Vulnerabilities (Page 3)

SSRF and RCE in Apache Batik due to Improper Parsing of `jar:` URI

A somewhat simple security control bypass in Apache Batik’s DefaultScriptSecurity and DefaultExternalResourceSecurity controls. Since Batik has to be able to load SVG files (and associated resources) from either a local or remote source, it makes for an interesting attack for SSRF and/or RCE…


NetBSD Coredump Kernel Refcount LPE

Fairly straightforward refcount leak bug in the coredump function of the kernel. It takes a reference on the process credentials to ensure they don’t get destroyed while in use, but it doesn’t release the reference on the error exit path…


Integer Overflow in SQLite Leading to Stack-based Buffer Overflow

An integer overflow in SQLite’s sqlite3_str_vappendf when handling large inputs with the q, Q or w format specifiers (unique to SQLite’s implementation of printf, used to escape quotes). When calculating the maximum buffer size once escapes have been added, the size may overflow to a negative value, leading to SQLite using a 70-byte (by default) stack-allocated buffer…


[Chrome] heap-use-after-free in AccountSelectionBubbleView::OnAccountImageFetched

Callbacks can be tricky in memory-unsafe languages. Here the Chrome Account Selection feature creates an image view and an image fetcher, then sets up a callback to be invoked once the account’s image has been fetched, passing in a raw pointer to the created image_view. The problem is that the image view may be destroyed before the callback happens.


Google Data Studio Insecure Direct Object Reference

Straightforward IDOR, but the vulnerable feature is somewhat hidden. Within Google Data Studio you have the option to create a template and then add that template to a report; it is the process of persisting that template in a report that is vulnerable to IDOR.