BadAlloc - Memory Allocation Vulnerabilities
Potentially a new named vulnerability class/set of vulns. It's integer overflows in the size calculations, specifically within the allocator code…
Heap overflow in Windows Defender (mpengine.dll). The overflow happens while unpacking an ASProtect-packed executable…
Porting of a V8 n-day to Tesla Model 3. The vuln is older (from 2020) and is a TurboFan optimizer-based bug…
Two vulns related to properties on a DirectComposition buffer. When adding a new property, it adds it, then checks some values and potentially returns an error before finalizing, but the property gets added…
tl;dr Cleverly crafting a packet with a large header+options length could cause a null dereference. The net buffer would be created with DataSize=uint16_t(length), but it would attempt to read with size=length (no truncation), which would result in an error case and a null return.
Four pre-auth NoSQL injections (blind) as well as an authenticated PHP injection.
tl;dr WhatsApp stored TLS session resumption files on the sdcard, where a malicious application or some social engineering attacker could read them.
tl;dr The /api/log endpoint writes attacker-controlled data to a log file. The attacker can also write to any *.log file.
tl;dr Grammarly will add users to the wrong organization if an attacker creates an org with an entityId that matches the victim’s but with extra whitespace at the end.
Two 2FA bypasses: one based on auth state not being tied to the user’s session, the other involving swapping a transaction id to trick the server into thinking the attacker’s 2FA acceptance was the victim’s.