The problem starts in remove_liquidity, where a contract can remove funds that it added. It will update the total_supply and burn tokens, then in a loop for each coin it will decrement the balances and transfer them to the attacker's contract…
Fairly straightforward refcount leak bug in the coredump function of the kernel. It would take a reference on the process credentials to ensure they don't get destroyed while in use, but it doesn't release that reference on the error exit path…
An integer overflow in SQLite's sqlite3_str_vappendf with large inputs when dealing with the q, Q or w format specifiers (unique to SQLite's implementation of printf, used to escape quotes). In calculating the maximum buffer size once escapes have been added, the size may overflow to a negative value, leading to SQLite using a 70-byte (by default) stack-allocated buffer…
Callbacks can be tricky in memory-unsafe languages; here the Chrome Account Selection feature creates an image view and an image fetcher. It sets up a callback function to be called once the account's image has been fetched and passes in a raw pointer to the created image_view, the problem being that the image view may be destroyed before the callback happens.
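The lifetime hazard described above, as an added example that is not Chrome's code: a hypothetical ImageFetcher whose completion callback captures a raw pointer to the view, beside a version that captures a std::weak_ptr and checks it before use, so a fetch completing after the view is destroyed becomes a no-op instead of a use-after-free.

```cpp
#include <functional>
#include <memory>
#include <string>
#include <vector>

// Hypothetical stand-ins for the view and fetcher discussed above.
struct ImageView {
    std::string image;  // filled in when the fetch completes
    void SetImage(const std::string& data) { image = data; }
};

// Queues completion callbacks and runs them later, like an async fetch.
class ImageFetcher {
public:
    void Fetch(std::function<void(const std::string&)> on_done) {
        pending_.push_back(std::move(on_done));
    }
    void Complete(const std::string& data) {  // simulates the async completion
        for (auto& cb : pending_) cb(data);
        pending_.clear();
    }
private:
    std::vector<std::function<void(const std::string&)>> pending_;
};

// Unsafe pattern: the callback captures a raw pointer. If the view is freed
// before Complete() runs, SetImage() writes through a dangling pointer.
void FetchWithRawPointer(ImageFetcher& fetcher, ImageView* view) {
    fetcher.Fetch([view](const std::string& data) { view->SetImage(data); });
}

// Safer pattern: capture a weak reference and lock it at callback time.
// *delivered reports whether the image reached a still-live view.
void FetchWithWeakPointer(ImageFetcher& fetcher, std::weak_ptr<ImageView> weak, bool* delivered) {
    fetcher.Fetch([weak, delivered](const std::string& data) {
        if (auto view = weak.lock()) { view->SetImage(data); *delivered = true; }
        else { *delivered = false; }  // view already destroyed: do nothing
    });
}

// Scenario: the view is destroyed before the fetch completes.
bool WeakPointerSkipsDestroyedView() {
    ImageFetcher fetcher;
    bool delivered = true;
    {
        auto view = std::make_shared<ImageView>();
        FetchWithWeakPointer(fetcher, view, &delivered);
    }  // view destroyed here, before Complete()
    fetcher.Complete("png-bytes");
    return !delivered;
}

// Scenario: the view outlives the fetch and receives the image.
bool WeakPointerDeliversToLiveView() {
    ImageFetcher fetcher;
    bool delivered = false;
    auto view = std::make_shared<ImageView>();
    FetchWithWeakPointer(fetcher, view, &delivered);
    fetcher.Complete("png-bytes");
    return delivered && view->image == "png-bytes";
}
```

FetchWithRawPointer is shown only for contrast and is deliberately never run against a destroyed view.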
Improper handling of multi-line header values, specifically in handling the Transfer-Encoding header: Node would parse the value up to the first newline and not include the remaining content.
Straightforward IDOR, but the vulnerable feature is somewhat hidden. Within Google Data Studio you have an option to create a template and then perhaps add that template to a report; it is the process of persisting that template in a report that is vulnerable to IDOR.
There seem to be a lot of gaps in this writeup, but to the best of my understanding the bug is a straightforward XSS, but only in the MCS Webview, giving access to the window.GalaxyStore object to download or open any application from the store.
Facebook's SMS Captcha page would, as you might expect, display a captcha; the user fills it out, and then it makes a POST request to the next page including the anti-CSRF token. The problem being that the next location was determined by the next url parameter, which was entirely attacker controlled and could be pointed at sensitive GraphQL endpoints.
Multiple memory corruptions in the Microsoft Edge browser; there are several issues here, but they can all generally be summed up as "self-corruptions". It's things like a use-after-free by opening a dialog, closing the backing page that spawned the dialog, and then closing the dialog, triggering a callback that no longer exists…
At its core, a simple yet odd Linux kernel issue: __io_req_init_async assumes that the new request (req) being submitted was submitted by its own worker, so it sets req->work.identity to current->io_uring.