Lucene search
K

33 matches found

exploitpack
exploitpack
added 2017/04/20 12:0 a.m.13 views

Apple WebKit Safari 10.0.2(12602.3.12.0.1) - operationSpreadGeneric Universal Cross-Site Scripting

Apple WebKit Safari 10.0.212602.3.12.0.1 - operationSpreadGeneric Universal Cross-Site Scripting 'use strict'; function spreada return ...a; let arr = Object.create1, 2, 3, 4; for let i = 0; i f.onload = null; try spreadf.contentWindow; catch e e.constructor.constructor'alertlocation'; ; f.src =...

0.2AI score
Exploits0
Exploit DB
Exploit DB
added 2017/04/20 12:0 a.m.16 views

Apple WebKit / Safari 10.0.2(12602.3.12.0.1) - 'PrototypeMap::createEmptyStructure' Universal Cross-Site Scripting

jsCallee // newTarget may be an InternalFunction if we were called from Reflect.construct. JSFunction targetFunction = jsDynamicCastnewTarget; if LIKELYtargetFunction ... return targetFunction-rareDatavm-createInternalFunctionAllocationStructureFromBasevm, prototype, baseClass; ... else ... retur...

7.4AI score
Exploits0
seebug.org
seebug.org
added 2017/04/19 12:0 a.m.9 views

WebKit: UXSS via operationSpreadGeneric

Once a spread operation is optimized, the function |operationSpreadGeneric| will be called from then on. But operationSpreadGeneric's trying to get a JSGlobalObject from the argument of a spread operation. It seems that that optimization is not implemented to the release version of Safari yet...

6.9AI score
Exploits0
Packet Storm
Packet Storm
added 2017/04/09 12:0 a.m.62 views

WebKit ComposedTreeIterator::traverseNextInShadowTree Use-After-Free

WebKit: ComposedTreeIterator::traverseNextInShadowTree use-after-free CVE-2017-2466 There is a use-after-free security vulnerability in WebKit. The vulnerability was confirmed on a nightly version of WebKit. The PoC has also been observed to crash Safari 10.0.2 on Mac. PoC:...

6.8CVSS0.0687EPSS
Exploits3
Packet Storm
Packet Storm
added 2017/04/09 12:0 a.m.77 views

Apple Webkit Named Property UXSS

Apple Webkit: UXSS by accessing a named property from an unloaded window CVE-2017-2367 The frame is not detached from an unloaded window. We can access to the new document's named properties via the following function. static bool...

4.3CVSS7.5AI score0.06166EPSS
Exploits3
Packet Storm
Packet Storm
added 2017/04/09 12:0 a.m.58 views

WebKit FormSubmission::create Use-After-Free

WebKit: use-after-free in FormSubmission::create CVE-2017-2460 There is a use-after-free security vulnerability in WebKit. The vulnerability was confirmed on a nightly version of WebKit. The PoC has also been observed to crash Safari 10.0.2 on Mac. Please note: This bug is subject to a 90 day...

6.8CVSS7.5AI score0.06736EPSS
Exploits3
Packet Storm
Packet Storm
added 2017/04/09 12:0 a.m.54 views

Apple WebKit disconnectSubframes UXSS

Apple WebKit: UXSS via disconnectSubframes CVE-2017-2445 When an element is removed from a document, the function |disconnectSubframes| is called to detach its subframesiframe tag, object tag, etc.. Here is a snippet of |disconnectSubframes|. void disconnectSubframesContainerNode& root,...

4.3CVSS0.04237EPSS
Exploits3
0day.today
0day.today
added 2017/04/05 12:0 a.m.59 views

Apple WebKit 10.0.2 - HTMLInputElement Use-After-Free Exploit

Exploit for multiple platform in category dos / poc function eventhandler1 input.type = "foo"; function eventhandler2 input.selectionStart = 25; !-- ================================================================= ASAN log from WebKit nightly on Mac:...

6.8CVSS8.3AI score0.06766EPSS
Exploits3
0day.today
0day.today
added 2017/04/05 12:0 a.m.59 views

Apple WebKit - ComposedTreeIterator::traverseNextInShadowTree Use-After-Free Exploit

Exploit for multiple platform in category dos / poc function go d.open = false; d.innerHTML = "foo"; d.open = true; foo !-- ================================================================= ASan log: ================================================================= ==570==ERROR: AddressSanitizer:...

6.8CVSS8.3AI score0.0687EPSS
Exploits3
seebug.org
seebug.org
added 2017/04/05 12:0 a.m.38 views

WebKit: HTMLInputElement use-after-free (CVE-2017-2454)

There is a use-after-free security vulnerability related to how the HTMLInputElement is handled in WebKit. The vulnerability was confirmed on a nightly build of WebKit. The PoC also crashes Safari 10.0.2 on Mac. PoC: function eventhandler1 input.type = "foo"; function eventhandler2...

