Search results

  1. Exploiter

    Exploit Apple WebKit - 'FormSubmission::create' Use-After-Free

    Apple WebKit - 'FormSubmission::create' Use-After-Free <!-- Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1090 There is a use-after-free security vulnerability in WebKit. The vulnerability was confirmed on a nightly version of WebKit. The PoC has also been observed to...
  2. Exploiter

    Exploit Apple WebKit - 'ComposedTreeIterator::traverseNextInShadowTree' Use-After-Free

    Apple WebKit - 'ComposedTreeIterator::traverseNextInShadowTree' Use-After-Free <!-- Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1097 There is a use-after-free security vulnerability in WebKit. The vulnerability was confirmed on a nightly version of WebKit. The PoC has...
  3. Exploiter

    Exploit Apple WebKit - 'table' Use-After-Free

    Apple WebKit - 'table' Use-After-Free <!-- Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1105 There is a use-after-free security vulnerability in WebKit. The vulnerability was confirmed on a nightly version of WebKit. The PoC has also been observed to crash Safari 10.0.3...
  4. Exploiter

    Exploit Broadcom Wi-Fi SoC - 'dhd_handle_swc_evt' Heap Overflow

    Broadcom Wi-Fi SoC - 'dhd_handle_swc_evt' Heap Overflow Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1061 Broadcom produces Wi-Fi HardMAC SoCs which are used to handle the PHY and MAC layer processing. These chips are present in both mobile devices and Wi-Fi routers, and...
  5. Exploiter

    Exploit Apple WebKit - 'RenderLayer' Use-After-Free

    Apple WebKit - 'RenderLayer' Use-After-Free <!-- Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1082 There is a use-after-free security vulnerability in WebKit. The vulnerability was confirmed on the latest nightly build of WebKit. The PoC also crashes Safari 10.0.2 on Mac...
  6. Exploiter

    Exploit Apple WebKit - Negative-Size memmove in HTMLFormElement

    Apple WebKit - Negative-Size memmove in HTMLFormElement <!-- Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1087 There is a negative-size memmove security vulnerability in WebKit. The vulnerability was confirmed on a nightly build of WebKit. The PoC has also been observed...
  7. Exploiter

    Exploit SystemTap 1.3 - MODPROBE_OPTIONS Privilege Escalation (Metasploit)

    SystemTap 1.3 - MODPROBE_OPTIONS Privilege Escalation (Metasploit) ## # This module requires Metasploit: https://metasploit.com/download # Current source: https://github.com/rapid7/metasploit-framework ## class MetasploitModule < Msf::Exploit::Local Rank = ExcellentRanking include...
  8. Exploiter

    Exploit Apple WebKit 10.0.2 - HTMLInputElement Use-After-Free

    Apple WebKit 10.0.2 - HTMLInputElement Use-After-Free <!-- Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1080 There is a use-after-free security vulnerability related to how the HTMLInputElement is handled in WebKit. The vulnerability was confirmed on a nightly build of...
  9. Exploiter

    Exploit Atlassian Confluence Widget Connector Macro - Velocity Template Injection (Metasploit)

    Atlassian Confluence Widget Connector Macro - Velocity Template Injection (Metasploit) ## # This module requires Metasploit: https://metasploit.com/download # Current source: https://github.com/rapid7/metasploit-framework ## class MetasploitModule < Msf::Exploit::Remote Rank =...
  10. Exploiter

    Exploit Broadcom Wi-Fi SoC - TDLS Teardown Request Remote Heap Overflow

    Broadcom Wi-Fi SoC - TDLS Teardown Request Remote Heap Overflow Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1046 https://googleprojectzero.blogspot.ca/2017/04/over-air-exploiting-broadcoms-wi-fi_4.html Broadcom produces Wi-Fi HardMAC SoCs which are used to handle the PHY...
  11. Exploiter

    Exploit Oracle Business Intelligence / XML Publisher 11.1.1.9.0 / 12.2.1.3.0 / 12.2.1.4.0 - XML External Entity Injection

    Oracle Business Intelligence / XML Publisher 11.1.1.9.0 / 12.2.1.3.0 / 12.2.1.4.0 - XML External Entity Injection # Exploit Title: XXE in Oracle Business Intelligence and XML Publisher # Date: 16.04.19 # Exploit Author: @vah_13 # Vendor Homepage: http://oracle.com # Software Link...
  12. Exploiter

    Exploit Broadcom Wi-Fi SoC - Heap Overflow 'wlc_tdls_cal_mic_chk' Due to Large RSN IE in TDLS Setup Confirm Frame

    Broadcom Wi-Fi SoC - Heap Overflow 'wlc_tdls_cal_mic_chk' Due to Large RSN IE in TDLS Setup Confirm Frame Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1047 Broadcom produces Wi-Fi HardMAC SoCs which are used to handle the PHY and MAC layer processing. These chips are...
  13. Exploiter

    Exploit Apple WebKit 10.0.2 (12602.3.12.0.1, r210800) - 'constructJSReadableStreamDefaultReader' Type Confusion

    Apple WebKit 10.0.2 (12602.3.12.0.1, r210800) - 'constructJSReadableStreamDefaultReader' Type Confusion <!-- Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1085 EncodedJSValue JSC_HOST_CALL constructJSReadableStreamDefaultReader(ExecState& exec) { VM& vm = exec.vm()...
  14. Exploiter

