An integer overflow in the official SHA-3 implementation as used by PHP, Python, Ruby and I’m sure other places. When updating a block that already has some data in it, it tries to calculate whether the new partial block bytes would go out of bounds, but it makes the classic mistake of adding the current index and the length of the new data and then just checking whether the sum is lower than a bounding value…
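An added example (not the library's code) modelling the bounds-check pattern described above, with the additive check beside a subtractive one that cannot wrap; RATE_BYTES, the index/remaining names and the sample lengths are assumptions chosen for illustration.

```c
#include <stdbool.h>
#include <stdio.h>

/* Simplified model of a sponge "absorb" step, not the real implementation.
 * RATE_BYTES is the SHA3-256 rate; the sponge keeps a partially filled block
 * of this size plus an index into it (names assumed for this example). */
#define RATE_BYTES 136u

/* Vulnerable clamp: decides how many of the `remaining` input bytes go into
 * the partial block at offset `index`. The check adds index + remaining in
 * 32-bit unsigned arithmetic, so a length close to UINT_MAX wraps around,
 * the check passes, and the unclamped length is returned. */
unsigned int clamp_partial_vulnerable(unsigned int index, unsigned int remaining)
{
    unsigned int partial = remaining;
    if (partial + index > RATE_BYTES)   /* wraps for large `partial` */
        partial = RATE_BYTES - index;
    return partial;
}

/* Hardened clamp: compare against the space left instead of adding.
 * RATE_BYTES - index cannot underflow because index is kept <= RATE_BYTES. */
unsigned int clamp_partial_hardened(unsigned int index, unsigned int remaining)
{
    unsigned int partial = remaining;
    if (partial > RATE_BYTES - index)
        partial = RATE_BYTES - index;
    return partial;
}

/* True when copying `partial` bytes at `index` would run past the block. */
bool would_overrun(unsigned int index, unsigned int partial)
{
    return index > RATE_BYTES || partial > RATE_BYTES - index;
}

int main(void)
{
    /* Constructed case: 100 bytes already queued, then a chunk whose
     * length makes index + remaining exceed 2^32. */
    unsigned int index = 100u, remaining = 0xFFFFFFFFu - 50u;
    unsigned int bad = clamp_partial_vulnerable(index, remaining);
    unsigned int good = clamp_partial_hardened(index, remaining);
    printf("vulnerable clamp: %u bytes (overrun: %s)\n", bad,
           would_overrun(index, bad) ? "yes" : "no");
    printf("hardened clamp:   %u bytes (overrun: %s)\n", good,
           would_overrun(index, good) ? "yes" : "no");
    return 0;
}
```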
A vuln where untrusted input can ultimately make its way into eval() in a Perl script via the Controller servlet. Sophos Firewall exposes two dashboards, a user portal and a web admin console…
Cisco’s Jabber, an XMPP client, would treat the closing </stream:stream> XML tag as a special case that reset the state of the XML parsing, which allowed whatever tag came next to be treated as the root of the XML document, allowing injection of control stanzas.
So Java’s Swing UI toolkit will in some cases try to parse any string that starts with a < as HTML, and dangerously so: its handling of <object> tags will attempt to instantiate a class with the name taken from the classid attribute (it must inherit from java.awt.Component), and it will then attempt to apply any <param> tags through the corresponding setter functions.
A couple of integer overflows in the Windows kernel reachable through the registry, the core problem being that a 16-bit integer is used for the Count field storing the number of subkeys inside an index. Under normal circumstances, when adding new subkeys the registry will automatically split the index so you won’t have more than ~1000 subkeys in one, but you can import arbitrarily formatted indexes, and using this you can craft one with 65535 keys…
A format-string bug in the Trackmania Forever server accessible from server clients, a pretty straightforward bug: input in a client RPC gets printed on the server.
An argument injection leading to remote code execution on the Packagist server. The vulnerability comes from how workers try to update a package’s main documentation page by reading the package’s readme file using hg’s cat command.
Yet another case of automatically turning attacker data into full-blown objects being a bad idea: in this case the Sawyer library used by Octokit turns API responses into Ruby objects, which are then used to build Redis commands, allowing an attacker to inject arbitrary Redis commands with a crafted API response, leading to code execution.
Authentication to the Fortinet management panel for various applications could be bypassed by meeting two conditions: the resolved client IP is 127.0.0.1 and the User-Agent is Report Runner.
Just another thing to be testing for: it was found that the Apache Commons Text library, when doing a StringLookup, will do variable expansion, supporting several prefixes like url to fetch data from a remote URL or script to execute a Javax string…