6.8CVSS8.1AI score0.06766EPSS
Exploits3
seebug.org
seebug.org
added 2017/04/05 12:0 a.m.26 views

WebKit: use-after-free in RenderLayer(CVE-2017-2455)

There is a use-after-free security vulnerability in WebKit. The vulnerability was confirmed on the latest nightly build of WebKit. The PoC also crashes Safari 10.0.2 on Mac. PoC and ASan log follow PoC: function go div.style.setProperty"-webkit-flow-into", "foo"; document.execCommand"fontSize",...

6.8CVSS8.1AI score0.06766EPSS
Exploits3
0day.today
0day.today
added 2017/04/05 12:0 a.m.46 views

Apple WebKit 10.0.2(12602.3.12.0.1) - Frame::setDocument (1) Universal Cross-Site Scripting Exploit

Exploit for multiple platform in category dos / poc && newDocument ASSERT!newDocument || newDocument-frame == this; if mdoc && mdoc-pageCacheState != Document::InPageCache mdoc-prepareForDestruction; mdoc = newDocument.copyRef; ... The function |prepareForDestruction| only called when the cache...

4.3CVSS7.7AI score0.06653EPSS
Exploits3
seebug.org
seebug.org
added 2017/04/04 12:0 a.m.25 views

Apple WebKit: UXSS via Frame::setDocument (1)(CVE-2017-2364)

void Frame::setDocumentRefPtr&& newDocument ASSERT!newDocument || newDocument-frame == this; if mdoc && mdoc-pageCacheState != Document::InPageCache mdoc-prepareForDestruction; mdoc = newDocument.copyRef; ... The function |prepareForDestruction| only called when the cache state is not...

4.3CVSS7.6AI score0.06653EPSS
Exploits3
seebug.org
seebug.org
added 2017/04/04 12:0 a.m.31 views

Apple Webkit: UXSS by accessing a named property from an unloaded window (CVE-2017-2367)

The frame is not detached from an unloaded window. We can access to the new document's named properties via the following function. static bool jsDOMWindowPropertiesGetOwnPropertySlotNamedItemGetterJSDOMWindowProperties thisObject, Frame& frame, ExecState exec, PropertyName propertyName,...

4.3CVSS7.6AI score0.06166EPSS
Exploits3
exploitpack
exploitpack
added 2017/04/04 12:0 a.m.13 views

Apple Webkit - Universal Cross-Site Scripting by Accessing a Named Property from an Unloaded Window

Apple Webkit - Universal Cross-Site Scripting by Accessing a Named Property from an Unloaded Window document auto& htmlDocument = downcastdocument; auto atomicPropertyName = propertyName.publicName; if atomicPropertyName && htmlDocument.hasWindowNamedItematomicPropertyName JSValue namedItem; if...

6.7AI score
Exploits0
exploitpack
exploitpack
added 2017/04/04 12:0 a.m.33 views

Apple WebKit - RenderLayer Use-After-Free

Apple WebKit - RenderLayer Use-After-Free function go div.style.setProperty"-webkit-flow-into", "foo"; document.execCommand"fontSize", false, 6; window.requestAnimationFramecb; h1.attachShadowmode: "open"; h1.replaceWith"foo"; function cb var a; //trigger garbage collector forvar i=0;i !--...

7.4AI score
Exploits0
Exploit DB
Exploit DB
added 2017/04/04 12:0 a.m.31 views

Apple WebKit - 'ComposedTreeIterator::traverseNextInShadowTree' Use-After-Free

function go d.open = false; d.innerHTML = "foo"; d.open = true; foo !-- ================================================================= ASan log: ================================================================= ==570==ERROR: AddressSanitizer: heap-use-after-free on address 0x607000065058 at pc...

7.4AI score
Exploits0
Exploit DB
Exploit DB
added 2017/04/04 12:0 a.m.25 views

Apple WebKit 10.0.2(12602.3.12.0.1) - 'Frame::setDocument (1)' Universal Cross-Site Scripting

&& newDocument ASSERT!newDocument || newDocument-frame == this; if mdoc && mdoc-pageCacheState != Document::InPageCache mdoc-prepareForDestruction; mdoc = newDocument.copyRef; ... The function |prepareForDestruction| only called when the cache state is not |Document::InPageCache|. So the frame wi...

7.4AI score
Exploits0
Exploit DB
Exploit DB
added 2017/04/04 12:0 a.m.45 views

Apple WebKit - 'FormSubmission::create' Use-After-Free

function go object.name = "foo"; input.autofocus = true; output.appendChildinput; form.submit; function eventhandler forvar i=0;i a !-- ================================================================= Preliminary analysis: The bug is in FormSubmission::create. This function traverses the vector ...

7AI score
Exploits0
Exploit DB
Exploit DB
added 2017/04/04 12:0 a.m.53 views

Apple WebKit 10.0.2 (12602.3.12.0.1) - 'disconnectSubframes' Universal Cross-Site Scripting

frameOwners; if policy == RootAndDescendants if isroot frameOwners.appenddowncastroot; collectFrameOwnersframeOwners, root; // Must disable frame loading in the subtree so an unload handler cannot // insert more frames and create loaded frames in detached subtrees. SubframeLoadingDisabler...

7.4AI score
Exploits0
Rows per page
Query Builder