Lucene search
K
Catalog
Vendors
Products
Timeline
Vulnerabilities
Sources
Documentation
Blog
Glossary
FAQ
Brand assets
Assessment
Agents dashboard
Agent Scanning
API Scanning
Assessment API
Alerts
Email notifications
Webhook notifications
Alerts API
SBOM package analysis
API Reference
Support
Settings
Sign in
🔥 Daily Hot!
💪🏽 CPE Enhanced Advisories
🕶 Shadow Exploits
🕵🏼 Vulners CPE
🔐 Security news
💻 Exploit updates
📑 Blogs review
🐧 Linux vulnerabilities
🐞 Bugbounty
🤖 AI High Score
📰 CVE Feed
show all

6 matches found

0day.today
0day.todayadded 2018/12/13 12:0 a.m.51 views

WebKit JIT - Int32/Double Arrays can have Proxy Objects in the Prototype Chains Exploit

didBecomePrototype; if structurevm-hasMonoProto DeferredStructureTransitionWatchpointFire deferredvm, structurevm; Structure newStructure = Structure::changePrototypeTransitionvm, structurevm, prototype, deferred; setStructurevm, newStructure; else putDirectvm, knownPolyProtoOffset, prototype; if...

8.8CVSS0.2AI score0.22555EPSS
Exploits2
Exploit DB
Exploit DBadded 2018/10/09 12:0 a.m.97 views

Microsoft Edge Chakra JIT - Type Confusion

/ The switch statement only handles Js::TypeIdsArray but not Js::TypeIdsNativeIntArray and Js::TypeIdsNativeFloatArray. So for example, a native float array can be considered as of type ObjectType::Object under certain circumstances where "objValueType.IsLikelyArrayOrObjectWithArray" is not...

7.4AI score
Exploits0
exploitpack
exploitpackadded 2018/02/15 12:0 a.m.19 views

Microsoft Edge Chakra JIT - Array.prototype.reverse Array Type Confusion

Microsoft Edge Chakra JIT - Array.prototype.reverse Array Type Confusion / This is simillar to the previous issue 1457. But this time, we use Array.prototype.reverse. Array.prototype.reverse can be inlined and may invoke EnsureNonNativeArray to convert the prototype of "this" to a Var array. Call...

0.3AI score
Exploits0
Exploit DB
Exploit DBadded 2018/02/15 12:0 a.m.34 views

Microsoft Edge Chakra JIT - 'Array.prototype.reverse' Array Type Confusion

/ This is simillar to the previous issue 1457. But this time, we use Array.prototype.reverse. Array.prototype.reverse can be inlined and may invoke EnsureNonNativeArray to convert the prototype of "this" to a Var array. Call flow: JavascriptArray::EntryReverse - FillFromPrototypes -...

7.4AI score
Exploits0
0day.today
0day.todayadded 2018/02/15 12:0 a.m.25 views

Microsoft Edge Chakra JIT - Array Type Confusion via InitProto Instructions Exploit

Exploit for windows platform in category dos / poc / If a native array is used as a prototype, it is converted to a Var array by the Js::JavascriptNativeFloatArray::SetIsPrototype method. In the JIT compiler, it uses InitProto instructions to set object literals' prototype. But when optimizing...

7.5AI score0.78098EPSS
Exploits15
exploitpack
exploitpackadded 2018/02/15 12:0 a.m.12 views

Microsoft Edge Chakra JIT - Array Type Confusion via InitProto Instructions

Microsoft Edge Chakra JIT - Array Type Confusion via InitProto Instructions / If a native array is used as a prototype, it is converted to a Var array by the Js::JavascriptNativeFloatArray::SetIsPrototype method. In the JIT compiler, it uses InitProto instructions to set object literals' prototyp...

0.8AI score
Exploits0
Rows per page
Query Builder