The fix Ubuntu applied to address the Ghostscript vulnerability identified in CVE-2018-16510 appears to be insufficient.
0ac0bf39a81253812182b1698273af4235df1fa484a59f5032b8a187be3fe340
Ghostscript has an issue where callers of a procedure are not forced to be properly marked as executeonly or as pseudo-operators, allowing complete control of it to be taken.
c212335a3050997bb3269410331972bd215ee205ac25561281f6b950ad7bb670
Ghostscript suffers from an issue where .loadfontloop exposes system operators in the saved execution stack.
f56f6e290aa802089d31f8990302cc11931c689380900d290b6f5d35582d007b
Ghostscript suffers from an executeonly bypass with errorhandler setup.
227c5b9392a6f42cf0122d15af332350cf1583e4b26a4c958b0863f5133bbb38
gsview does not run -dSAFER, allowing for the execution of arbitrary code.
6a94b056b7d504ce2307bdccc8d5e12f15fcf4dca1e0b3b87b1b2cb5cbff9723
Ghostscript has an issue where an error object can expose system operators in the saved execution stack.
dcb624d6a7e684d9f9b8d63bc29a62e9a0cef57276d16e3a9b3f918f9d52cdba
This Metasploit module exploits a -dSAFER bypass in Ghostscript to execute arbitrary commands by handling a failed restore (grestore) in PostScript to disable LockSafetyParams and avoid invalidaccess. This vulnerability is reachable via libraries such as ImageMagick, and this module provides the latest vector for Ghostscript.
9a18d75e03ae94b3478787aa8898389327fe3597f03bcf6872c9a239283731ae
Ghostscript suffers from file disclosure, shell command execution, memory corruption, and type confusion bugs.
373c0403a315de2cc28e94cb3d59abdc4fd65812e918d37aaa7564368a57973a
FromDocToPdf exposes browsing history to all websites.
d7f71fcc058ac2ac713d8c08d38d49fb58106fe0ebb0890f7dc2caf14ad47d76
The Video Downloader Chrome extension suffers from a universal cross site scripting vulnerability.
b5da74f181d1f9d011fafbb0bdf6621ecd124de93f2688457aaf9d1ad4cce81f
This Metasploit module attempts to gain root privileges on Linux systems by abusing a vulnerability in the GNU C Library (glibc) dynamic linker with libmemusage.so library.
866ac744c655ede9c376e4a47945a3a0e64a8cdb089b30ec2822adfef9bb9512
Torrent file parsing in libtransmission suffers from overflow vulnerabilities.
54ad18d8336156df7524e96c3d9da8e72a4e6da0788daef159edd65d3ca2b6b4
This Metasploit module attempts to gain root privileges on Fedora systems with a vulnerable version of Automatic Bug Reporting Tool (ABRT) configured as the crash handler. A race condition allows local users to change ownership of arbitrary files (CVE-2015-3315). This Metasploit module uses a symlink attack on '/var/tmp/abrt/*/maps' to change the ownership of /etc/passwd, then adds a new user with UID=0 GID=0 to gain root privileges. Winning the race could take a few minutes. This Metasploit module has been tested successfully on ABRT packaged version 2.1.5-1.fc19 on Fedora Desktop 19 x86_64, 2.2.1-1.fc19 on Fedora Desktop 19 x86_64 and 2.2.2-2.fc20 on Fedora Desktop 20 x86_64. Fedora 21 and Red Hat 7 systems are reportedly affected, but untested.
01b8bf4ffa026e722d143beb159ab4a57e3e4542e56046a209e14abce7657161
This Metasploit module attempts to gain root privileges on Linux systems by abusing a vulnerability in the GNU C Library (glibc) dynamic linker. glibc ld.so in versions before 2.11.3, and 2.12.x before 2.12.2 does not properly restrict use of the LD_AUDIT environment variable when loading setuid executables which allows control over the $ORIGIN library search path resulting in execution of arbitrary shared objects. This Metasploit module opens a file descriptor to the specified suid executable via a hard link, then replaces the hard link with a shared object before instructing the linker to execute the file descriptor, resulting in arbitrary code execution. The specified setuid binary must be readable and located on the same file system partition as the specified writable directory. This Metasploit module has been tested successfully on glibc version 2.5 on CentOS 5.4 (x86_64), 2.5 on CentOS 5.5 (x86_64) and 2.12 on Fedora 13 (i386). RHEL 5 is reportedly affected, but untested. Some versions of ld.so hit a failed assertion in dl_open_worker causing exploitation to fail.
