122 matches found
CVE-2018-21238
An issue was discovered in Foxit PhantomPDF before 8.3.7. It allows memory consumption via an ArrayBuffer0xfffffffe call...
Design/Logic Flaw
An issue was discovered in Foxit PhantomPDF before 8.3.7. It allows memory consumption via an ArrayBuffer0xfffffffe call...
CVE-2018-21238
CVE-2018-21238 affects Foxit PhantomPDF up to version 8.3.7, where a call involving ArrayBuffer(0xfffffffe) enables memory consumption. The connected documents confirm the vulnerability but do not provide concrete details on root cause, affected components beyond the product/version line, exploit...
CVE-2018-21238
An issue was discovered in Foxit PhantomPDF before 8.3.7. It allows memory consumption via an ArrayBuffer0xfffffffe call...
CVE-2018-21240
CVE-2018-21240 affects Foxit Reader and PhantomPDF prior to version 9.2. The issue is a memory consumption flaw triggered by an ArrayBuffer(0xfffffffe) call in these products. Root cause is a memory handling vulnerability leading to resource exhaustion. Impact is partial availability degradation ...
CVE-2018-21240
An issue was discovered in Foxit Reader and PhantomPDF before 9.2. It allows memory consumption via an ArrayBuffer0xfffffffe call...
CVE-2018-21240
An issue was discovered in Foxit Reader and PhantomPDF before 9.2. It allows memory consumption via an ArrayBuffer0xfffffffe call...
Sagemcom [email protected] 3890 (50_10_19-T1) Cable Modem - Cable Haunt Remote Code Execution Exploit
// EDB Note: Download https://github.com/offensive-security/exploitdb-bin-sploits/raw/master/bin-sploits/47936.zip function buf2hexbuffer // buffer is an ArrayBuffer return Array.prototype.map.callnew Uint8Arraybuffer, x = '00' + x.toString16.slice-2.join''; function insertAtarr, index, toInsert...
Google Chrome 73.0.3683.103 - 'WasmMemoryObject::Grow' Use-After-Free
memoryobject, uint32t pages ... Handle newbuffer; if oldbuffer-isshared // Adjust protections for the buffer. if !AdjustBufferPermissionsisolate, oldbuffer, newsize return -1; void backingstore = oldbuffer-backingstore; if memorytracker-IsWasmSharedMemorybackingstore // This memory is shared...
Google Chrome WasmMemoryObject::Grow Use-After-Free
Chrome: Use-after-free in WasmMemoryObject::Grow VULNERABILITY DETAILS https://cs.chromium.org/chromium/src/v8/src/wasm/wasm-objects.cc?rcl=783343158eb1b147df7e6669f1d03c690c878e21&l=1253 int32t WasmMemoryObject::GrowIsolate isolate, Handle memoryobject, uint32t pages ... Handle newbuffer; if...
Google Chrome V8 - Turbofan JSCallReducer::ReduceArrayIndexOfIncludes Out-of-Bounds ReadWrite
Google Chrome V8 - Turbofan JSCallReducer::ReduceArrayIndexOfIncludes Out-of-Bounds ReadWrite !-- Since commit https://chromium.googlesource.com/v8/v8.git/+/c22bb466d8934685d897708119543d099b9d2a9a turbofan supports inlining calls to array.includes and array.indexOf. The logic of the function is...
Google Chrome V8 - Turbofan JSCallReducer::ReduceArrayIndexOfIncludes Out-of-Bounds Read/Write
!-- Since commit https://chromium.googlesource.com/v8/v8.git/+/c22bb466d8934685d897708119543d099b9d2a9a turbofan supports inlining calls to array.includes and array.indexOf. The logic of the function is roughly: 1. Check the set of possible Maps of the array type with...
Google Chrome V8 - Turbofan JSCallReducer::ReduceArrayIndexOfIncludes Out-of-Bounds Read/Write
!-- Since commit https://chromium.googlesource.com/v8/v8.git/+/c22bb466d8934685d897708119543d099b9d2a9a turbofan supports inlining calls to array.includes and array.indexOf. The logic of the function is roughly: 1. Check the set of possible Maps of the array type with...
Chrome 72.0.3626.119 FileReader Use-After-Free Exploit
This exploit takes advantage of a use after free vulnerability in Google Chrome 72.0.3626.119 running on Windows 7 x86. The FileReader.readAsArrayBuffer function can return multiple references to the same ArrayBuffer object, which can be freed and overwritten with sprayed objects. The dangling...
Chrome 72.0.3626.119 FileReader UaF exploit for Windows 7 x86
This exploit takes advantage of a use after free vulnerability in Google Chrome 72.0.3626.119 running on Windows 7 x86. The FileReader.readAsArrayBuffer function can return multiple references to the same ArrayBuffer object, which can be freed and overwritten with sprayed objects. The dangling...
WebKit JSC JIT - GetIndexedPropertyStorage Use-After-Free
/ The doesGC function simply takes a node, and tells if it might cause a garbage collection. This function is used to determine whether to insert write barriers. But it's missing GetIndexedPropertyStorage that can cause a garbage collection via rope strings. As a result, it can lead to UaF. PoC: ...
WebKit JSC - 'AbstractValue::set' Use-After-Free
indexingType; mtype = speculationFromStructurestructure.get; mvalue = JSValue; checkConsistency; assertIsRegisteredgraph; It works out marrayModes using structure-indexingType instead of structure-indexingMode. As structure-indexingType masks out the CopyOnWrite flag, which indicates that the...
WebKit JSC JIT - 'JSPropertyNameEnumerator' Type Confusion
/ When a for-in loop is executed, a JSPropertyNameEnumerator object is created at the beginning and used to store the information of the input object to the for-in loop. Inside the loop, the structure ID of the "this" object of every getbyid expression taking the loop variable as the index is...
Foxit Reader and PhantomPDF Information Disclosure Vulnerability (CNVD-2018-20679)
Foxit Reader is a PDF document reader from China's Foxit Software Corporation.Foxit PhantomPDF is a commercial version. Foxit Reader and PhantomPDF 9.3 before the version of the information leakage vulnerability, the vulnerability stems from the program fails to properly create the ArrayBuffer an...
CVE-2018-17781
Foxit PhantomPDF and Reader before 9.3 allow remote attackers to trigger Uninitialized Object Information Disclosure because creation of ArrayBuffer and DataView objects is mishandled...