
1779 matches found

OSV
added 2018/11/12 3:29 p.m., 18 views

CVE-2018-19198

An issue was discovered in uriparser before 0.9.0. UriQuery.c allows an out-of-bounds write via a uriComposeQuery or uriComposeQueryEx function because the '&' character is mishandled in certain contexts...

9.8 CVSS, 6.7 AI score
Exploits: 0, References: 4
Exploit DB
added 2018/10/29 12:0 a.m., 41 views

systemd - 'reexec' State Injection

I am sending this bug report to Ubuntu, even though it's an upstream bug, as requested at https://github.com/systemd/systemd/blob/master/docs/CONTRIBUTING.md#security-vulnerability-reports . When systemd re-executes e.g. during a package upgrade, state is serialized into a memfd before the execv...

7.4 AI score
Exploits: 0
ossfuzz
added 2018/10/27 7:15 a.m., 14 views

radare2/ia_fuzz: Heap-buffer-overflow in store_versioninfo_gnu_versym

Project: https://github.com/radare/radare2.git Detailed report: https://oss-fuzz.com/testcase?key=5703341781811200 Project: radare2 Fuzzer: aflradare2iafuzz Fuzz target binary: iafuzz Job Type: aflasanradare2 Platform Id: linux Crash Type: Heap-buffer-overflow READ 4 Crash Address: 0x61a000017908...

6.8 AI score
Exploits: 0, Affected Software: 1
0day.today
added 2018/10/26 12:0 a.m., 74 views

Linux systemd Symlink Dereference Via chown_one() Exploit

Linux suffers from an issue with systemd where chown_one() can dereference symlinks. systemd: chown_one() can dereference symlinks CVE-2018-15687 I am sending this bug report to Ubuntu, even though it's an upstream bug, as requested at...

0.2 AI score, 0.01058 EPSS
Exploits: 4
0day.today
added 2018/10/10 12:0 a.m., 60 views

ghostscript - executeonly Bypass with errorhandler Setup Exploit

Exploit for linux platform in category local exploits While documenting bug 1675, I noticed another problem with errordict in ghostscript. Full working exploit that works in the last few versions is attached, viewing it in evince, imagemagick, gimp, okular, etc should add a line to /.bashrc...

0.1 AI score, 0.0998 EPSS
Exploits: 2
Openbugbounty
added 2018/10/06 3:25 p.m., 12 views

bibliothequekandinsky.centrepompidou.fr XSS vulnerability

Open Bug Bounty ID: OBB-683193

Description| Value
---|---
Affected Website:| bibliothequekandinsky.centrepompidou.fr
Open Bug Bounty Program:| Create your bounty program now. It's open and free.
Vulnerable Application:| hidden until disclosure
Vulnerability Type:| XSS Cross Site Scripting / CWE-7...

0.1 AI score
Exploits: 0
Krebs on Security
added 2018/09/28 7:36 p.m., 39 views

Facebook Security Bug Affects 90M Users

Facebook said today some 90 million of its users may get forcibly logged out of their accounts after the company fixed a rather glaring security vulnerability in its Web site that may have let attackers hijack user profiles. In a short blog post published this afternoon, Facebook said hackers hav...

6.9 AI score
Exploits: 0
OSV
added 2018/09/16 3:29 p.m., 1 views

UBUNTU-CVE-2018-17082

The Apache2 component in PHP before 5.6.38, 7.0.x before 7.0.32, 7.1.x before 7.1.22, and 7.2.x before 7.2.10 allows XSS via the body of a "Transfer-Encoding: chunked" request, because the bucket brigade is mishandled in the php_handler function in sapi/apache2handler/sapi_apache2.c...

6.1 CVSS, 6.7 AI score, 0.04103 EPSS
Exploits: 1, References: 5
ossfuzz
added 2018/09/15 4:18 p.m., 12 views

skia/region_set_path: Heap-buffer-overflow in SkRgnBuilder::blitH

Project: https://skia.googlesource.com/skia.git Detailed report: https://oss-fuzz.com/testcase?key=5762773770829824 Project: skia Fuzzer: aflskiaregionsetpath Fuzz target binary: regionsetpath Job Type: aflasanskia Platform Id: linux Crash Type: Heap-buffer-overflow WRITE 4 Crash Address:...

6.8 AI score
Exploits: 0, Affected Software: 1
Slackware Linux
added 2018/09/15 12:54 a.m., 50 views

[slackware-security] php

New php packages are available for Slackware 14.0, 14.1, 14.2, and -current to fix security issues. Here are the details from the Slackware 14.2 ChangeLog: patches/packages/php-5.6.38-i586-1slack14.2.txz: Upgraded. One security bug has been fixed in this release: Apache2: XSS due to the header...

