The JavascriptNativeFloatArray::SetItem function does not check the double value given as the parameter. If the double value given as the parameter equals to JavascriptNativeFloatArray::MissingItem, it converts the float array to a var array. This can lead to type confusion.
An attacker can inject malicious JavaScript code into the Status box of the WebSocket Live Chat application, which will be executed when someone opens the profile of the attacker.
There is a type confusion issue in the TextFormat constructor that is reachable because the FileReference constructor does not verify that the incoming object is of type Object (it only checks that the object is not native backed). The TextFormat constructor first sets a new object to type TextFormat, and then calls into script several times before setting the native backing object. If one of these script calls then calls into the FileReference constructor, the object can be set to type FileReference, and then the native object will be set to the TextFormat, leading to type confusion.
There is a use-after-free in MovieClip.swapDepths, a POC is as follows: var clip1 = this.createEmptyMovieClip("clip1", 1); var clip2 = this.createEmptyMovieClip("clip2", 2); var n = {valueOf: func, toString: func}; clip1.swapDepths(n); function func(){ clip1.removeMovieClip(); //_root.createEmptyMovieClip("test", 1); trace("here"); return "clip2"; } A swf and fla are attached.
If a watch is set on the childNodes object of an XML object, and then the XML object is manipulated in a way that causes its child nodes to be enumerated, the watch will trigger. If the function in the watch deletes all the child nodes, the buffer containing the nodes will be deleted, even though the original function will still access it when it unwinds. This can lead to a childnodes array in ActionScript containing pointers that can be specified by an attacker.
An instance of ActionScript's Sound class allows for loading and extracting for further processing any kind of external data, not only sound files. Same-origin policy doesn't apply here. Each input byte of raw data, loaded previously from given URL, is encoded by an unspecified function to the same 8 successive sample blocks of output. The sample block consists of 8 bytes (first 4 bytes for left channel and next 4 bytes for right channel). Only 2 bytes from 8 sound blocks (64 bytes) are crucial, the rest 52 bytes are useless. Each byte of input from range 0-255 has corresponding constant unsigned integer value (a result of encoding), so for decoding purposes you can use simply lookup table (cf. source code from BoundlessTunes.as). Put attached file BoundlessTunes.swf on the HTTP server. Open http://<SERVER_HOSTNAME>/BoundlessTunes.swf?url=<URL> where <URL> is an URL address (e.g. leading to cross-origin resource). A received response will be displayed in alert window.
There is an error in the PCRE engine version used in Flash that allows the execution of arbitrary PCRE bytecode, with potential for memory corruption and RCE. The issue occurs in the handling of zero-length assertions; ie assertions where the object of the assertion is prepended with the OP_BRAZERO operator. Simplest testcase that will crash in an ASAN build is the following: (?(?<a>)?)
Nuts CMS is vulnerable to php code injection due to improper input validation. An attacker can exploit this vulnerability by sending a malicious HTTP request to the vulnerable server with a payload that will be executed on the server.
Authenticated user can execute arbitrary SQL queries via SQL injection in the functionality that allows to publish/unpublish an event.
The code in downloadpdffile.php doesn't do any sanity checks, allowing a remote attacker to download sensitive system files. An attacker can use a curl command to download the file from the server.
Services By CQR