9a6bdfa99ad597fe9f9517dd0f8bdc9cdeba67fff5dacc64d849ac9bf5bfbfed
This Metasploit module attempts to gain root privileges on Linux systems by abusing a vulnerability in the GNU C Library (glibc) dynamic linker. glibc ld.so in versions before 2.11.3, and 2.12.x before 2.12.2 does not properly restrict use of the LD_AUDIT environment variable when loading setuid executables. This allows loading arbitrary shared objects from the trusted library search path with the privileges of the suid user. This Metasploit module uses LD_AUDIT to load the libpcprofile.so shared object, distributed with some versions of glibc, and leverages arbitrary file creation functionality in the library constructor to write a root-owned world-writable file to a system trusted search path (usually /lib). The file is then overwritten with a shared object then loaded with LD_AUDIT resulting in arbitrary code execution. This Metasploit module has been tested successfully on glibc version 2.11.1 on Ubuntu 10.04 x86_64 and version 2.7 on Debian 5.0.4 i386. RHEL 5 is reportedly affected, but untested. Some glibc distributions do not contain the libpcprofile.so library required for successful exploitation.
79d3dcb40544179ef2c545514e54b7352e225d51c57c720672f33d1b717c00e5
The Grammarly Chrome extension (approximately 20M users) exposes its auth tokens to all websites; therefore any website can log in to grammarly.com as you and access all your documents, history, logs, and all other data.
38a9c89eebeb3e6644a94f0e937ee633297f223f24e55bd0ad56fef9c72d79e0
This Metasploit module attempts to gain root privileges on Linux systems by invoking the default coredump handler inside a namespace ("container"). Apport versions 2.13 through 2.17.x before 2.17.1 on Ubuntu are vulnerable, due to a feature which allows forwarding reports to a container's Apport by changing the root directory before loading the crash report, causing 'usr/share/apport/apport' within the crashed task's directory to be executed. Similarly, Fedora is vulnerable when the kernel crash handler is configured to change root directory before executing ABRT, causing 'usr/libexec/abrt-hook-ccpp' within the crashed task's directory to be executed. In both instances, the crash handler does not drop privileges, resulting in code execution as root. This Metasploit module has been tested successfully on Apport 2.14.1 on Ubuntu 14.04.1 LTS x86 and x86_64 and ABRT on Fedora 19 and 20 x86_64.
9c651a9002f5646905fcb8abdec1552897cd260c341ec403e60727c2cf691713
Blizzard's Agent RPC authentication mechanism is vulnerable to DNS rebinding attacks.
01e7bdf4703d545404b5ea8d6c13d0e9fc1c4e0a98a205904426f38fbc152873
The Transmission bittorrent client suffers from an RPC session-id mechanism design flaw.
eb5116fc215d9b67c48fcbe0240a784bca401f22dcc20bf7faa2ae78c70be6d1
A Microsoft Windows win32k vulnerability has been discovered where using SetClassLong to switch between CS_CLASSDC and CS_OWNDC corrupts the DC cache.
d07a83757124fecff65bbde70f529b29553e02b3ecba86891ac3d31b9a1e3f28
Microsoft Windows 10 is forcibly installing the Keeper password manager, which injects privileged UIs into pages.
ae83b2f7f72326bf46c86779b3f209ce03d065a4da2267e20c685c1f25425281
Various GPC sanitization bypasses exist in Cisco WebEx that can permit arbitrary remote command execution.
2742e774481d9cd4f1486925a8d6d0f5cd50b3e1c50f16db34aa9fee06887044
The Microsoft MsMpEng mpengine x86 emulator suffers from a heap corruption vulnerability in the VFS API.
46362a2418387131b284b6f99ffbd92b63a52b28cf6850b31bc0119ebc171b9f
This Metasploit module triggers an arbitrary shared library load vulnerability in Samba versions 3.5.0 to 4.4.14, 4.5.10, and 4.6.4. This Metasploit module requires valid credentials, a writeable folder in an accessible share, and knowledge of the server-side path of the writeable folder. In some cases, anonymous access combined with common filesystem locations can be used to automatically exploit this vulnerability.
467d157dc1bbf3f036cc0f63f280fa7c6781fd91ca452708aab53393895c5ba1
Microsoft MsMpEng suffers from multiple privilege escalation vulnerabilities.
b57fb4337aa82768637ff7b8efdf2fef6727f821ca5bfd34a0c7ad06e2c615e7