979 matches found
Memory Exposure
Overview: Versions of concat-stream before 1.5.2 are vulnerable to memory exposure if user-provided input is passed into write. Versions 1.3.0 are not affected due to not using unguarded Buffer constructor. Recommendation: Update to version 1.5.2, 1.4.11, 1.3.2 or later. If you are unable to update...
Memory Exposure
Overview: Versions of bl before 0.9.5 and 1.0.1 are vulnerable to memory exposure. bl.append(number) in the affected bl versions passes a number to Buffer constructor, appending a chunk of uninitialized memory. Recommendation: Update to version 0.9.5, 1.0.1 or later. References - GitHub PR 22 - GitHub...
Chrome V8 JIT - NodeProperties::InferReceiverMaps Type Confusion
https://cs.chromium.org/chromium/src/v8/src/compiler/node-properties.cc?rcl=df84e87191022bf6914f9570069908f10b303245&l=416 Here's a snippet of NodeProperties::InferReceiverMaps. case IrOpcode::kJSCreate: if IsSamereceiver, effect...
Exploit for Improper Restriction of Operations within the Bounds of a Memory Buffer in Apple Safari
CVE-2018-4121 - Safari Wasm Sections POC RCE Exploit by MWR L...
PT-2018-1370 · Pdfinfojs · Pdfinfojs
Name of the Vulnerable Software and Affected Versions: pdfinfojs versions = 0.3.6 pdfinfojs versions prior to 0.4.1 Description: The issue is related to a lack of neutralization of special elements in input commands for the pdfinfojs module. This can be exploited by a remote attacker to execute...
slf4j: Deserialisation vulnerability in EventData constructor can allow for arbitrary code execution
An XML deserialization vulnerability was discovered in slf4j's EventData, which accepts an XML serialized string and can lead to arbitrary code execution...
Chrome V8 Genesis::InitializeGlobal Bugs
Chrome: V8: Bugs in Genesis::InitializeGlobal Bug: The Genesis::InitializeGlobal method initializes the constructor of RegExp as follows: // Builtin functions for RegExp.prototype. Handle regexpfun = InstallFunction global, "RegExp", JSREGEXPTYPE, JSRegExp::kSize + JSRegExp::kInObjectFieldCount...
Google Chrome V8 - 'Genesis::InitializeGlobal' Out-of-Bounds Read/Write
Bug: The Genesis::InitializeGlobal method initializes the constructor of RegExp as follows: // Builtin functions for RegExp.prototype. Handle regexpfun = InstallFunction global, "RegExp", JSREGEXPTYPE, JSRegExp::kSize + JSRegExp::kInObjectFieldCount kPointerSize, JSRegExp::kInObjectFieldCount,...
Microsoft Edge Chakra JIT - Stack-to-Heap Copy (Incomplete Fix) (2)
Here's a snippet of JavascriptArray::BoxStackInstance. template T JavascriptArray::BoxStackInstanceT instance, bool deepCopy AssertThreadContext::IsOnStackinstance; // On the stack, the we reserved a pointer before the object as to store the boxed value T boxedInstanceRef = T instance - 1; T...
PYSEC-2018-148
In the DataBuf class in include/exiv2/types.hpp in Exiv2 0.26, an issue exists in the constructor with an initial buffer size. A large size value may lead to a SIGABRT during an attempt at memory allocation. NOTE: some third parties have been unable to reproduce the SIGABRT when using the...
CVE-2018-9145
In the DataBuf class in include/exiv2/types.hpp in Exiv2 0.26, an issue exists in the constructor with an initial buffer size. A large size value may lead to a SIGABRT during an attempt at memory allocation. NOTE: some third parties have been unable to reproduce the SIGABRT when using the...
CentOS Update for slf4j CESA-2018:0592 centos7
Check the version of slf4j SPDX-FileCopyrightText: 2018 Greenbone AG Some text descriptions might be excerpted from a referenced sources, and are Copyright C by the respective right holders. SPDX-License-Identifier: GPL-2.0-only ifdescription scriptoid"1.3.6.1.4.1.25623.1.0.882865";...
Oracle Linux 7 : slf4j (ELSA-2018-0592)
The remote Oracle Linux 7 host has packages installed that are affected by a vulnerability as referenced in the ELSA-2018-0592 advisory. 0:1.7.4-4 - Disallow EventData deserialization by default CVE-2018-8088 Tenable has extracted the preceding description block directly from the Oracle Linux...
chrome:Cross-origin object leak via fetch
VULNERABILITY DETAILS: The promise returned by fetch.call(crossOriginWindow) is created in the cross-origin context. Direct cross-origin scripting is not possible because cross-origin function constructors don't work anymore (issue 541703). But the attacker can e.g. call other functions of the...
Arbitrary Code Execution
Overview: math.js before 3.17.0 had an issue where private properties such as a constructor could be replaced by using unicode characters when creating an object. Recommendation: Upgrade to version 3.17.0 or later. References - Commit a60f3c8 -...
Updated php-phpmailer packages fix security vulnerability
Debugoutput wasn't set in constructor according to SAPI in use, resulting in potential XSS in default debug output...
Unauthorized Constructor Replacement
mathjs is vulnerable to unauthorized constructor replacement. The vulnerability is possible because restricted properties like constructor functions can be replaced by unicode characters when creating an object. This can lead to an arbitrary code execution attack through the constructor...