Two integer overflows discovered in the NetUSB.ko kernel module for doing USB over IP. Both were in the SoftwareBus_dispatchNormalEPMsgOut function, which seems to be a dispatch routine of sorts for user-received data.
Two fundamental issues allowing for XSS in Ruby on Rails (RoR) applications. As RoR is just a framework, these all depend on an application using the framework in a way that exposes these vulnerabilities.
Seems like a case of a generic endpoint being implemented up update any field provided without consideration of other restrictions on said field.In this case we have a PATCH /api/v2.0/accounts/<account_id> endpoint which ultimately takes in a dictionary containing field/value pairs to be updated for the account id…
This starts off in a pretty straight-forward way with an arbitrary file upload vulnerability, but also includes a bit of discussion about exploiting it in a more hardened environment which had some interesting insight.
Five vulnerabilities in Cloudflare Pages across 3 blog posts. Three vulns are command injection, one is a container escape, and one is a lack of access control.
An access control issue in a fallback price oracle contract.Under normal circumstances, Aave V3 will try to use chainlink oracle for getting price information…
Memory corruption issue in CLFS. The issue comes down to the parsing of log blocks when loading log files from disk.
Blogpost by Microsoft that details a few vulnerabilities in the networkd-dispatcher component in systemd which can be chained for LPE.When looking at the code flow, they noticed it would register a signal receiver on the system bus, and the handler would receive a state path followed by some data…
An uninitialized pointer is freed by proving a malformed IOCA file with a size_Y of zero.What happens normally is that there is an initialization routine that iterates from size_Y to 0…
By hiding a cross-site-scripting attack in the profile update functionality, specifically the profile image.Judging from the payload it looks like a straight-forward unescaped input that gets reflected on profile pages, though they did need to contend with Cloudflare’s WAF…
Simple bypass of the (optional) password lock screen by force-killing the application a few times.The exact cause of this is unclear, I have seen something previously where it was a “feature” because the developers thought it was crashing on that point so disabled it to let the user continue to use the application…
Hard-coded crednetials strike again, enabled a couple Server Side Request Forgeries as the URL to be requested was inside an encrypted, but user-provided URL parameter.Within the application there were a couple endpoints that would take a Url parameter…
Container escape within GitLab CI Runners abusing cgroup’s release_agent functionality as CI jobs are allowed to mount file-systems.The release_agent is a script that will be executed when a cgroup heirachy becomes empty…
Probably as easy of a 2FA bypass as I’ve seen, effectively if the account had 2FA the second stage of the password reset form would submit to /reset2fa and if there was no 2FA registered for the account, it would submit to /reset so the attack was just to modify the submission to point to /reset instead of /reset2fa and it wouldn’t prompt for the 2FA token.
With a FUSE (Filesystem in USErspace) there are two modes of IO, either the normal kernel page cache can be used for handling read/write attempts or using FOPEN_DIRECT_IO in the open call the read/write requests can be sent directly to the userspace filesystem.In this mode the kernel will grab a reference to the userspace pages rather than copying them into kernel mode and map those pages over to the FUSE process…