30 matches found
CVE-2023-39332
Various node:fs functions allow specifying paths as either strings or Uint8Array objects. In Node.js environments, the Buffer class extends the Uint8Array class. Node.js prevents path traversal through strings see CVE-2023-30584 and Buffer objects see CVE-2023-32004, but not through non-Buffer...
CVE-2023-39332
Various node:fs functions allow specifying paths as either strings or Uint8Array objects. In Node.js environments, the Buffer class extends the Uint8Array class. Node.js prevents path traversal through strings see CVE-2023-30584 and Buffer objects see CVE-2023-32004, but not through non-Buffer...
CVE-2023-39332
Various node:fs functions allow specifying paths as either strings or Uint8Array objects. In Node.js environments, the Buffer class extends the Uint8Array class. Node.js prevents path traversal through strings see CVE-2023-30584 and Buffer objects see CVE-2023-32004, but not through non-Buffer...
Node.js: Path traversal through path stored in Uint8Array
A vulnerability was discovered in Node.js that allowed path traversal through Uint8Array objects. This vulnerability affected users using the experimental permission model in Node.js 20...
Google Chrome - Integer Overflow when Processing WebAssembly Locals
Google Chrome - Integer Overflow when Processing WebAssembly Locals / When v8 decodes the locals of a function, it performs a check: if count + typelist-size kV8MaxWasmFunctionLocals decoder-errordecoder-pc - 1, "local count too large"; return false; On a 32-bit platform, this check can be bypass...
Google Chrome: Integer Overflow when Processing WebAssembly Locals(CVE-2018-6092)
When v8 decodes the locals of a function, it performs a check: if count + typelist-size kV8MaxWasmFunctionLocals decoder-errordecoder-pc - 1, "local count too large"; return false; On a 32-bit platform, this check can be bypassed due to an integer overflow. This allows the number of function loca...
Microsoft Edge Chakra: JIT - OP_Memset Type Confusion
Microsoft Edge Chakra: JIT - OPMemset Type Confusion / Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1357 function opta, b, v if b.length b0 = ; return 0; ; printb0; main;...
Microsoft Edge Chakra JIT Bailout Generation
Microsoft Edge: Chakra: JIT: Bailouts must be generated for OPMemset CVE-2017-11873 function opta, b, v if b.length b0 = ; return 0; ; printb0; main; This bug is subject to a 90 day disclosure deadline. After 90 days elapse or a patch has been made broadly available, the bug report will become...
MS16-145: Edge browser the TypedArray. sort UAF vulnerability analysis-vulnerability warning-the black bar safety net
In this article, we will provide the reader detailed analysis of how to use the MS Edge browser in the UAF vulnerability to remote code execution. This article will provide readers in-depth analysis of the impact of MS Edge CVE-2016-7288 UAF vulnerability root causes, and how to reliably trigger...
Microsoft Edge - TypedArray.sort Use-After-Free (MS16-145)
!-- Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=983 There is a use-after-free in TypedArray.sort. In TypedArrayCompareElementsHelper https://chromium.googlesource.com/external/github.com/Microsoft/ChakraCore/+/TimeTravelDebugging/lib/Runtime/Library/TypedArray.cpp, the...