
979 matches found

RedhatCVE
added 2017/08/16 12:48 p.m., 29 views

CVE-2017-1000107

Script Security Plugin did not apply sandboxing restrictions to constructor invocations via positional arguments list, super constructor invocations, method references, and type coercion expressions. This could be used to invoke arbitrary constructors and methods, bypassing sandbox protection...

CVSS 8.8, AI score 5.5, EPSS 0.00274
Exploits 0, References 2
Packet Storm
added 2017/08/16 12:0 a.m., 47 views

Microsoft Edge Charka Failed Re-Parse

Microsoft Edge: Chakra: InterpreterStackFrame::ProcessLinkFailedAsmJsModule incorrectly re-parses CVE-2017-8645 When Chakra fails to link an asmjs module, it tries to re-parse the failed-to-link asmjs function to treat it as a normal javascript function. But it incorrectly handles the case where...

CVSS 7.6, EPSS 0.81883
Exploits 35
0day.today
added 2017/06/01 12:0 a.m., 35 views

WebKit JSC emitPutDerivedConstructorToArrowFunctionContextScope Incorrect Check Vulnerability

Exploit for multiple platform in category dos / poc WebKit: JSC: incorrect check in emitPutDerivedConstructorToArrowFunctionContextScope CVE-2017-2531 When a super expression is used in an arrow function, the following code, which generates bytecode, is called. if needsToUpdateArrowFunctionContex...

CVSS 6.8, AI score 8.3, EPSS 0.06301
Exploits 3
Packet Storm
added 2017/06/01 12:0 a.m., 65 views

WebKit JSC emitPutDerivedConstructorToArrowFunctionContextScope Incorrect Check

WebKit: JSC: incorrect check in emitPutDerivedConstructorToArrowFunctionContextScope CVE-2017-2531 When a super expression is used in an arrow function, the following code, which generates bytecode, is called. if needsToUpdateArrowFunctionContext && !codeBlock-isArrowFunction bool...

AI score 0.3, EPSS 0.06301
Exploits 3
0day.today
added 2017/05/09 12:0 a.m., 27 views

LG G4 MRA58K - mkvparser::Tracks constructor Failure to Initialise Pointers Exploit

Exploit for Android platform in category dos / poc Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1117 Failure to initialise pointers in mkvparser::Tracks constructor The constructor mkvparser::Tracks::Tracks doesn't handle parsing failures correctly. If we look at the function...

AI score 0.2
Exploits 0
exploitpack
added 2017/05/09 12:0 a.m., 15 views

LG G4 MRA58K - mkvparser::Tracks constructor Failure to Initialise Pointers

LG G4 MRA58K - mkvparser::Tracks constructor Failure to Initialise Pointers Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1117 Failure to initialise pointers in mkvparser::Tracks constructor The constructor mkvparser::Tracks::Tracks doesn't handle parsing failures correctly. I...

AI score 0.1
Exploits 0
seebug.org
added 2017/04/24 12:0 a.m., 29 views

Chrome Universal XSS via the interception of |Binding| with Object.prototype.create (CVE-2016-1674)

VULNERABILITY DETAILS The fix for the issue 590118 is insufficient to protect against the bindings interception. While they can't be accessed by triggering accessors on the |modules| object anymore, it's still possible to trap the set operation for |Binding.create| using the Object.prototype...

CVSS 6.8, AI score 8.7, EPSS 0.01496
Exploits 1
RedHat Linux
added 2017/04/21 12:49 a.m., 1 view

Mozilla: Sandbox escape allowing local file system read access (MFSA 2017-12)

A mechanism to bypass file system access protections in the sandbox using the file system request constructor through an IPC message. This allows for read and write access to the local file system. This vulnerability affects Firefox ESR 52.1 and Firefox 53...

CVSS 9.8, AI score 7.3, EPSS 0.00347
Exploits 1, References 5
CNVD
added 2017/03/22 12:0 a.m., 1 view

PoDoFo 'PoDoFo::PdfXObject::PdfXObject' function null pointer reference denial of service vulnerability

PoDoFo is an open source library, written in C++, for working with the PDF file format. A null pointer reference vulnerability exists in PoDoFo's 'PoDoFo::PdfXObject::PdfXObject' function. It allows a remote attacker to construct a malicious file and trick the user into parsing it, which can crash the...

