[GitLab] Stored XSS via Mermaid Prototype Pollution vulnerability
Prototype pollution through a Mermaid diagram embedded in markdown leading to stored XSS.
Heap-based overflow in the Windows Kernel (ntfs.sys). This was originally found in the wild by Kaspersky, though Alex Plaskett here digs much deeper into the vulnerability and its exploitation, and takes it in a bit of a new direction by removing the need for a separate info-leak.
Race UAF in the Linux kernel. The issue is the SO_PEERCRED and SO_PEERGROUPS socket options don't maintain ownership / lock when copying sk->sk_peer_cred to userspace…
A use-after-free in AddIceCandidate() for adding Interactive Connection Establishment candidates when starting a WebRTC session. The problem is, it's possible to set up a Promise that can call setLocalDescription(), which will mark part of the local description memory for collection by the garbage collector…
Three vulnerabilities in Qualcomm's Neural Processing Unit (NPU) driver. Specifically, the article focuses on Samsung devices, as, for whatever reason, the NPU device is accessible to untrusted users there where it isn't on most other devices.
Weak randomness leading to a predictable filename enabling code execution…
Root issue is that WebKit violates the specification for Content-Security-Policy (CSP) violation reports, leaking the destination of a violating redirect rather than the origin in the documentURI field of the report.
Multiple bugs within the Microsoft RDP Client (the server being the attacker) found through fuzzing. None covered at this time are very impactful, but there is some background on Virtual Channels within RDP and experience getting a fuzzing environment set up that might be of value.
Leaving out many of the specifics about how Azure Sphere devices work. Under normal circumstances it appears that you should neither be able to downgrade a device's firmware, nor install any firmware without providing the Microsoft-signed manifest beforehand…
Out of bounds access in the GPIO_SET_PIN_CONFIG_IOCTL leading to information disclosure. When parsing the lineoffsets field from the gpiopin_request object, there's no bounds checking on it before it's used as an index into an array of descriptions to get a desc pointer…