    Exploit Oracle Business Intelligence 11.1.1.9.0 / 12.2.1.3.0 / 12.2.1.4.0 - Directory Traversal

    Oracle Business Intelligence 11.1.1.9.0 / 12.2.1.3.0 / 12.2.1.4.0 - Directory Traversal # Exploit Title: Directory traversal in Oracle Business Intelligence # Date: 16.04.19 # Exploit Author: @vah_13 # Vendor Homepage: http://oracle.com # Software Link...
  15. Exploiter

    Exploit Apple macOS/iOS Kernel 10.12.3 (16D32) - Double-Free Due to Bad Locking in fsevents Device

    Apple macOS/iOS Kernel 10.12.3 (16D32) - Double-Free Due to Bad Locking in fsevents Device /* Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1129 fseventsf_ioctl handles ioctls on fsevent fds acquired via FSEVENTS_CLONE_64 on /dev/fsevents Heres the code for the...
  16. Exploiter

    Exploit Apple WebKit 10.0.2 (12602.3.12.0.1) - 'disconnectSubframes' Universal Cross-Site Scripting

    Apple WebKit 10.0.2 (12602.3.12.0.1) - 'disconnectSubframes' Universal Cross-Site Scripting <!-- Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1074 When an element is removed from a document, the function |disconnectSubframes| is called to detach its subframes(iframe tag...
  17. Exploiter

    Exploit LibreOffice < 6.0.7 / 6.1.3 - Macro Code Execution (Metasploit)

    LibreOffice < 6.0.7 / 6.1.3 - Macro Code Execution (Metasploit) ## # This module requires Metasploit: https://metasploit.com/download # Current source: https://github.com/rapid7/metasploit-framework ## class MetasploitModule < Msf::Exploit::Remote Rank = NormalRanking include...
  18. Exploiter

    Exploit Apple WebKit 10.0.2(12602.3.12.0.1) - 'Frame::setDocument (1)' Universal Cross-Site Scripting

    Apple WebKit 10.0.2(12602.3.12.0.1) - 'Frame::setDocument (1)' Universal Cross-Site Scripting <!-- Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1056 void Frame::setDocument(RefPtr<Document>&& newDocument) { ASSERT(!newDocument || newDocument->frame() == this); if...
  19. Exploiter

    Exploit Apple Webkit - 'JSCallbackData' Universal Cross-Site Scripting

    Apple Webkit - 'JSCallbackData' Universal Cross-Site Scripting <!-- Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1068 Here is the definition of |JSCallbackData| class. This class is used to call a javascript function from a DOM object. class JSCallbackDataStrong : public...
  20. Exploiter

    Exploit Apple Webkit - Universal Cross-Site Scripting by Accessing a Named Property from an Unloaded Window

    Apple Webkit - Universal Cross-Site Scripting by Accessing a Named Property from an Unloaded Window <!-- Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1063 The frame is not detached from an unloaded window. We can access to the new document's named properties via the...
  21. Exploiter

    Exploit Apple macOS Kernel 10.12.3 (16D32) - 'audit_pipe_open' Off-by-One Memory Corruption

    Apple macOS Kernel 10.12.3 (16D32) - 'audit_pipe_open' Off-by-One Memory Corruption /* Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1126 MacOS kernel memory corruption due to off-by-one in audit_pipe_open audit_pipe_open is the special file open handler for the auditpipe...
  22. Exploiter

    Exploit Apple macOS Kernel 10.12.2 (16C67) - Memory Disclosure Due to Lack of Bounds Checking in AppleIntelCapriController::getDisplayPipeCapability

    Apple macOS Kernel 10.12.2 (16C67) - Memory Disclosure Due to Lack of Bounds Checking in AppleIntelCapriController::getDisplayPipeCapability /* Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1069 MacOS kernel memory disclosure due to lack of bounds checking in...
  23. Exploiter

    Exploit Oracle Java Runtime Environment - Heap Corruption During TTF font Rendering in sc_FindExtrema4

    Oracle Java Runtime Environment - Heap Corruption During TTF font Rendering in sc_FindExtrema4 A heap corruption was observed in Oracle Java Runtime Environment version 8u202 (latest at the time of this writing) while fuzz-testing the processing of TrueType, implemented in a proprietary t2k...
  24. Exploiter

    Exploit Oracle Java Runtime Environment - Heap Corruption During TTF font Rendering in GlyphIterator::setCurrGlyphID

    Oracle Java Runtime Environment - Heap Corruption During TTF font Rendering in GlyphIterator::setCurrGlyphID A heap corruption was observed in Oracle Java Runtime Environment version 8u202 (latest at the time of this writing) while fuzz-testing the processing of TrueType fonts. It manifests...
  25. Exploiter

    Exploit Microsoft Windows 10 1809 - LUAFV PostLuafvPostReadWrite SECTION_OBJECT_POINTERS Race Condition Privilege Escalation

    Microsoft Windows 10 1809 - LUAFV PostLuafvPostReadWrite SECTION_OBJECT_POINTERS Race Condition Privilege Escalation Windows: LUAFV PostLuafvPostReadWrite SECTION_OBJECT_POINTERS Race Condition EoP Platform: Windows 10 1809 (not tested earlier) Class: Elevation of Privilege Security Boundary...