Simple off-by-one issue: the application parses the Host header and gets its length, checks that length against the maximum size of the buffer it is going to be copied into, copies the value over, and adds a null byte to the end…
The bug here is pretty simple: the XML parser reads tags into a struct XMLTAG; in that struct there is an array for storing attributes, which allocates space for at most 10 attributes. The parser itself doesn't check these bounds, allowing a tag with more than 10 attributes to overflow on the stack…
Normalization gone wrong. Mastodon, when attempting to normalize a domain, intended to remove any trailing / from it; however, they did this using .delete("/"), which removes all / characters from the string instead of just a trailing /. This meant that someone could use an account like someone@mastodon.so/cial to spoof the account someone@mastodon.social.
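To make the difference concrete, here is an added Ruby example (not Mastodon's own code) contrasting a normalizer built on String#delete with one that strips only a trailing slash and then validates the result. The account strings, the helper names (normalize_domain_buggy, normalize_domain_fixed, canonical_acct) and the hostname character rule are all assumptions made for the illustration.

```ruby
# Added example, not Mastodon's code. Shows why String#delete("/") is the
# wrong tool for stripping a trailing "/" from a domain, and one safe shape.

# Buggy variant: String#delete removes EVERY "/" in the string, so an
# interior slash disappears and two different inputs collapse to one domain.
def normalize_domain_buggy(domain)
  domain.downcase.delete("/")
end

# Corrected variant: delete_suffix (Ruby 2.5+) removes only a trailing "/".
def normalize_domain_fixed(domain)
  domain.downcase.delete_suffix("/")
end

# Split "user@domain" into its two parts; nil for anything malformed.
def split_acct(acct)
  user, domain = acct.split("@", 2)
  return nil if user.nil? || domain.nil? || user.empty? || domain.empty?
  [user, domain]
end

# Assumed hostname rule for this example: after normalization a domain may
# contain only these characters, so any surviving "/" makes it invalid.
def valid_domain?(domain)
  domain.match?(/\A[a-z0-9.-]+\z/)
end

# Canonicalize an account using the supplied normalizer; nil if the domain
# fails validation. Validating AFTER normalization is what catches the spoof.
def canonical_acct(acct, normalizer)
  parts = split_acct(acct)
  return nil unless parts
  user, domain = parts
  domain = normalizer.call(domain)
  return nil unless valid_domain?(domain)
  "#{user}@#{domain}"
end

# Constructed sample accounts from the write-up above.
LEGIT = "someone@mastodon.social"
SPOOF = "someone@mastodon.so/cial"

# Returns whether the two accounts collide under each normalizer.
def demo
  buggy = method(:normalize_domain_buggy)
  fixed = method(:normalize_domain_fixed)
  {
    buggy_collides: canonical_acct(LEGIT, buggy) == canonical_acct(SPOOF, buggy),
    fixed_collides: canonical_acct(LEGIT, fixed) == canonical_acct(SPOOF, fixed),
    fixed_spoof: canonical_acct(SPOOF, fixed)
  }
end

puts demo.inspect if __FILE__ == $PROGRAM_NAME
```

Under the buggy normalizer both accounts canonicalize to someone@mastodon.social, so a lookup keyed on the canonical form conflates them; under the corrected one the spoofed domain keeps its interior slash, fails validation and is rejected rather than silently merged.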
Just a somewhat common and vulnerable use of cryptography. The "signature" of a firmware image was not truly a signature but a hash of the content plus a secret key; since the binary code that verifies the firmware is present on the device, the "secret" key is not actually secret, and one could create their own firmware that passes the signature check but contains arbitrary content…
A request smuggling to global cache poisoning chain impacting Akamai edge nodes in front of an F5 BIG-IP server.
iTLB Multihit exploits a low-level issue where instruction fetches from the instruction Translation Lookaside Buffer (TLB) can hit multiple entries for different page sizes. It's suspected this bug is caused by electrical corruption due to data pins from different TLBs on the die being driven on the same line…
What happens when you don’t properly validate OAuth access tokens? Account takeovers.
The authors here focus on crafting the exploit for an already discovered vulnerability in Orthanc’s DICOM server. The vulnerability is a natural consequence of two features:
We rarely talk about memory corruption on our bounty episodes, but this one is a good one to keep in mind. It's a problem with snprintf, the "secure" sprintf function…
An integer underflow vuln in Safari/WebKit which, as is typical with JSC bugs, is rooted in the ability of callbacks to change the state of objects. The root of the bug is that you can cause a copy on a zero-sized array to a destination index of something like 0x20, and when the JS engine tries to clamp the copy, it results in a copy size of 0 - 0x20 = 0xffffffffffffffe0.