Project Zero Bug Tracker
Qualcomm Adreno/KGSL: unchecked cast of vma->vm_file->private_data in kgsl_setup_dmabuf_useraddr()
Project Zero Bug Tracker
Qualcomm Adreno/KGSL: pages can be freed to page pool while having GPU references [on !CONFIG_QCOM_KGSL_USE_SHMEM]
Google Online Security Blog
Adding Chrome Browser Cloud Management remediation actions in Splunk using Alert Actions
Posted by Ashish Pujari, Chrome Security Team Introduction Chrome is trusted by millions of business users as a secure enterprise brow...
Synacktiv
Exploring Android Heap allocations in jemalloc 'new'
When writing an exploit for a memory corruption vulnerability, knowing the heap allocator internals is often required to shape the heap as desired. This article will dive into one of Android libc allo
GitLab - HackerOne
high - Stored XSS in merge request pages (3500.00USD)
Hello Gitlab! [Vulnerable code](https://gitlab.com/gitlab-org/gitlab/blob/9d81e97d9d111f874799605ce50ae480ae15b0c5/app/assets/javascripts/vue_merge_request_widget/components/states/mr_widget_rebase.vue#L47) To reproduce the bug, we need to open a merge request with the following conditions: 1. Project must have 'Merge commit with semi-linear history' or 'Fast-forward merge' merge method 2....
NCC Group Research Blog
Technical Advisory – Multiple Vulnerabilities in Faronics Insight (CVE-2023-28344, CVE-2023-28345, CVE-2023-28346, CVE-2023-28347, CVE-2023-28348, CVE-2023-28349, CVE-2023-28350, CVE-2023-28351, CVE-2023-28352, CVE-2023-28353)
Introduction Faronics Insight is a feature rich software platform which is deployed on premises in schools. The application enables teachers to administer, control and interact with student devices
research.securitum.com
XSS in WordPress via open embed auto discovery
Introduction Users often assume that known software is free of security flaws because it has been checked by a sufficient number of tools and security testers. However, this is not an assumption that a pentester or bug hunter can afford to make. Vulnerabilities may lurk in various places, and finding an interesting bug often requires ...
Google Online Security Blog
Time to challenge yourself in the 2023 Google CTF!
The latest news and insights from Google on security and safety on the Internet
talosintelligence.com
Mitsubishi Electric Corporation MELSEC iQ-F FX5U MELSOFT Direct memory corruption vulnerability
Discovered by Matt Wiseman of Cisco Talos. SUMMARY A memory corruption vulnerability exists in the MELSOFT Direct functionality of Mitsubishi Electric Corporation MELSEC iQ-F FX5U v1.240 and v1.260...
Google Online Security Blog
Google Trust Services ACME API available to all users at no cost
David Kluge, Technical Program Manager, and Andy Warner, Product Manager Nobody likes preventable site errors, but they happen disappointing...
Zero Day Initiative
Exploiting the Sonos One Speaker Three Different Ways: A Pwn2Own Toronto Highlight
During Pwn2Own Toronto 2022, three different teams successfully exploited the Sonos One Speaker. In total, $105,000 was awarded to the three teams, with the team of Toan Pham and Tri Dang from Qrious Secure winning $60,000 since their entry was first on the schedule. Part of Pwn2Own competitions inv
CVE-2022-3723: Logic Issue in Turbofan JIT Compiler
Information about 0-days exploited in-the-wild!
Kubernetes - HackerOne
high - Bypass validation parts in AWS IAM Authenticator for Kubernetes (2500.00USD)
## Summary: Whenever the aws-iam-authenticator server gets a POST request to /authenticate it extracts the token and validates it. The token's content is a signed AWS STS request to the GetCallerIdentity endpoint, where the response content is used to map to matching K8s identity (username, groups). I found several bypasses to validation parts in [AWS IAM...
Google Online Security Blog
Announcing the launch of GUAC v0.1
Brandon Lum and Mihai Maruseac, Google Open Source Security Team Today, we are announcing the launch of the v0.1 version of Graph for Unders...
Google Online Security Blog
How the Chrome Root Program Keeps Users Safe
Posted by Chrome Root Program, Chrome Security Team What is the Chrome Root Program? A root program is one of the foundations for se...
Praetorian
Content Discovery: Understanding Your Web Attack Surface
An optimized content discovery phase involves crawling and brute forcing the attack surface while balancing depth, cost, and detection risk.
Praetorian
In Brief: Chariot Alignment with FDA Section 524B.1
Chariot offers a simple solution for medical device manufacturers to conduct the ongoing postmarket monitoring that Section 524B.1 requires.
www-users.cs.umn.edu
Practical Program Modularization with Type-Based Dependence Analysis
goshawk.code-analysis.org
Goshawk: Hunting Memory Corruptions via Structure-Aware and Object-Centric Memory Operation Synopsis
Goshawk: Hunting Memory Corruptions via Structure-Aware and Object-Centric Memory Operation Synopsis 1. Introduction Goshawk is an automated memory corruption bug detection system, which first auto...
CVE-2022-41073: Windows Activation Contexts EoP
Information about 0-days exploited in-the-wild!
Zero Day Initiative
CVE-2023-20869/20870: Exploiting VMware Workstation at Pwn2Own Vancouver
This post covers an exploit chain demonstrated by Nguyễn Hoàng Thạch ( @hi_im_d4rkn3ss ) of STAR Labs SG Pte. Ltd. during the Pwn2Own Vancouver event in 2023. During the contest , he used an uninitialized variable bug and a stack-based buffer overflow in VMware to escalate from a guest OS t
Reddit - HackerOne
critical - HTML injection in API response including request url
Hi Reddit, I found a way to distribute, persist & store illegal images such as child porn, beheadings on reddit and in plain sight. I can also store & distribute xml, json data eg illegal links. I can also store & communicate illegal instructions aka terrorist messages in html and plain text. This hack also bypasses all security related to detecting illegal messages &...
Reddit - HackerOne
critical - read and message other user's messages
Go to your account's chat page, stop the request and change the reddit session parameter. Now leave the request and you will be able to access the test account's chat screen. Send the request to the repeater, change the reddit session parameter and send it; then you will see the return result is 200. Show reply in browser, and copy and paste the address into your browser; you will access the chat...
Reddit - HackerOne
high - [accounts.reddit.com] Redirect parameter allows for XSS (5000.00USD)
## Summary: Hello team! I was tampering with the dest parameter in accounts.reddit.com and found out it is vulnerable to Cross Site Scripting once the victim performs the log in. ## Steps To Reproduce: 1. Enter to the following link: ```https://accounts.reddit.com/?dest=javascript:alert(document.domain)``` - If not signed in, the user will be prompted to log in and after doing so XSS will...
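The report above describes a post-login redirect that hands a `dest` parameter to navigation without checking its scheme, so a `javascript:` URL runs in the page's origin. The following is an added example written for this listing, not code from the report or from Reddit: the `unsafeRedirectTarget` function models that flaw class, and `safeRedirectTarget` shows the check a practitioner would want, parsing with the WHATWG URL API, requiring http(s), requiring the site's own origin, and falling back to a safe path. The function names and the `allowedOrigin` parameter are hypothetical.

```javascript
// Added example, not the report's or Reddit's code.
// Models a post-login redirect driven by a `dest` query parameter.

// Vulnerable pattern: the raw parameter is returned for assignment to
// window.location, so "javascript:alert(document.domain)" executes.
function unsafeRedirectTarget(dest) {
  return dest;
}

// Hardened pattern. `allowedOrigin` (assumed, e.g. "https://www.reddit.com")
// is the only origin we will send the user to; anything else, including
// non-http(s) schemes and protocol-relative "//evil" values, becomes `fallback`.
function safeRedirectTarget(dest, allowedOrigin, fallback = "/") {
  if (typeof dest !== "string" || dest.length === 0) return fallback;

  let url;
  try {
    // Relative paths ("/r/test") resolve against our own origin; absolute
    // URLs keep their own scheme and host. The parser also lowercases the
    // scheme and strips embedded tabs/newlines, so "JavaScript:" and
    // "java\tscript:" variants are normalised before the check below.
    url = new URL(dest, allowedOrigin);
  } catch {
    return fallback; // unparseable input is never a valid destination
  }

  if (url.protocol !== "https:" && url.protocol !== "http:") return fallback;
  if (url.origin !== new URL(allowedOrigin).origin) return fallback;

  return url.href;
}
```

The origin comparison, not a prefix or substring check on the string, is what defeats lookalike hosts such as `https://www.reddit.com.attacker.example` and backslash tricks the URL parser normalises to a different host.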
Google Online Security Blog
New Android & Google Device Vulnerability Reward Program Initiatives
Posted by Sarah Jacobus, Vulnerability Rewards Team As technology continues to advance, so do efforts by cybercriminals who look to explo...
pi3 blog
pi3
Bug bounties are broken – the story of “i915” bug, ChromeOS + Intel bounty programs, and beyond
Google Online Security Blog
$22k awarded to SBFT ‘23 fuzzing competition winners
Dongge Liu, Jonathan Metzman and Oliver Chang, Google Open Source Security Team Google's Open Source Security Team recently sponsored a fuzz...
Synacktiv
The printer goes brrrrr, again!
For the second time at Pwn2Own competition, network printers have been featured in Toronto 2022.
Google Online Security Blog
Introducing a new way to buzz for eBPF vulnerabilities
Juan José López Jaimez, Security Researcher and Meador Inge, Security Engineer Today, we are announcing Buzzer , a new eBPF Fuzzing framewor...
MDSec
Nighthawk 0.2.4 – Taking Out The Trash
May 2nd 2023 Congratulations to our new king and in honour of the coronation, we proudly present Nighthawk 0.2.4. Our last Nighthawk public post was for our 0.2.1 release in...
Project Zero Bug Tracker
Shannon Baseband: Negative-size memcpy and oob read when decoding SIP multipart messages
Project Zero Bug Tracker
Shannon Baseband: Stack buffer overflow when decoding SIP Min-SE header
Project Zero Bug Tracker
Shannon Baseband: Stack buffer overflow when decoding SIP Session-Expires header
Project Zero Bug Tracker
Shannon Baseband: Stack buffer overflow when decoding SIP status line
Project Zero Bug Tracker
Shannon Baseband: Heap buffer overflow when decoding SIP Retry-After header
Project Zero Bug Tracker
Shannon Baseband: Stack buffer overflow in SIP URI decoder
Project Zero Bug Tracker
Shannon Baseband: Stack buffer overflow in SIP Via header decoder
Project Zero Bug Tracker
Windows Kernel out-of-bounds reads when operating on invalid registry paths in CmpDoReDoCreateKey/CmpDoReOpenTransKey
Project Zero Bug Tracker
Windows Kernel disclosure of kernel pointers and uninitialized memory through registry KTM transaction log files
Project Zero Bug Tracker
Windows Kernel CmpCleanupLightWeightPrepare registry security descriptor refcount leak leading to UAF
Google Online Security Blog
I/O 2023: What's new in Android security and privacy
Posted by Ronnie Falcon, Product Manager Android is built with multiple layers of security and privacy protections to help keep you, your...
IBM - HackerOne
critical - Subdomain Takeover Affecting at vex.weather.com
Hi @gdattacker Improper Authentication was discovered and reported to IBM, analyzed and has been remediated. Thank you to our external researcher.
Mattermost - HackerOne
high - Reset password link sent over unsecured http protocol (750.00USD)
## Summary: After creating the workspace, if victim clicks on forgot password then reset password link has been generated and sent over mail and that password link is unsecured http protocol. ## Steps To Reproduce: 1. Signup to a workspace 2. Navigate to https://h1-*your-own-instance*.cloud.mattermost.com/reset_password and enter signup email 3. Check email, you will get reset...
Brave Software - HackerOne
high - download file type warning on Windows does not appear if "ask where to save file before downloading" setting is enabled (500.00USD)
It was discovered that the "Ask where to save each file before downloading" setting disables the potentially-malicious file type warning for downloads in Brave. This behavior is also present in Chrome: https://bugs.chromium.org/p/chromium/issues/detail?id=1410578.
talosintelligence.com
Weston Embedded uC-FTPs Authentication authentication bypass vulnerability
Discovered by Kelly Leuschner of Cisco Talos. SUMMARY An authentication bypass vulnerability exists in the Authentication functionality of Weston Embedded uC-FTPs v 1.98.00. A specially crafted set...
Assetnote
Bypass IIS Authorisation with this One Weird Trick - Three RCEs and Two Auth Bypasses in Sitecore 9.3
Application security issues found by Assetnote
talosintelligence.com
Weston Embedded uC-FTPs PORT command parameter extraction out-of-bounds read vulnerability
Discovered by Kelly Leuschner of Cisco Talos. SUMMARY An out-of-bounds read vulnerability exists in the PORT command parameter extraction functionality of Weston Embedded uC-FTPs v 1.98.00. A speci...
Rocket.Chat - HackerOne
high - NoSQL injection in listEmojiCustom method call
A NoSQL injection vulnerability has been identified in the listEmojiCustom method call within Rocket.Chat. This can be exploited by unauthenticated users when there is at least one custom emoji uploaded to the Rocket.Chat instance. The vulnerability causes a delay in the server response, with the potential for limited impact.
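The entry above describes the classic shape of a Meteor/MongoDB injection: a method argument that should be a string reaches the database as a selector, so an unauthenticated caller can supply operator objects, and the observable effect is a slowed response. The following is an added example written for this listing, not Rocket.Chat's code and not the actual listEmojiCustom implementation: `buildEmojiSelectorUnsafe` models the flaw class, `containsOperator` is a generic payload check, and `buildEmojiSelectorSafe` enforces the string type (the equivalent of Meteor's `check(filter, String)`) and escapes regex metacharacters. All function names and the `name` field are hypothetical.

```javascript
// Added example, not Rocket.Chat's code. Models a method that filters
// custom emoji by a caller-supplied value and passes it to MongoDB.

// Vulnerable: whatever JSON the client sends becomes the selector value,
// so {"$regex": "^(a+)+$"} (catastrophic backtracking) or {"$where": "..."}
// reaches the database unchanged, which is how a timing-based probe arises.
function buildEmojiSelectorUnsafe(filter) {
  return { name: filter };
}

// Defence in depth: true if any key at any depth of a client payload is a
// MongoDB operator (starts with "$"). Useful as a first gate on method
// arguments even where an object is legitimately expected.
function containsOperator(value) {
  if (Array.isArray(value)) return value.some(containsOperator);
  if (value !== null && typeof value === "object") {
    return Object.keys(value).some(
      (k) => k.startsWith("$") || containsOperator(value[k])
    );
  }
  return false;
}

// Escape regex metacharacters so the caller cannot control the pattern.
function escapeRegex(s) {
  return s.replace(/[.*+?^${}()|[\]\\]/g, "\\$&");
}

// Hardened: only a plain string is accepted (Meteor's check(filter, String)
// does the same), its length is bounded, and the prefix match is built from
// the escaped literal, so the operator present here is the server's, never
// the client's.
function buildEmojiSelectorSafe(filter) {
  if (typeof filter !== "string") {
    throw new TypeError("filter must be a string");
  }
  if (filter.length > 64) {
    throw new RangeError("filter too long");
  }
  return { name: { $regex: `^${escapeRegex(filter)}`, $options: "i" } };
}

// Method entry point as a practitioner would wire it: reject operator
// payloads outright, then build the selector from the validated string.
function listEmojiCustomSafe(args) {
  if (containsOperator(args)) {
    throw new Error("operator keys are not allowed in method arguments");
  }
  return buildEmojiSelectorSafe(args && args.filter !== undefined ? args.filter : "");
}
```

The type check is the fix; `containsOperator` is a cheap additional gate that catches nested payloads in other fields, but it is no substitute for validating each argument's type and shape.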
Rocket.Chat - HackerOne
high - Moving private messages into vision with updateMessage method
A vulnerability has been discovered in the updateMessage Meteor Method, allowing adversaries to edit messages without proper authorization. This occurs due to insufficient permission checks for the "rid" parameter. Attackers can exploit this issue to leak private messages with known message IDs.
The GitHub Blog
How to fix a ReDoS
Code scanning detects ReDoS vulnerabilities automatically, but fixing them isn't always easy. This blog post describes a 4-step strategy for fixing ReDoS bugs.