CVSS 5.5, AI score 5.8, EPSS 0.00176
Exploits 0, References 1
Cvelist
added 2017/02/16 6:0 p.m., 21 views

CVE-2016-9955

The SimpleSAMLXMLValidator class constructor in SimpleSAMLphp before 1.14.11 might allow remote attackers to spoof signatures on SAML 1 responses or possibly cause a denial of service (memory consumption) by leveraging improper conversion of return values to boolean...

AI score 6.6, EPSS 0.0041
Exploits 0, References 3
Prion
added 2017/02/03 7:59 p.m., 14 views

Code injection

Unspecified methods in the RACF Connector component before 1.1.1.0 in ForgeRock OpenIDM and OpenICF improperly call the SearchControls constructor with returnObjFlag set to true, which allows remote attackers to execute arbitrary code via a crafted serialized Java object, aka LDAP entry poisoning...

CVSS 6.8, AI score 8.2, EPSS 0.01888
Exploits 0, References 1, Affected Software 1
Veracode
added 2017/01/23 5:52 a.m., 8 views

Directory Traversal Through Malformed URI

httpcore5 and httpclient are vulnerable to directory traversal attacks. The vulnerability is possible because the string input by user is not validated for the presence of leading character / and is passed to the constructor as path information...

AI score 6.7
Exploits 0
UbuntuCve
added 2016/12/13 12:0 a.m., 25 views

CVE-2016-9897

Memory corruption resulting in a potentially exploitable crash during WebGL functions using a vector constructor with a varying array within libGLES. This vulnerability affects Firefox 50.1, Firefox ESR 45.6, and Thunderbird 45.6...

CVSS 7.5, AI score 7.1, EPSS 0.0395
Exploits 1, References 4
Cvelist
added 2016/09/25 8:0 p.m., 20 views

CVE-2016-5171

WebKit/Source/bindings/templates/interface.cpp in Blink, as used in Google Chrome before 53.0.2785.113, does not prevent certain constructor calls, which allows remote attackers to cause a denial of service (use-after-free) or possibly have unspecified other impact via crafted JavaScript code...

AI score 7, EPSS 0.00842
Exploits 0, References 8
exploitpack
added 2016/09/08 12:0 a.m., 9 views

Adobe Flash - Transform.colorTranform Getter Infomation Leak

Adobe Flash - Transform.colorTranform Getter Infomation Leak Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=845 There is an info leak in the Transform.colorTranform getter. If the constructor for ColorTransform is overwritten with a getter using addProperty, this getter will...

AI score 0.3
Exploits 0
0day.today
added 2016/09/08 12:0 a.m., 50 views

Android - libutils UTF16 to UTF8 Conversion Heap Buffer Overflow

Exploit for Android platform in category remote exploits Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=840 There's an inconsistency between the way that the two functions in libutils/Unicode.cpp handle invalid surrogate pairs in UTF16, resulting in a mismatch between the size...

CVSS 9.3, AI score 7.8, EPSS 0.12447
Exploits 1
OSV
added 2016/08/05 8:59 p.m., 1 view

CVE-2016-3836

The SurfaceFlinger service in Android 5.0.x before 5.0.2, 5.1.x before 5.1.1, and 6.x before 2016-08-01 allows attackers to obtain sensitive information via a crafted application, related to lack of a default constructor in include/ui/FrameStats.h, aka internal bug 28592402...

CVSS 5.5, AI score 7.3, EPSS 0.00105
Exploits 0, References 3
OSV
added 2016/08/05 8:59 p.m., 0 views

UBUNTU-CVE-2016-3836

The SurfaceFlinger service in Android 5.0.x before 5.0.2, 5.1.x before 5.1.1, and 6.x before 2016-08-01 allows attackers to obtain sensitive information via a crafted application, related to lack of a default constructor in include/ui/FrameStats.h, aka internal bug 28592402...

CVSS 5.5, AI score 6.4, EPSS 0.00105
Exploits 0, References 4
Exploit DB
added 2016/05/17 12:0 a.m., 24 views

Adobe Flash - Type Confusion in FileReference Constructor

Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=799 There is a type confusion issue in the FileReference constructor. The constructor adds several properties to the constructed object before setting the type and data. If a watch is set on one of these properties, code can be...

AI score 7.4
Exploits 0
exploitpack
added 2016/05/17 12:0 a.m., 13 views

Adobe Flash - Type Confusion in FileReference Constructor

Adobe Flash - Type Confusion in FileReference Constructor Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=799 There is a type confusion issue in the FileReference constructor. The constructor adds several properties to the constructed object before setting the type and data. If ...

AI score 0.6
Exploits 0