
Explore Vulnerabilities


Out-of-Bounds Read Vulnerability in Firefox

An out-of-bounds read vulnerability was discovered in Firefox and confirmed on the nightly ASan build. ASan reports a heap-buffer-overflow on address 0x611000721ecc (pc 0x7fcef25af0e8, bp 0x7ffc23afd1b0, sp 0x7ffc23afd1a8) when a READ of size 4 is attempted at 0x611000721ecc. The faulting read occurs in IsSimpleGlyph (gfxFont.h), reached through the following call chain, innermost frame first: GetAdvanceForGlyph (gfxTextRun.h), GetAdvanceForGlyphs (gfxTextRun.cpp), gfxTextRun::GetAdvanceWidth (gfxTextRun.cpp), nsTextFrame::TrimTrailingWhiteSpace (nsTextFrame.cpp), and nsTextFrame::Reflow (nsTextFrame.cpp).

Bypassing the Same Origin Policy check in Blink

When an object element loads a JavaScript URL (e.g., javascript:alert(1)), Blink checks whether the load violates the Same Origin Policy. The SOP check is made in HTMLPlugInImageElement::allowedToLoadFrameURL. Two things were noticed: document().completeURL is invoked twice for the same URL, and guardedDispatchBeforeLoadEvent dispatches a beforeload event before the SOP check runs. Because the handler runs first, a malicious page can set the object element's URL to a javascript: URL and then, in the beforeload handler, set window.event.url to a different URL, so the SOP check is performed on a URL other than the one that is actually loaded.

FrameLoader::clear() Vulnerability

The FrameLoader::clear() function is called on page navigation. Because of a |m_needsClear| check, it does not properly attach the new window object. This allows an attacker to inject script into a page from another origin, which can be used to steal sensitive information.

Use-after-free in CachedFrameBase::restore

This is a use-after-free vulnerability in the CachedFrameBase::restore method. When the open method is called during the iteration over child frames, the next child frame is attached to a parent frame that still holds the replaced document. This can be exploited by creating two iframes and navigating the first iframe to a malicious page that closes itself after the document is replaced. The second iframe is then able to access the replaced document, allowing an attacker to execute arbitrary code.

ContainerNode.cpp parserInsertBefore() Vulnerability

The vulnerability exists in the parserInsertBefore() function in ContainerNode.cpp and can be exploited to bypass frame restrictions and allow an attacker to run script. It is reached by calling parserRemoveChild(), which can remove the nextChild node from the DOM or move the node elsewhere, leaving the tree in an inconsistent state after the insertBeforeCommon() call.

ParserRemoveChild Vulnerability

This vulnerability is caused by the lack of proper sanitization of user-supplied input in the ContainerNode::parserRemoveChild function. This allows an attacker to inject malicious code into the application, which can be used to execute arbitrary JavaScript code in the context of the application. The attacker can also use this vulnerability to bypass the same-origin policy and gain access to sensitive data.

UAF in Editor::Command::execute

This is a use-after-free vulnerability in the Editor::Command::execute method. The method is invoked under an EventQueueScope, but updateLayoutIgnorePendingStylesheets invokes MediaQueryMatcher::styleResolverChanged, which directly calls handleEvent and is not affected by the EventQueueScope. This can fire JavaScript handlers, which can replace the document so that m_command is executed on the new document's focused element. The PoC also triggers a UAF, so it is recommended to test it on a release build.

Sophos Cyberoam – Cross-site scripting (XSS) vulnerability

Cross-site scripting (XSS) is a type of computer security vulnerability typically found in web applications. XSS enables attackers to inject client-side scripts into web pages viewed by other users. A cross-site scripting vulnerability may be used by attackers to bypass access controls such as the same origin policy. Cross-site scripting carried out on websites accounted for roughly 84% of all security vulnerabilities catalogued by Symantec as of 2007. Their effect may range from a minor annoyance to a significant security risk, depending on the sensitivity of the data handled by the vulnerable site and the nature of any security mitigation implemented by the site's owner.

Dup Scout Enterprise v9.7.18 Import Local Buffer Overflow Vulnerability (SEH)

Dup Scout Enterprise v9.7.18 is vulnerable to a buffer overflow when importing a maliciously crafted XML file. The vulnerability is caused by a boundary error when copying user-supplied data into a fixed-length stack buffer. This can be exploited to cause a stack-based buffer overflow via a specially crafted XML file.