6.4 AI score
Exploits: 0
Exploit DB
added 2018/09/11 12:0 a.m., 121 views

Android - 'zygote->init;' Chain from USB Privilege Escalation

After reporting https://bugs.chromium.org/p/project-zero/issues/detail?id=1583 Android ID 80436257, CVE-2018-9445, I discovered that this issue could also be used to inject code into the context of the zygote. Additionally, I discovered a privilege escalation path from zygote to init; that...

7.2 CVSS, 6.8 AI score, 0.0082 EPSS
Exploits: 5
Tenable Nessus
added 2018/09/06 12:0 a.m., 31 views

RHEL 7 : collectd (RHSA-2018:2615)

The remote Redhat Enterprise Linux 7 host has packages installed that are affected by multiple vulnerabilities as referenced in the RHSA-2018:2615 advisory. collectd is a host-based system statistics collection daemon that gathers metrics from various sources periodically, such as the operating...

10 CVSS, 6.9 AI score, 0.03997 EPSS
Exploits: 0, References: 8
RedHat Linux
added 2018/09/04 1:17 p.m., 34 views

Moderate: Red Hat Security Advisory: collectd security update

An update for collectd is now available for Red Hat Gluster Storage 3.4 for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System CVSS base score, which gives a detailed severity rating, is availab...

10 CVSS, 6.8 AI score, 0.03997 EPSS
Exploits: 0, References: 4
ossfuzz
added 2018/08/28 8:30 a.m., 14 views

glib/fuzz_variant_text: Use-of-uninitialized-value in token_stream_prepare

Detailed report: https://oss-fuzz.com/testcase?key=5190924467437568 Project: glib Fuzzer: libFuzzerglibfuzzvarianttext Fuzz target binary: fuzzvarianttext Job Type: libfuzzermsanglib Platform Id: linux Crash Type: Use-of-uninitialized-value Crash Address: Crash State: tokenstreamprepare...

6.7 AI score
Exploits: 0, Affected Software: 1
Openbugbounty
added 2018/08/25 1:33 p.m., 15 views

camaramirimdoce.sc.gov.br XSS vulnerability

Open Bug Bounty ID: OBB-669127

Description| Value
---|---
Affected Website:| camaramirimdoce.sc.gov.br
Open Bug Bounty Program:| Create your bounty program now. It's open and free.
Vulnerable Application:| Custom Code
Vulnerability Type:| XSS Cross Site Scripting / CWE-79
CVSSv3 Score:| 6.1...

Exploits: 0
UbuntuCve
added 2018/08/18 2:29 a.m., 40 views

CVE-2018-15494

In Dojo Toolkit before 1.14, there is unescaped string injection in dojox/Grid/DataGrid...

9.8 CVSS, 7.2 AI score, 0.02611 EPSS
Exploits: 2, References: 4
ossfuzz
added 2018/08/11 11:11 p.m., 14 views

unrar/unrar_fuzzer: Crash in __msan_memcpy.part.51

Project: https://github.com/aawc/unrar.git Detailed report: https://oss-fuzz.com/testcase?key=5766983634124800 Project: unrar Fuzzer: libFuzzerunrarfuzzer Fuzz target binary: unrarfuzzer Job Type: libfuzzermsanunrar Platform Id: linux Crash Type: UNKNOWN WRITE Crash Address: 0x72ffffffffe0 Crash...

6.4 AI score
Exploits: 0, Affected Software: 1
Openbugbounty
added 2018/08/11 12:3 a.m., 11 views

ww2.jobscale.com XSS vulnerability

Open Bug Bounty ID: OBB-662569

Description| Value
---|---
Affected Website:| ww2.jobscale.com
Open Bug Bounty Program:| Create your bounty program now. It's open and free.
Vulnerable Application:| Custom Code
Vulnerability Type:| XSS Cross Site Scripting / CWE-79
CVSSv3 Score:| 6.1...

Exploits: 0
Hacker One
added 2018/08/07 9:32 p.m., 15 views

Monero: Malicious get_random_rct_outs.bin rpc can cause a near-infinite loop

Summary: An unsanitized get_random_rct_outs.bin rpc request can cause the rpc handler to go into an effectively infinite-loop, peg the cpu, and block other requests from completing. Description: The rpc endpoint /get_random_rct_outs.bin takes a uint64 outscount as input and will return that many random...

6.7 AI score
Exploits: 0
Hacker One
added 2018/08/06 2:28 p.m., 18 views

Node.js third-party modules: Code Injection Vulnerability in dot Package

I would like to report a code injection vulnerability in dot. It allows attackers to execute arbitrary JS code, especially when combined with a prototype pollution attack. Module module name: dot version: 1.1.2 npm page: https://www.npmjs.com/package/dot Module Description Created in search of th...

6.5 CVSS, 0.8 AI score, 0.02138 EPSS
Exploits: 1