The binding code generator doesn't add checks to ensure that the callback properties of a dictionary are indeed JS functions. This can lead to an attacker being able to inject malicious code into the application.
The compositor thread in WebKitGTK+ might alter a FilterOperation object's reference count variable at the same time as the main thread. Then the reference count corruption might lead to a UAF condition. Reproduction case involves creating an iframe, cloning a style element, and creating a div element with a filter applied to it. The div element is then cloned and appended to the iframe's body multiple times. This can lead to a UAF condition.
When fuzzing JavaScriptCore, an exploit was discovered which crashes jsc from current HEAD and release. The exploit involves a watchpoint being triggered, followed by a GC which frees the jettisoned CodeBlock. A second watchpoint is then triggered, jettisoning the same CodeBlock again and thus crashing when touching the already freed memory. The exploit also inserts elements into the Array prototype so the first loop runs longer in the second invocation.
Privileged IPC services in userspace often have to verify the security context of their client processes (such as whether the client is sandboxed, has a specific entitlement, or is signed by some code signing authority). This, in turn, requires a way to identify a client process. If PIDs are used for that purpose, the following attack becomes possible: The (unprivileged) client process sends an IPC message to a privileged service, the client process terminates and spawns a privileged process into its PID, the privileged service performs the security check, but since the PID has been reused it performs it on the wrong process. This attack is feasible because the PID space is usually fairly small (e.g. 100000 for XNU) and PIDs can thus be wrapped around relatively quickly (in step 2 or up front). As such, on darwin platforms the recommended way to identify IPC clients for the purpose of performing security checks in userspace is to rely on the audit_token.
A vulnerability in JavaScriptCore allows an attacker to abuse the structure transition cache to gain arbitrary read/write access to memory. The vulnerability occurs when an array prototype chain contains an object with indexed accessors. This causes the engine to switch the indexing mode of all arrays to ArrayWithSlowPutStorage, which allows an attacker to bypass the type inference mechanism and write arbitrary values to memory.
A bug in IonMonkey leaves type inference information inconsistent, which in turn allows the compilation of JITed functions that cause type confusions between arbitrary objects. This can be exploited by creating a JavaScript object with a prototype, then changing the prototype and assigning a new property to the object. The new property is then assigned a value that is the same as the object itself, which causes the type inference information to become inconsistent. This can lead to a crash or other unexpected behavior.
There are no file extension controls on Image Manager. If an authorized user is obtained, it is possible to run a malicious PHP file on the server. The following basic python exploit uploads and executes PHP File for you.
An attacker could run a remote code after an authorized user login using the parameter.
An attacker can access all data following an authorized user login using the parameter. The Proof of Concept (POC) includes three types of SQLi: boolean-based blind, time-based blind, and error-based.
An SQL injection vulnerability exists in iScripts ReserveLogic, which allows an attacker to execute arbitrary SQL commands via the vulnerable parameter jqSearchDestination in a POST request.
Services By CQR