Uninitialized use found in Apple’s ColorSync via fuzzing.When parsing an image, the library will calculate the start address for reading from a Color Lookup Table (CLUT) data point array for pixel data…
Two straight-forward command injection issues in Gerapy.
URL validation vulnerabilities leading to server side request forgery (SSRF) on an internal Google endpoint. The original whitelist bypass was to use a \@ in the domain:
Missing, or maybe insufficient authentication checks on the /users/create_admin endpoint allowed any user (even one not logged in) to create a new administrative account and gain full admin privileged within the Stocky app.
It was possible to forge JWT tokens due to an unchecked constraint when processing the JWT before verifying. In one function the token would be “processed” as in it would pull out the relative information, passing it into Util:verify_token(token, secret, acceptedIssuers)
Prototype pollution through a Mermaid diagram embedded in markdown leading to stored XSS.
Heap based overflow in the Windows Kernel (ntfs.sys). This was originally found in the wild by Kaspersky, though Alex Plaskett here digs much more into the vulnerability and exploitation, and takes it in bit of a new direction removing the need for a separate info-leak.
Race UAF in the Linux kernel.The issue is the SO_PEERCRED and SO_PEERGROUPS socket options don’t maintain ownership / lock when copying sk->sk_peer_cred to userspace…
A use-after-free in AddIceCandidate() for adding Interactive Connection Establishment candidates when starting a WebRTC session.The problem is, it’s possible to setup a Promise that can call setLocalDescription(), which will mark part of the local description memory for collection by the garbage collector…
Three vulnerabilities in Qualcomm’s Neural Processing Unit (NPU) driver. Specifically the article focuses on Samsung devices, as, for whatever reason, the NPU device is accessible to untrusted users where it isn’t on most other devices.
Weak randomness leading to a predictable filename enabling code execution…
Root issue is that WebKit violates the specification for Content-Security-Policy (CSP) violation reports, leaking the destination of a violating redirect rather than the origin in the documentURI field of the report.
Multiple bugs within the Microsoft RDP Client (Server being the attacker) found through fuzzing. None covered at this time are very impactful but there is some background in Virtual Channels within RDP and experieince getting a fuzzing envrionment setup that might be of value.
Leaving out many of the specifics about how Azure Sphere devices work.Under normal circumstances it appears that you shoudl neither be able to downgrade a devices firmware, nor install any firmware without providing the Microsoft-signed manifest beforehand…
Out of bounds access in the GPIO_SET_PIN_CONFIG_IOCTL leading to information disclosure.When parsing the lineoffsets field from the gpiopin_request object, there’s no bounds checking on it before it’s used as an index into an array of descriptions to get a desc pointer…