A partially authenticated user could remove MFA from their account. During the login process for an account enrolled in MFA, a user who had logged in with the correct credentials but had not yet provided the MFA token could access the /mfa/unenrollment endpoint and remove MFA from the account.
Starts off by detailing a self-XSS through JupyterLab Notebook’s /lab endpoint, where an attacker can control the page contents. In and of itself this isn’t an issue, since an attacker can only control the page contents of a notebook instance they own…
Out-of-bounds (OOB) access in the VMGExit handler, which is triggered for string I/O instructions. The sev_es_string_io() function is responsible for doing the string copy between the unencrypted guest memory regions and the virtualized target…
Focuses on exploiting an out-of-bounds (OOB) read in the IOSurface subsystem. The vulnerability was an unchecked scalar0 index into the scalar input array in IOMobileFramebufferUserClient::get_displayed_surface(), called by IOMobileFramebuffers::s_displayed_fb_service()…
In the recv_server-device_response_msg_process() handler, a nums field gets pulled out of the packet’s JSON payload and is used to represent the total number of UDP server domains. The application then iterates based on this field, looking for each respective domain%d key in the JSON…
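The handler above takes its loop bound from the packet itself. The following is an added example (not code from the write-up or from the device's firmware) showing that pattern next to a hardened parser that validates the type and range of nums and checks that every domain%d key it touches actually exists. The cap MAX_DOMAINS and the sample payloads are constructed for the example.

```python
import json

# Assumed upper bound on server domains per message; the write-up does not
# state the device's real limit, so this value is a placeholder.
MAX_DOMAINS = 8

# Constructed sample payloads, not captured device traffic.
GOOD_PAYLOAD = json.dumps({"nums": 2, "domain0": "srv0.example", "domain1": "srv1.example"})
OVERSIZED_PAYLOAD = json.dumps({"nums": 1000, "domain0": "srv0.example"})
WRONG_TYPE_PAYLOAD = json.dumps({"nums": "2", "domain0": "srv0.example", "domain1": "srv1.example"})


def parse_domains_trusting_nums(payload):
    """The pattern the write-up describes: the packet's own 'nums' value
    drives the loop, so the sender decides how far the handler walks."""
    msg = json.loads(payload)
    return [msg["domain%d" % i] for i in range(msg["nums"])]


def parse_domains_hardened(payload):
    """Validate 'nums' (type, sign, cap) and check that every domain%d key the
    loop touches actually exists, instead of trusting the count."""
    msg = json.loads(payload)
    if not isinstance(msg, dict):
        raise ValueError("payload is not a JSON object")
    nums = msg.get("nums")
    # bool is a subclass of int in Python, so exclude it explicitly
    if not isinstance(nums, int) or isinstance(nums, bool):
        raise ValueError("nums must be an integer")
    if not 0 <= nums <= MAX_DOMAINS:
        raise ValueError("nums out of range: %d" % nums)
    domains = []
    for i in range(nums):
        key = "domain%d" % i
        value = msg.get(key)
        if not isinstance(value, str) or not value:
            raise ValueError("missing or invalid %s" % key)
        domains.append(value)
    return domains


def hardened_accepts(payload):
    """True if the hardened parser accepts the payload, False if it rejects it."""
    try:
        parse_domains_hardened(payload)
    except ValueError:
        return False
    return True


def trusting_fails(payload):
    """True if the count-trusting parser blows up on the payload. Python raises
    a KeyError or TypeError here; in native code indexing a fixed-size array,
    an unchecked count of this kind is what turns into out-of-bounds access."""
    try:
        parse_domains_trusting_nums(payload)
    except (KeyError, TypeError, ValueError):
        return True
    return False


if __name__ == "__main__":
    print(parse_domains_hardened(GOOD_PAYLOAD))
    for p in (OVERSIZED_PAYLOAD, WRONG_TYPE_PAYLOAD):
        print("hardened accepts:", hardened_accepts(p), "| trusting fails:", trusting_fails(p))
```

The cap is the important part: even when every key is checked, a sender-controlled count without an upper bound still lets the peer dictate how much work (or how much memory) a single packet costs.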
Uninitialized use found in Apple’s ColorSync via fuzzing. When parsing an image, the library will calculate the start address for reading from a Color Lookup Table (CLUT) data point array for pixel data…
Two straightforward command injection issues in Gerapy.
URL validation vulnerabilities leading to server-side request forgery (SSRF) on an internal Google endpoint. The original whitelist bypass was to use a \@ in the domain:
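The bypass relies on a validator that reasons about the URL as a string rather than as a parsed host. As an added example (not code from the write-up, and not Google's validator), here is a prefix-style check beside one that parses first and compares the parsed hostname exactly against an allowlist. The allowlist and the sample URLs are constructed placeholders; the endpoint and payload from the write-up are not on the page.

```python
from urllib.parse import urlsplit

# Constructed allowlist; the hosts of the real internal endpoint are not on the page.
ALLOWED_HOSTS = {"www.example-internal.test", "api.example-internal.test"}


def prefix_check(url):
    """The weak pattern: treat the allowlist as string prefixes. Anything that
    starts with an allowed origin passes, whatever host the URL actually
    points at."""
    return any(url.startswith("https://" + host) for host in ALLOWED_HOSTS)


def parsed_host_check(url):
    """Parse the URL, then compare the parsed hostname exactly against the
    allowlist. Userinfo ('@') and backslashes are rejected outright because
    URL parsers disagree about them, which is what origin-confusion bypasses
    rely on."""
    if "\\" in url:
        return False
    try:
        parts = urlsplit(url)
        port = parts.port  # raises ValueError on a malformed port
    except ValueError:
        return False
    if parts.scheme != "https":
        return False
    if "@" in parts.netloc:
        return False
    if port not in (None, 443):
        return False
    return parts.hostname in ALLOWED_HOSTS


# Constructed test URLs (placeholder domains, not the endpoint from the write-up).
SAMPLE_URLS = [
    "https://www.example-internal.test/metrics",
    "https://www.example-internal.test\\@attacker.test/",
    "https://www.example-internal.test@attacker.test/",
    "https://www.example-internal.test.attacker.test/",
    "http://www.example-internal.test/",
]

if __name__ == "__main__":
    for url in SAMPLE_URLS:
        print("%-55s prefix=%-5s parsed=%s" % (url, prefix_check(url), parsed_host_check(url)))
```

The exact-match comparison is deliberate: a prefix match also accepts `allowed-host.attacker.test`, and rejecting userinfo and backslashes before parsing removes the cases where the validator's parser and the HTTP client's parser would pick different hosts.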
Missing, or perhaps insufficient, authentication checks on the /users/create_admin endpoint allowed any user (even one not logged in) to create a new administrative account and gain full admin privileges within the Stocky app.
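Both the /mfa/unenrollment issue at the top of this list and the /users/create_admin issue here come down to an endpoint that does not check which authentication state the caller is actually in. The following added example (not code from either project) models the session as an explicit level, ANONYMOUS, PASSWORD_ONLY (credentials accepted, MFA pending) and FULL, and makes each route declare the minimum level it needs, so that a password-only session can finish MFA but cannot unenroll from it, and creating an admin requires a fully authenticated administrator. The route paths are taken from the page; everything else (the session class, the code check, the users) is constructed.

```python
import hmac
from enum import IntEnum
from functools import wraps


class AuthLevel(IntEnum):
    ANONYMOUS = 0      # no valid session
    PASSWORD_ONLY = 1  # credentials accepted, MFA challenge still outstanding
    FULL = 2           # MFA satisfied (or the account is not enrolled)


class Session:
    def __init__(self, user=None, level=AuthLevel.ANONYMOUS, is_admin=False, mfa_code=None):
        self.user = user
        self.level = level
        self.is_admin = is_admin
        self.mfa_code = mfa_code  # constructed stand-in for a real TOTP check
        self.mfa_enrolled = True


class Forbidden(Exception):
    pass


ROUTES = {}


def route(path, min_level, admin_only=False):
    """Register a handler with the minimum session level it requires.
    The check runs in the wrapper, so a handler cannot forget it."""
    def decorator(handler):
        @wraps(handler)
        def guarded(session, *args):
            if session.level < min_level:
                raise Forbidden("%s requires %s, session is %s"
                                % (path, min_level.name, session.level.name))
            if admin_only and not session.is_admin:
                raise Forbidden("%s requires an administrator" % path)
            return handler(session, *args)
        ROUTES[path] = guarded
        return guarded
    return decorator


@route("/mfa/verify", AuthLevel.PASSWORD_ONLY)
def mfa_verify(session, code):
    """The only action a password-only session may take: finish MFA."""
    if session.mfa_code is None or not hmac.compare_digest(code, session.mfa_code):
        raise Forbidden("invalid MFA code")
    session.level = AuthLevel.FULL
    return "mfa verified"


@route("/mfa/unenrollment", AuthLevel.FULL)
def mfa_unenrollment(session):
    """Removing MFA is a sensitive change and needs a fully authenticated session."""
    session.mfa_enrolled = False
    return "mfa removed"


@route("/users/create_admin", AuthLevel.FULL, admin_only=True)
def create_admin(session, username):
    return "created admin %s" % username


def attempt(path, session, *args):
    """Dispatch and report 'allowed' or 'denied' instead of raising."""
    try:
        result = ROUTES[path](session, *args)
    except Forbidden as e:
        return "denied: %s" % e
    return "allowed: %s" % result


def password_then_mfa_flow():
    """Constructed walkthrough of the intended order: password, MFA, then a
    sensitive action."""
    s = Session("alice", AuthLevel.PASSWORD_ONLY, mfa_code="123456")
    return (
        attempt("/mfa/unenrollment", s),      # denied: MFA still pending
        attempt("/mfa/verify", s, "123456"),  # allowed: completes MFA
        attempt("/mfa/unenrollment", s),      # allowed: session is now FULL
    )


if __name__ == "__main__":
    for line in password_then_mfa_flow():
        print(line)
    print(attempt("/users/create_admin", Session(), "mallory"))
    print(attempt("/users/create_admin", Session("root", AuthLevel.FULL, is_admin=True), "ops"))
```

The design point is that "logged in" is not one bit: the MFA-pending state must be distinct from a fully authenticated session, and every route except the MFA challenge itself should require the full state.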
It was possible to forge JWT tokens due to an unchecked constraint when processing the JWT before verifying it. In one function the token would be “processed”, as in it would pull out the relevant information, passing it into Util:verify_token(token, secret, acceptedIssuers)
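The general lesson of that item is ordering: enforce the token's structural constraints, then verify the signature, and only then read any claim. The following is an added example of a verifier in that order (not the project's Util:verify_token; its internals are not on the page, and the exact unchecked constraint is not described). It pins the algorithm to HS256 rather than letting the token choose, and the secret, issuer and claims are constructed demo values.

```python
import base64
import hashlib
import hmac
import json
import re
import time


class InvalidToken(Exception):
    pass


_B64URL = re.compile(r"[A-Za-z0-9_-]+")


def _b64url_encode(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64url_decode(segment):
    # Strict alphabet check: urlsafe_b64decode silently drops foreign characters otherwise.
    if not _B64URL.fullmatch(segment):
        raise InvalidToken("segment is not base64url")
    try:
        return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))
    except ValueError as e:  # binascii.Error is a ValueError
        raise InvalidToken("segment has invalid base64url length") from e


def _json_object(raw):
    try:
        obj = json.loads(raw)
    except ValueError as e:  # covers JSONDecodeError and UnicodeDecodeError
        raise InvalidToken("segment is not a JSON object") from e
    if not isinstance(obj, dict):
        raise InvalidToken("segment is not a JSON object")
    return obj


def sign_token(claims, secret):
    """Mint an HS256 token (used here only to build test vectors)."""
    header_b64 = _b64url_encode(b'{"alg":"HS256","typ":"JWT"}')
    payload_b64 = _b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    signing_input = (header_b64 + "." + payload_b64).encode("ascii")
    sig = hmac.new(secret, signing_input, hashlib.sha256).digest()
    return header_b64 + "." + payload_b64 + "." + _b64url_encode(sig)


def verify_token(token, secret, accepted_issuers, now=None):
    """Enforce structure, then the signature, and only then read claims."""
    if not isinstance(token, str):
        raise InvalidToken("token must be a string")
    parts = token.split(".")
    if len(parts) != 3 or not all(parts):
        raise InvalidToken("expected exactly three non-empty segments")
    header_b64, payload_b64, sig_b64 = parts
    header = _json_object(_b64url_decode(header_b64))
    # The algorithm is pinned by the verifier, not chosen by the token.
    if header.get("alg") != "HS256":
        raise InvalidToken("only HS256 is accepted")
    signing_input = (header_b64 + "." + payload_b64).encode("ascii")
    expected = hmac.new(secret, signing_input, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise InvalidToken("signature mismatch")
    # Signature is good: the payload is now trustworthy enough to interpret.
    claims = _json_object(_b64url_decode(payload_b64))
    if claims.get("iss") not in accepted_issuers:
        raise InvalidToken("issuer not accepted")
    exp = claims.get("exp")
    if exp is not None:
        current = time.time() if now is None else now
        if not isinstance(exp, (int, float)) or isinstance(exp, bool) or current >= exp:
            raise InvalidToken("token expired or exp malformed")
    return claims


def verification_outcome(token, secret, accepted_issuers, now=None):
    """Wrapper that returns a string instead of raising, for display and tests."""
    try:
        claims = verify_token(token, secret, accepted_issuers, now)
    except InvalidToken as e:
        return "rejected: %s" % e
    return "accepted: sub=%s" % claims.get("sub")


def tampered_copy(token, new_claims):
    """Negative test vector: same header and signature, different payload."""
    header_b64, _, sig_b64 = token.split(".")
    return header_b64 + "." + _b64url_encode(json.dumps(new_claims).encode()) + "." + sig_b64


# Constructed demo values; the secret is not a real key.
SECRET = b"constructed-demo-secret"
ACCEPTED_ISSUERS = ["https://issuer.example"]
FIXED_NOW = 1_700_000_000
GOOD_TOKEN = sign_token(
    {"sub": "alice", "iss": "https://issuer.example", "exp": FIXED_NOW + 600}, SECRET)

if __name__ == "__main__":
    print(verification_outcome(GOOD_TOKEN, SECRET, ACCEPTED_ISSUERS, FIXED_NOW))
    print(verification_outcome(tampered_copy(GOOD_TOKEN, {"sub": "admin"}), SECRET, ACCEPTED_ISSUERS, FIXED_NOW))
    print(verification_outcome(GOOD_TOKEN, SECRET, ["https://other.example"], FIXED_NOW))
    print(verification_outcome("a.b", SECRET, ACCEPTED_ISSUERS, FIXED_NOW))
```

Note that the header is decoded before the signature check only to confirm it names the pinned algorithm; nothing from the header or payload influences which key or algorithm is used, and no claim is returned to the caller until the MAC has been compared in constant time.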