1779 matches found
CVE-2019-5426
CVE-2019-5426 affects Ubiquiti Networks EdgeSwitch X (v1.1.0 and prior). The vulnerability allows an unauthenticated remote user to use local port forwarding and dynamic port forwarding (SOCKS proxy) functionality to access local services or forward traffic through the device if SSH is enabled. T...
GitLab: Stored XSS in Wiki pages
Summary I found Stored XSS using Wiki-specific Hierarchical link Markdown in Wiki pages. Steps to reproduce 1. Sign in to GitLab. 2. Open a Project page that you have permission to edit Wiki pages. 3. Open Wiki page. 4. Click "New page" button. 5. Fill out "Page slug" form with javascript:. 6...
WebKit JavaScriptCore - 'createRegExpMatchesArray' Type Confusion
Prerequisites ------------- In JavaScriptCore, JSObjects have an associated Structure: an object describing various aspects of the JSObject such as its type, its properties, and the type of elements being stored e.g. unboxed double or JSValues. Whenever a property is added to an object or some...
WebKit JavaScriptCore - createRegExpMatchesArray Type Confusion
Prerequisites ------------- In JavaScriptCore, JSObjects have an associated Structure: an object describing various aspects of the JSObject such as its type, its properties, and the type of elements being stored e.g. unboxed double...
WebKit JavaScriptCore - createRegExpMatchesArray Type Confusion Exploit
Prerequisites ------------- In JavaScriptCore, JSObjects have an associated Structure: an object describing various aspects of the JSObject such as its type, its properties, and the type of elements being stored e.g. unboxed double or JSValues. Whenever a property is added to an object or some...
PuTTY < 0.71 Multiple Vulnerabilities
The remote host has a version of PuTTY installed that is prior to 0.71. It is, therefore, affected by multiple vulnerabilities including: - A remotely triggerable buffer overflow in any kind of server-to-client forwarding. CVE-2019-9895 - Potential recycling of random numbers used in cryptography...
Nextcloud: [Reflected XSS] In Request URL
In the index.php file on 1765 we can see XSS: " Because NextCloud allows links like: '/index.php/ANYCONTENT' If we do a request like: POST /updater/index.php/h"alert1; HTTP/1.1 Host: vulns.local Content-Type: application/x-www-form-urlencoded Content-Length: 33 updater-secret-input=OURSECRET We wil...
CVE-2019-9960
The downloadZip function in application/controllers/admin/export.php in LimeSurvey through 3.16.1+190225 allows a relative path. Bugs...
SUSE-SU-2018:3032-2 Security update for the Linux Kernel
The SUSE Linux Enterprise 12 SP1 LTSS kernel was updated to receive a security fix. The following security bug was fixed: - CVE-2018-17182: The vmacache_flush_all function in mm/vmacache.c mishandled sequence number overflows. An attacker can trigger a use-after-free and possibly gain privileges vi...
Zomato: [api.zomato.com] Able to manipulate order amount
@pasw discovered an interesting find where he was able to manipulate the order amount. This was a creative find and we rewarded @pasw with double bounty + promotional bonus of $2,500...
WordPress Blog2Social plugin CVE-2019-9576 XSS
Description The Blog2Social WordPress plugin is vulnerable to reflected XSS as it echoes the b2supdatepublishdate parameter without proper encoding. Successful exploitation allows an attacker to execute JavaScript in the context of the application in the name of an attacked user. This in turn...
Android - binder Use-After-Free via racy Initialization of ->allow_user_free
The following bug report solely looks at the situation on the upstream master branch; while from a cursory look, at least the wahoo kernel also looks affected, I have only properly tested this on upstream master. The binder...
kimageformats/kimgio_fuzzer: Crash in qt_blend_rgb32_on_rgb32_sse2
Project: git://anongit.kde.org/kimageformats Detailed report: https://oss-fuzz.com/testcase?key=5660323237855232 Project: kimageformats Fuzzer: afl_kimageformats_kimgio_fuzzer Fuzz target binary: kimgio_fuzzer Job Type: afl_asan_kimageformats Platform Id: linux Crash Type: UNKNOWN READ Crash Address:...
Internet Bug Bounty: phar_tar_writeheaders_int() buffer overflow
A buffer overflow has been found in the phar_tar_writeheaders_int function. It does a strncpy to header->linkname from entry->link with the size of entry->link. As you can see in https://github.com/php/php-src/blob/master/ext/phar/tar.h#L66 , header->linkname is a char array of size 100. Once entry->link...
macOS XNU - Copy-on-Write Behavior Bypass via Mount of User-Owned Filesystem Image
XNU has various interfaces that permit creating copy-on-write copies of data between processes, including out-of-line message descriptors in mach messages. It is important that the copied memory is protected against later modifications by the source process; otherwise, the source process might be...
DEBIAN-CVE-2018-12390
Mozilla developers and community members reported memory safety bugs present in Firefox 62 and Firefox ESR 60.2. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could be exploited to run arbitrary code. This vulnerability affects...
CVE-2019-8347
CVE-2019-8347: BEESCMS 4.0 contains a CSRF vulnerability that enables an attacker to add arbitrary VIP accounts through the admin/admin_member.php?action=add&nav=add_web_user&admin_p_nav=user URI. The connected sources confirm the issue as a CSRF flaw, enabling account creation without proper us...
Node.js third-party modules: [url-parse] Improper Validation and Sanitization
NOTE! Thanks for submitting a report! Please replace all the square sections below with the pertinent details. Remember, the more detail you provide, the easier it is for us to triage and respond quickly, so be sure to take your time filling out the report! I would like to report Improper...
CVE-2019-5596
CVE-2019-5596 affects FreeBSD 11.2-STABLE after r338618 and before r343786, and 12.0-STABLE before r343781 and 12.0-RELEASE before 12.0-RELEASE-p3. Description: a bug in the reference count handling for UNIX-domain sockets can cause the kernel to incorrectly release a file structure, enabling a l...
macOS XNU - Copy-on-Write Behaviour Bypass via Partial-Page Truncation of File
XNU has various interfaces that permit creating copy-on-write copies of data between processes, including out-of-line message descriptors in mach messages. It is important that the copied memory is protected against later modifications by the source process; otherwise, the source process might ...