50 matches found
nanoid 代码问题漏洞
nanoid is a small, secure, URL-friendly, unique string ID generator for JavaScript. nanoid is vulnerable, stemming from nanoid's vulnerability to information exposure via the valueOf function, which allows the last generated id to be reproduced. no details of the vulnerability are currently...
Information Exposure
Overview Affected versions of this package are vulnerable to Information Exposure via the valueOf function which allows to reproduce the last id generated. PoC javascript import nanoid from 'nanoid'; const makeProxyNumberToReproducePreviousID = = let step = 0; return valueOf // // if !pool ||...
Cross-site Scripting (XSS)
Mozilla Firefox and Thunderbird is vulnerable to cross-site scripting XSS. The use of valueOf method to shadow the location object window.location is not prevented, allowing for remote attackers to inject arbitrary Javascript into a victim's web browser via a malicious plugin...
Microsoft Edge: Use-after-free in TypedArray.sort(CVE-2016-7288)
There is a use-after-free in the TypedArray. sort. In TypedArrayCompareElementsHelper https://chromium.googlesource.com/external/github.com/Microsoft/ChakraCore/+/TimeTravelDebugging/lib/Runtime/Library/TypedArray.cpp, the comparison function is called with the following code: Var retVal =...
Adobe Flash MovieClip.startDrag - Use-After-Free
Exploit for windows platform in category dos / poc Source: https://code.google.com/p/google-security-research/issues/detail?id=592 There is a use-after-free in MovieClip.startDrag. If a parameter an object with valueOf defined, this method can free the MovieClip, which is then used. A minimal POC...
Adobe Flash MovieClip.attachMovie - Use-After-Free
Source: https://code.google.com/p/google-security-research/issues/detail?id=571 There is a use-after-free in MovieClip.attachMovie. If a string parameter has toString defined, a number parameter has valueOf defined or an object parameter has its constructor redefined, it can execute code and free...
Adobe Flash Selection.SetSelection - Use-After-Free
Source: https://code.google.com/p/google-security-research/issues/detail?id=590 There is a use-after-free in Selection.SetSelection. If it is called with a number parameter, which is an object with valueOf defined, and this function frees the parent of the TextField parameter, the object is used...
Adobe Flash TextField.tabIndex Setter - Use-After-Free
Exploit for windows platform in category dos / poc Source: https://code.google.com/p/google-security-research/issues/detail?id=574 There is a use-after-free in the TextField.tabIndex setter. If the integer parameter is an object with valueOf defined, then it can free the TextField's parent, leadi...
Adobe Flash TextField.thickness Setter - Use-After-Free
Adobe Flash TextField.thickness Setter - Use-After-Free Source: https://code.google.com/p/google-security-research/issues/detail?id=587 There is a use-after-free in the TextField thickness setter. If the thickness parameter is an object with valueOf set to a function which frees the TextField...
Adobe Flash TextField.tabIndex Setter - Use-After-Free
Source: https://code.google.com/p/google-security-research/issues/detail?id=574 There is a use-after-free in the TextField.tabIndex setter. If the integer parameter is an object with valueOf defined, then it can free the TextField's parent, leading to a use-after-free. A minimal PoC follows: var...
lib32-flashplugin: arbitrary code execution
CVE-2015-5122 arbitrary code execution Use-after-free vulnerability in the DisplayObject class in the ActionScript 3 AS3 implementation allows remote attackers to execute arbitrary code or cause a denial of service memory corruption via crafted Flash content that leverages improper handling of...
Adobe Flash Player ActionScript 3 Memory Misreference Vulnerability
Adobe Flash Player is a cross-platform, browser-based multimedia player product from Adobe. The product supports cross-screen and browser viewing of applications, content and videos. A memory misreference vulnerability exists in the 'ByteArray' class in the ActionScript 3 AS3 implementation of...
PT-2015-1512 · Adobe +3 · Flash Player +3
Name of the Vulnerable Software and Affected Versions: Adobe Flash Player versions 11.x through 11.2.202.481 Adobe Flash Player versions 12.x through 18.0.0.204 Adobe Flash Player versions 13.x through 13.0.0.302 Adobe Flash Player versions 14.x through 18.0.0.203 Description: The issue is relate...
UBUNTU-CVE-2015-5119
Use-after-free vulnerability in the ByteArray class in the ActionScript 3 AS3 implementation in Adobe Flash Player 13.x through 13.0.0.296 and 14.x through 18.0.0.194 on Windows and OS X and 11.x through 11.2.202.468 on Linux allows remote attackers to execute arbitrary code or cause a denial of...
Design/Logic Flaw
Use-after-free vulnerability in the ByteArray class in the ActionScript 3 AS3 implementation in Adobe Flash Player 13.x through 13.0.0.296 and 14.x through 18.0.0.194 on Windows and OS X and 11.x through 11.2.202.468 on Linux allows remote attackers to execute arbitrary code or cause a denial of...
CVE-2015-5119
Use-after-free vulnerability in the ByteArray class in the ActionScript 3 AS3 implementation in Adobe Flash Player 13.x through 13.0.0.296 and 14.x through 18.0.0.194 on Windows and OS X and 11.x through 11.2.202.468 on Linux allows remote attackers to execute arbitrary code or cause a denial of...
Adobe Flash ActionScript ByteArray Buffer UAF 代码执行
Vulcan 在第一时间进行了分析, 下面都是基于该报告1进行说明:漏洞的形成原因是 Clasz 类型给 ByteArray 类型赋值时调用 valueOf 函数过程中 buffer 使用不当,从而造成 Use After Free 漏洞。forvar i:int; i alen; i+=3 ai = new Class2i; ai+1 = new ByteArray; // 这里产生 ByteArray 类型数据 ai+1.length = 0xfa0; // 这里将 ByteArray 类型数据的初始长度设置为 0xfa0 // 进入 Adobe Flash Player 之后...
Unsafe Object Deserialization
Overview Affected versions of this package are vulnerable to Unsafe Object Deserialization. POC The exploitable code: js hasOwnProperty.constructor.prototype.valueOf = valueOf.call; "a", "alert1".sorthasOwnProperty.constructor; The exploit: - 1. Array.sort takes a comparison function and passes i...
Mozilla: XrayWrappers can be bypassed to run user defined methods in a privileged context (MFSA 2013-59)
The XrayWrapper implementation in Mozilla Firefox before 22.0, Firefox ESR 17.x before 17.0.7, Thunderbird before 17.0.7, and Thunderbird ESR 17.x before 17.0.7 does not properly restrict use of DefaultValue for method calls, which allows remote attackers to execute arbitrary JavaScript code with...
Mozilla: XrayWrappers can be bypassed to run user defined methods in a privileged context (MFSA 2013-59)
The XrayWrapper implementation in Mozilla Firefox before 22.0, Firefox ESR 17.x before 17.0.7, Thunderbird before 17.0.7, and Thunderbird ESR 17.x before 17.0.7 does not properly restrict use of DefaultValue for method calls, which allows remote attackers to execute arbitrary JavaScript code with...