libxslt xsltParseStylesheetProcess Use-After-Free
libxslt suffers from a use-after-free vulnerability in xsltParseStylesheetProcess: a namespace URL stored in exclPrefixTab is read after it has been freed. The issue was reproduced on the latest Git version. The proof of concept and ASan log are provided at the end of the repor...
WebKit - WebCore::RenderLayer::updateDescendantDependentFlags Use-After-Free Exploit
Exploit for multiple platform in category dos / poc htmlvar00005, noframes, diplay: inline; padding-top: 0vw; -webkit-column-count: 41; transition-delay: body::first-letter box-flex-group: -webkit-background-size: contain; -webkit-opacity: 0.716727864979; htmlvar00001, .class1 1vmax; display:...
WebKit - 'WebCore::RenderTreeBuilder::removeAnonymousWrappersForInlineChildrenIfNeeded' Use-After-Free
::selection, input:focus, .class0, ul::first-letter -webkit-column-count: 85; float: left; function jsfuzzer var fuzzervars = ; try / / var00034 = document.getSelection; catche try var00034.setPositionhtmlvar00003; var var00043 catche try / newvarvar00104:Element / var var00104 = htmlvar00013;...
WebKit - WebCore::FrameView::clientToLayoutViewportPoint Use-After-Free Exploit
Exploit for multiple platform in category dos / poc function jsfuzzer var b = document.createElement"body"; a.appendb; ta.autofocus = true; var iframe = document.createElement"iframe"; b.appendChildiframe; li.appendChilddd; iframe.contentDocument.caretRangeFromPoint; function eventhandler...
WebKit - detachWrapper Use-After-Free Exploit
Exploit for multiple platform in category dos / poc ::detachWrapper /Users/projectzero/webkit/WebKit/WebKitBuild/Release...
WebKit: use-after-free in WebCore::DocumentLoader::frameLoader (CVE-2017-13794)
There is a use-after-free security vulnerability in WebKit. The vulnerability was confirmed on an ASan build of WebKit nightly. ASan log: ================================================================= ==689==ERROR: AddressSanitizer: heap-use-after-free on address 0x6110000889c8 at pc 0x000114c94a...
WebKit - WebCore::InputType::element Use-After-Free (2)
WebKit - WebCore::InputType::element Use-After-Free (2) / Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1345 There is a use-after-free security vulnerability in WebKit. The vulnerability was confirmed on an ASan build of WebKit nightly. PoC:...
WebKit - WebCore::AXObjectCache::performDeferredCacheUpdate Use-After-Free Exploit
Exploit for multiple platform in category dos / poc / Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1347 There is a use-after-free security vulnerability in WebKit. The vulnerability was confirmed on an ASan build of WebKit nightly. Note that accessibility features need to be...
WebKit WebCore::TreeScope::documentScope Use-After-Free
WebKit: use-after-free in WebCore::TreeScope::documentScope (CVE-2017-13796) There is a use-after-free security vulnerability in WebKit. The vulnerability was confirmed on an ASan build of WebKit nightly. PoC: ================================================================= function freememory() { var a;...
WebKit - 'WebCore::InputType::element' Use-After-Free (2)
/ Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1345 There is a use-after-free security vulnerability in WebKit. The vulnerability was confirmed on an ASan build of WebKit nightly. PoC: ================================================================= / function go...
WebKit - WebCore::SimpleLineLayout::RunResolver::runForPoint Out-of-Bounds Read
WebKit - WebCore::SimpleLineLayout::RunResolver::runForPoint Out-of-Bounds Read / Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1349 There is an out-of-bounds read security vulnerability in WebKit. The vulnerability was confirmed on an ASan build of WebKit nightly. PoC:...
WebKit: use-after-free in WebCore::getCachedWrapper (CVE-2017-7040)
There is a use-after-free security vulnerability in WebKit. The vulnerability was confirmed on an ASan build of WebKit nightly. PoC: ================================================================= function freememory() { var a; for (var i=0;i...
WebKit: use-after-free in WebCore::AccessibilityNodeObject::textUnderElement (CVE-2017-7048)
There is a use-after-free security vulnerability in WebKit. The vulnerability was confirmed on an ASan build of WebKit nightly. Note that accessibility features need to be enabled in order to trigger this bug. On Safari on Mac this can be accomplished by opening the inspector simply opening the...
WebKit WebCore::AccessibilityNodeObject::textUnderElement Use-After-Free
WebKit: use-after-free in WebCore::AccessibilityNodeObject::textUnderElement (CVE-2017-7048) There is a use-after-free security vulnerability in WebKit. The vulnerability was confirmed on an ASan build of WebKit nightly. Note that accessibility features need to be enabled in order to trigger this bug...
WebKit - WebCore::InputType::element Use-After-Free Exploit
Exploit for multiple platform in category dos / poc var runcount = 0; function go runcount++; ifruncount 2 return; i.type = "foo"; i.select; i.type = "search"; document.onsearch = document.body.onload; document.execCommand"insertHTML", false, ""; !--...
WebKit - 'WebCore::RenderObject' with Accessibility Enabled Use-After-Free
link { text-transform: lowercase; } link::first-letter { border-spacing: 1em; } function go() { dt.appendChild(link); var s = link.style; s.setProperty("display", "table-column-group"); s.setProperty("-webkit-appearance", "menulist-button"); } function eventhandler() { dir.setAttribute("aria-labeledby", "meta");...
Skia Graphics Library - Heap Overflow due to Rounding Error in SkEdge::setLine Exploit
Exploit for multiple platform in category dos / poc / Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1155 Skia bug: https://bugs.chromium.org/p/skia/issues/detail?id=6294 There is a heap overflow in SkARGB32ShaderBlitter::blitH caused by a rounding error in SkEdge::setLine. To...
Apple WebKit Safari 10.0.3(12602.4.8) - Editor::Command::execute Universal Cross-Site Scripting
Apple WebKit Safari 10.0.3 (12602.4.8) - Editor::Command::execute Universal Cross-Site Scripting document->updateLayoutIgnorePendingStylesheets(); return m_command->execute(m_frame, triggeringEvent, m_source, parameter); This method is invoked under an |EventQueueScope|. But...
WebKit WebCore::FrameView::scheduleRelayout Use-After-Free
WebKit: UAF in WebCore::FrameView::scheduleRelayout (CVE-2017-2514) PoC: let f = document.body.appendChild(document.createElement('iframe')); let g = f.contentDocument.body.appendChild(document.createElement('iframe')); g.contentWindow.onunload = () => g.contentWindow.onunload = null; let h =...
Mozilla Firefox 53 - ConvolvePixel Memory Disclosure
Mozilla Firefox 53 - ConvolvePixel Memory Disclosure /home/worker/workspace/build/src/gfx/2d/FilterNodeSoftware.cpp:2358 #2 0x7f8d3fcd397d in already_AddRefed<mozilla::gfx::Data...
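Several of the entries above (the libxslt report, the DocumentLoader::frameLoader log, the detachWrapper and ConvolvePixel stack frames) cite AddressSanitizer output as the evidence that a bug reproduces. When working through a listing of this size, the first job is usually to bucket the reports by bug class and crashing frame so that repeated hits on one crash site collapse into a single item. The script below is an added example, not code from this listing or from any of the projects it references; the four reports embedded in it are constructed to mirror the ASan layout, and every pid, address, offset and file:line in them is made up for the example.

```python
"""Bucket AddressSanitizer reports by (bug class, top frame) and assign a rough priority.

Added example; not code from the listing or from WebKit, libxslt, Skia or Firefox.
"""
import re
from collections import OrderedDict

# Constructed sample reports: real ASan layout, made-up pids/addresses/lines.
SAMPLE_REPORTS = [
    """==4242==ERROR: AddressSanitizer: heap-use-after-free on address 0x60b00001f3c8 at pc 0x00010a1b2c3d bp 0x7ffee1a2b3c0 sp 0x7ffee1a2b3b8
READ of size 8 at 0x60b00001f3c8 thread T0
    #0 0x10a1b2c3c in WebCore::DocumentLoader::frameLoader() const DocumentLoader.cpp:147
    #1 0x10a1b9e11 in WebCore::DocumentLoader::stopLoading() DocumentLoader.cpp:318
0x60b00001f3c8 is located 8 bytes inside of 104-byte region [0x60b00001f3c0,0x60b00001f428)
freed by thread T0 here:
    #0 0x1093f1a2d in wrap_free asan_malloc_mac.cc:41
""",
    """==4301==ERROR: AddressSanitizer: heap-use-after-free on address 0x60b000021a48 at pc 0x00010a1b2c3d bp 0x7ffee1a2b3c0 sp 0x7ffee1a2b3b8
READ of size 8 at 0x60b000021a48 thread T0
    #0 0x10a1b2c3c in WebCore::DocumentLoader::frameLoader() const DocumentLoader.cpp:147
""",
    """==5150==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x61900000a080 at pc 0x000102ab4c00 bp 0x7ffee2c1d140 sp 0x7ffee2c1d138
WRITE of size 4 at 0x61900000a080 thread T0
    #0 0x102ab4bff in SkARGB32_Shader_Blitter::blitH(int, int, int) SkBlitter_ARGB32.cpp:412
    #1 0x102ab00aa in SkScan::FillPath(SkPath const&, SkRegion const&, SkBlitter*) SkScan_Path.cpp:270
0x61900000a080 is located 0 bytes to the right of 1024-byte region [0x619000009c80,0x61900000a080)
""",
    """==77==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000028 (pc 0x00010c0ffee0 bp 0x7ffee1a2b3c0 sp 0x7ffee1a2b3b8 T0)
==77==The signal is caused by a READ memory access.
==77==Hint: address points to the zero page.
    #0 0x10c0ffedf in WebCore::RenderLayer::updateDescendantDependentFlags() RenderLayer.cpp:2020
""",
]

HEADER_RE = re.compile(r"^==(?P<pid>\d+)==ERROR: AddressSanitizer: (?P<kind>[\w-]+)"
                       r"(?: on (?:unknown )?address (?P<addr>0x[0-9a-f]+))?", re.M)
PC_RE = re.compile(r"\bpc (0x[0-9a-f]+)")
ACCESS_RE = re.compile(r"^(?P<op>READ|WRITE) of size (?P<size>\d+)", re.M)
SIGNAL_RE = re.compile(r"caused by a (?P<op>READ|WRITE) memory access")
FRAME0_RE = re.compile(r"^\s*#0 0x[0-9a-f]+ in (?P<rest>.+?)\s*$", re.M)
# A trailing 'file.ext:line[:col]' or '(module+0xoff)' token is the location, not the symbol.
LOC_RE = re.compile(r"^(?:\(\S+\+0x[0-9a-f]+\)|\S+\.[A-Za-z]+:\d+(?::\d+)?)$")

MEMORY_CORRUPTION = {"heap-use-after-free", "heap-buffer-overflow", "stack-buffer-overflow",
                     "global-buffer-overflow", "stack-use-after-return", "double-free"}


def split_frame(rest):
    """Split 'symbol file:line' into (symbol, location); symbols may contain spaces."""
    head, sep, tail = rest.rpartition(" ")
    if sep and LOC_RE.match(tail):
        return head, tail
    return rest, None


def priority(rec):
    """Rough ranking: a write primitive in a corruption class outranks a read; SEGV needs a look."""
    if rec["kind"] in MEMORY_CORRUPTION:
        return "high" if rec["op"] == "WRITE" or rec["kind"] == "double-free" else "medium"
    return "low"


def parse_report(text):
    """Extract pid, bug class, faulting address/pc, access kind/size and the first crash frame."""
    m = HEADER_RE.search(text)
    if not m:
        return None
    rec = {"pid": int(m.group("pid")), "kind": m.group("kind"), "addr": m.group("addr"),
           "pc": None, "op": None, "size": None, "func": None, "loc": None}
    pc = PC_RE.search(text)
    if pc:
        rec["pc"] = pc.group(1)
    acc = ACCESS_RE.search(text)
    if acc:
        rec["op"], rec["size"] = acc.group("op"), int(acc.group("size"))
    else:
        sig = SIGNAL_RE.search(text)  # SEGV reports describe the access in prose instead
        if sig:
            rec["op"] = sig.group("op")
    fr = FRAME0_RE.search(text)  # first '#0' is the crashing stack, not the free/alloc stacks
    if fr:
        rec["func"], rec["loc"] = split_frame(fr.group("rest"))
    rec["priority"] = priority(rec)
    return rec


def triage(reports):
    """Group parsed reports by (kind, top frame); same crash site from different runs merges."""
    buckets = OrderedDict()
    for text in reports:
        rec = parse_report(text)
        if rec is None:
            continue
        key = "%s @ %s" % (rec["kind"], rec["func"] or "<no frame>")
        b = buckets.setdefault(key, {"count": 0, "priority": rec["priority"],
                                     "pids": [], "loc": rec["loc"]})
        b["count"] += 1
        b["pids"].append(rec["pid"])
    return buckets


if __name__ == "__main__":
    for key, b in triage(SAMPLE_REPORTS).items():
        print("%-6s x%d %s (%s)" % (b["priority"], b["count"], key, b["loc"]))
```

The bucketing key deliberately uses the symbol of frame #0 rather than the faulting address, since ASan addresses change between runs while the crash site does not; feed it real reports by reading each log file into the list in place of the constructed samples.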