5 matches found
WebKit HTMLSelectElement Use-After-Free Exploit
WebKit use-after-free in HTMLSelectElement. There is a use-after-free in HTMLSelectElement. If the length of the HTMLSelectElement is set to a value greater than the existing options length, then dummy HTMLOptionElement elements are created. These HTMLOptionElements are stored as raw pointers in...
Microsoft Edge 38.14393.1066.0 - 'textarea.defaultValue' Memory Disclosure
var n = 0; function go document.addEventListener"DOMNodeRemoved", eventhandler; eventhandler; function eventhandler n++; ifn==5 return; //prevent going into an infinite recursion t.defaultValue = "aaaaaaaaaaaaaaaaaaaa"; f.reset; aaa !-- ========================================= This seems to be t...
security flaw
Mozilla Firefox and Thunderbird before 1.5.0.4 allow remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via (1) nested tags in a select tag, (2) a DOMNodeRemoved mutation event, (3) "Content-implemented tree views," (4) BoxObjects, (5) the XBL implementation, (6) an ifram...
CVE-2006-2779
CVE-2006-2779 affects Mozilla Firefox and Thunderbird prior to 1.5.0.4. The vulnerability enables memory corruption leading to denial of service (crash) and potential remote code execution via multiple vectors (including nested tags in a select, DOMNodeRemoved mutation events, Content-implemente...
CVE-2006-2779
Mozilla Firefox and Thunderbird before 1.5.0.4 allow remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via (1) nested tags in a select tag, (2) a DOMNodeRemoved mutation event, (3) "Content-implemented tree views," (4) BoxObjects, (5) the XBL implementation, (6) an ifram...