design flaw or logic bug in the way versioning works when yanking a gem…
Authentication bug in Priceline through the use of Google OneTap.The problem is that they assume emails provided through Google OneTap are verified and authentic…
A chain of bugs starting with a “third party” information disclosure, and leading to an account takeover.The third-party aspect can be argued but as a vuln classification it feels like the best fit for the root of this issue…
Authentication bug for this sensitive /mgmt/tm/util/bash endpoint, which as the name suggests, will take commands and execute them.The endpoint was protected by authentication, but that authentication was vulnerable to a kind of desync…
A nice little logic error abusing an edge case between two different command flags.Curl may remove the wrong file when --no-clobber and --remove-on-error flags are used together…
Multiple memory corruption bugs in Accel-PPP, an open-source VPN server.These bugs all follow the same basic flawed logic, a length is read from an attacker controlled buffer and then that length of data is copied from the buffer into an awaiting structure…
Memory corruption but only a denial of service out of it, a user-defined size is read and used in a calculation as it calculates the amount of bytes left ot read. This can potentially lead to a buffer overflow, but only writting into unmapped memory rather than corrupting any useful targets.