This is a interesting primitive, an unsigned 32bit integer can mistakenly be kept unsigned after it is supposedly converted to a signed 64bit integer and passed in somewhere expecting a signed value.
There is an argument injection within the ms-officemd URI scheme (available by default on WIndows 10 and 11) used by MS Office applications to launch other Office apps. By targeting the MS Teams Electron application one could leverage the --gpu-launcher argument for arbitrary command injection without any hassle.
Server-Side Request Forgery (SSRF) in the AppSheet product, an acquisition by Google which is a “no-code” application generator.One feature is that a web-hook can be executed in respond to supported events…
If you log untrusted data using log4j…you might have an RCE.I wasn’t able to find a good root cause of this bug but the issue itself is pretty readily understood…
Three vulnerabilities found in MediaTek’s audio Digital Signal Processor (DSP) firmware.They first go into some background on the DSP (which runs on a custom architecture and is interfaced with via the /dev/audio_ipi driver)…
A surprisingly simple bug in a well-fuzzed cryptographic library from Mozilla leading to an easy stack overflow in RSA-PSS code (vulnerability exists elsewhere also).
Exploitation of the TIPC heap overflow bug based on a keylength being used in a memcpy() call before it was validated.Two objects are used in combination with the overflow to achieve code execution…
There are two things at play with this vulnerability, first is the Symfony has support for trusted_headers to indicate which headers the framework is okay to trust, and recently support for the X-Forwarded-Prefix header was added and could be used regardless of whether or not it was in trusted_headers list.This could create a situation where cache poisoning would be possible as a request could be treated differently on the application trusting an untrusted header…
Fairly weak vulnerability to have, the URL of a remote stylesheet has minimal domain validation on it that was easily bypassed allowing an attacker to load their own stylesheets. It is a bit of a fun issue to have however as this can allow exfiltrating page content and potentially sensitive information like CSRF tokens and use it for a more complicated attack.
Kubernetes has a feature called “volume subpaths”, which is intended to enable sharing of a volume between multiple containers in a particular pod.Critically, these subpaths are controlled by the user…
A partially authentication user could remove MFA from their account. During the login process when enrolled in the MFA program, a user who logged in with the correct credentials, but had not yet provided the MFA token could access the /mfa/unenrollment endpoint and remove MFA from the account.
Starts off by detailing a self XSS through JupyterLabs Notebook’s /lab endpoint, where an attacker can control the page contents.In and of itself this isn’t an issue, an attacker can only control the page contents of a notebook instance they own…
Out-of-bounds (OOB) access in the VMGExit handler, which is triggered for string I/O instructions.The sev_es_string_io() function is responsible for doing the string copy between the unencrypted guest memory regions and the virtualized target…
Focuses on exploiting an Out-of-Bounds (OOB) read in the IOSurface subsystem.The vulnerability was an unchecked scalar0 index into the scalar input array in IOMobileFramebufferUserClient::get_displayed_surface() called by IOMobileFramebuffers::s_displayed_fb_service()…
In the recv_server-device_response_msg_process() handler, a nums field gets pulled out of the packet’s JSON payload, and is used to represent the total number of UDP server domains.The application then iterates based on this field, looking for its respective domain%d key in the JSON…