Remote Code Execution in WinRAR
A fairly simple processing bug in WinRAR resulting in code execution through benign-seeming interaction with an archive; unfortunately this one was seen being exploited in the wild to spread malware.
Awesome abuse of a Regex DoS to bypass a security check in MyBB resulting in an RCE.
A bit of an unexpected fault in GCC’s -fstack-protector implementation that meant that the saved return address wasn’t actually protected by the stack-protector on AArch64 in some cases.
Not making encrypted blobs tamper-proof is a pretty classic crypto issue that led to an arbitrary file-upload and code execution vulnerability in ShareFile. The file upload functionality of ShareFile took a few natural arguments: a filename, an uploadid and a parentid…
The title gives this one away: the header(...) function in PHP will issue a warning (and keep executing) without adding the header to the response if the header contains a Carriage Return (\r), New-Line (\n) or Null-byte (\x00). That functionality may not be new to you, as its purpose is to kill response splitting attacks, but @OctagonNetworks presents a fresh twist on this, probably not the first to have the thought but it was a neat idea to me…
A request that isn’t vulnerable until you make it twice. Definitely an interesting edge case that a lot of testing might overlook…
Two vulnerabilities in Jellyfin, which is a media server fork of Emby. They focused on the REST API in the server, and they noticed that the Authorization header seemed to be implicitly trusted in many endpoints despite the fact it could be attacker-controlled.
Two vulns in VirtualBox, an Out-of-Bounds (OOB) write in the TPM module and an OOB read in VGA. Both ultimately come from the Memory Mapped I/O (MMIO) read handlers.
A Linux kernel bug in the overlayfs filesystem that can lead to root privilege escalation. For a bit of background, overlayfs allows you to have a filesystem that’s comprised of two layers: an upper layer and a lower layer…
A post by Ophion Security that looks at customer support portals built off Zendesk that have poor configuration, such as GitHub. Zendesk supports “placeholders” for tickets, mainly for support agents and automated responses to use for autofilling information, such as the ticket ID, someone’s name, etc…