The vulnerability exists in the ArgumentsEliminationPhase::transform function of V8. Whether or not the 'argumentCountIncludingThis <= varargsData->limit' condition is satisfied, it removes the |node| variable and exits the switch statement. So when the condition is not satisfied, the arguments object created by the following code (CreateDirectArguments in the PoC) may have uninitialized values and an uninitialized length.
The method considers the case where |this|'s type is ArrayWithUndecided, but does not consider whether |otherArray|'s type is ArrayWithUndecided that may have uninitialized data. So, when the memcpy function is called, |otherArray|'s uninitialized memory may be copied to |this| which has a type. The PoC code creates an array with uninitialized memory and then uses the Array.prototype.concat.apply() method to copy the uninitialized memory to a new array.
The Array.prototype.splice function in JavaScript can be used to trigger an out-of-bounds read. If a garbage collection is triggered before the values in the array are initialized, the garbage collector will refer to the uninitialized values. This can be exploited by creating an array with a large number of elements, and then using the splice function to access the uninitialized values.
At (a), it should flush the scope register of inlineStackEntry->m_codeBlock instead of m_codeBlock. But it doesn't. As a result, the scope register of inlineStackEntry->m_codeBlock may have an incorrect offset in the stack layout phase. The proof-of-concept code provided throws an exception to trigger the vulnerability.
When using the user frontend of the REDDOXX appliance reachable via http://www.example.com/rws/user/, HTTP POST requests are used to perform certain actions. For example, the following request is used to save the settings of the current user's profile. An attacker can use the same request to list directory contents and download arbitrary files from the affected system with root permissions.
The administrative interface of the REDDOXX appliance offers several diagnostic tools in the "Diagnostic Center". Ping is one of these tools. The interface for this tool contains two input fields, which allow users to specify a target host and a packet count. Through the ISO provided on the vendor's homepage, it was possible to analyze how these inputs are embedded into the command line of the ping command. The parameter $parameter->targetHost is not properly sanitized, which allows attackers to inject arbitrary command-line parameters. The following request will execute the command "id" on the appliance:

    POST /cgi-bin/diag.cgi HTTP/1.1
    Host: <host>
    Content-Type: application/x-www-form-urlencoded
    Content-Length: <length>

    action=executeDiag&targetHost=127.0.0.1;id

The output of the command will be displayed in the web interface.
IPFire, a free Linux-based open-source firewall distribution, in versions prior to 2.19 Update Core 110 contains a remote command execution vulnerability in the ids.cgi page via the OINKCODE field.
PaulShop CMS is vulnerable to SQL Injection and Stored XSS. An attacker can inject malicious SQL queries into the 'q' parameter of the search page and inject malicious JavaScript code into the parameters of the member's profile page.
When uploading a file, the FileUploadServlet class does not check the user-controlled fileName parameter using the hasVulnerabilityInFileName function. This allows a remote attacker to create a malicious file and place it under a directory that allows server-side scripts to run, which results in remote code execution in the context of SYSTEM.
MAWK (AWK Interpreter) 1.3.3-17 and prior is prone to a stack-based buffer overflow vulnerability because the application fails to perform adequate boundary checks on user-supplied input. An attacker could exploit this vulnerability to execute arbitrary code in the context of the application. Failed exploit attempts will result in a denial-of-service condition.