The first issue is an incorrect computation in golang impacting go-ethereum. It's an interesting case, because a base computation might lead to some issues but it usually isn’t a security issue…
Trusting some extended attributes and using them to calculate an offset leads to out-of-bounds read/write primitives; presumably exploitable since these were used at Pwn2Own. The fruit_pread function will read the org.netatalk.Metadata extended attribute, which an unauthenticated user can set…
A cool bug in H2O’s QUIC implementation leading to disclosing uninitialized memory. Stream data in HTTP/3 comes in an encoding similar to chunked encoding, including an offset in the chain, the data size and the data itself…
We’ve got two XSS “puzzles” in unnamed bounty programs, each with somewhat interesting exploit strategies. The original post is worth a read for more insight into the thought process leading to the discovery of each step.
Maybe an issue, maybe not; the Ruby devs seem to think it's a non-issue. This is a case of a library allowing some questionable input…
Once again, deserialization and RCE through an unprotected viewstate; it's kinda silly that this sort of issue continues to persist. The normal __VIEWSTATE field is used by some .NET applications to contain a ton of information about the current view state…
The interesting part of this post is the utilization of an external API to result in SSRF, specifically the Google Drive API.
Really straightforward bug: NimForums uses the rather feature-full reStructuredText (RST) format for its user-generated content, which has an include directive that can be used to include local files. What is at least slightly interesting here is that the code authors seemed aware of the potential vulnerabilities and included a couple of comments in relevant code:
Once again, the use of user-mode callbacks in the Windows kernel enabled an attacker to change out the type of an object unexpectedly, leading to a type confusion.
This was an interesting data-based attack, all because it was assumed there would be arguments in argv. A for-loop starts with n=1 looping until n < argv…