An interesting vulnerability in Huawei’s security hypervisor, which Huawei devices use to protect kernel integrity. The hypervisor provides logging capability, and allows the kernel to access the log buffers via shared memory that the kernel can map into its address space…
A pretty straightforward stack-based overflow in ping on FreeBSD. It is a little interesting though, in that there is one caveat; this is the vulnerable code:
A long chain of issues that leads to XSS in the League of Legends (LoL) account subdomain via easyXDM, which is a developer-focused JS library that provides an interface for doing cross-origin communication using various protocols. easyXDM consists of a producer-consumer setup, where a producer page exports functions for the consumer page to invoke…
A race condition in snap-confine, which is a suid root binary that’s installed by default on Ubuntu. The must_mkdir_and_open_with_perms() function is used to create and open temporary directories for snap-confine…
An email normalization issue allowing for remote control of a vehicle.
The core vulnerability here is a case where a DOM clobbering attack could be used to hijack a service worker.
The username, from_name and password fields of the SMTP server configuration accept new-line characters that will be printed directly into the resulting configuration file. Using this it is possible to include configuration parameters that are not normally exposed…
Another vulnerability in Apple Neural Engine (ANE). Interestingly, this one’s a double fetch yielding an out-of-bounds write in ZinComputeProgramUpdateMutables()…
An out-of-bounds write in the ZinComputeProgramGetNamesFromMultiPlaneLinear() and ZinComputeProgramGetNamesFromMultiPlaneTitledCompressed() functions of the Apple Neural Engine (ANE). These functions are responsible for parsing procedure I/O, and will take some arguments including an output planes array of kernel pointers to user-controlled data, as well as a planeCount for how many planes to copy into that array…
This blog post essentially uses a previous sandbox escape they discovered against Backstage, which is Spotify’s incubated solution for managing infrastructure, microservices and the like. Backstage includes software templates, which can contain a `message` parameter that gets rendered in Nunjucks (a JS templating engine)…