There is a heap overflow vulnerability in the jscript.dll library (used in IE, WPAD and other places). The bug affects two functions, JsArrayStringHeapSort and JsArrayFunctionHeapSort.
deac9cd1e6753834b079b602c10a506a085746a6093d25bcb66aa97015e0c366
There is a use-after-free in the jscript.dll library that can be exploited in IE11.
532b95f0c945c3c74db85cabef11747d21ad3c48fe54f0e7aa07150204b08455
There is a use-after-free vulnerability in jscript.dll. This issue could potentially be exploited through multiple vectors.
99d64f82c3d7bf075a7abe383e8584579a9d5eb097d044428f5817c78c478888
There is a heap overflow in jscript.dll when compiling a regex. This issue could potentially be exploited through multiple vectors.
d5005d70833db3288d6f3582bebbc45f33bc2b359d5ffcd7ebdfc34a9678b7c2
There is an uninitialized variable vulnerability in jscript.dll. This issue could potentially be exploited through multiple vectors.
2ca8e665341886d4eb124c000b6d3ba9945621bca1bec2303b4938cb4e8e9611
Chakra suffers from a CFG bypass by overwriting JavaScript bytecode.
daeedb6b41591772a884afa12e566a242f6e1b0d3ee1312f4e2dfdeff93e89eb
Chakra suffers from a CFG bypass due to a bug in ServerFreeAllocation.
3d19e7cbedb472d2428edd6222fbd45a4c7b0fc67382167d792c513a4d2719d5
Chakra suffers from a CFG bypass with leafInterpreterFrame. Every JavaScript variable in Chakra (except a tagged int) is a pointer. From this pointer, using an arbitrary read, it is possible to follow a chain of pointers and end up with a pointer to the native stack. This allows disclosing the stack location and subsequently overwriting a return address on the stack leading to CFG bypass.
e0fbcd6d6c6068eeac50241aac0d32bd46ce7a53f66113cb469ea260e17d8537
WebKit suffers from a use-after-free vulnerability in WebCore::FormSubmission::create.
c2e26605ef8814643236d5f9d97cb4faad8aeb808f52594ca616c0d971826d8a
WebKit suffers from a use-after-free vulnerability in WebCore::RenderObject::previousSibling.
8a278fe1a01bed0f7b17ac6fcc4317b1168ac683975a217d23d0e3a903eea3ea
WebKit suffers from a use-after-free vulnerability in WebCore::DocumentLoader::frameLoader.
f6596283db934d92384dd48f38e36757c9cab5b6ca671329f22f9f48e1aca7bc
WebKit suffers from a use-after-free vulnerability in WebCore::Style::TreeResolver::styleForElement.
ea5990dbcd10f10220871583d7e4a8f64595578bfb2375ec0419820b0ad1e27d
WebKit suffers from an out-of-bounds read in WebCore::SVGPatternElement::collectPatternAttributes.
a134d05e2659242ae6b08570b4062d0b03e9ec5b249c75b9adedd8e9d69fdb0a
WebKit suffers from an out-of-bounds read in WebCore::SimpleLineLayout::RunResolver::runForPoint.
7f0b76853cb76566efef7ad4bbe91c9b1977f8a050e942ee1915da7aaa16182d
WebKit suffers from an out-of-bounds read in WebCore::RenderText::localCaretRect.
d2bf26a53165b570a6f5bd7f1fb66d35b7d3557d70deadf09f219c638ad86390
There is a use-after-free security vulnerability in WebCore::AXObjectCache::performDeferredCacheUpdate in WebKit.
62c0de0a642ecdcec245a8979e15e6e5eae034411bc424e6de622292cdf7d05d
There is a use-after-free security vulnerability in WebCore::PositionIterator::decrement in WebKit.
217896fe315974d6577ecc8038ef7d0482b7caa767addabaa181135a8707de87
There is a use-after-free security vulnerability in WebCore::InputType::element in WebKit.
9a6ded12652b60c99c885a3f11eb3a8a7fd2b0c6515de6074753cec8628787a6
There is a use-after-free security vulnerability in WebCore::TreeScope::documentScope in WebKit.
3105ce149b3a63d509b7533ead0fa793978656a94530db60af67ab8b9675497f
Microsoft Internet Explorer 11 suffers from a use-after-free vulnerability in jscript!JsErrorToString.
b68b161a3b42e7a725d37eb0375faba5d57699ba45d34baf650b120307b35284
There is a security issue in Microsoft Edge related to how HTML documents are loaded. If Edge displays an HTML document from a slow HTTP server, it is possible that part of the document is rendered before the server has finished sending the document. It is also possible that some JavaScript code will run at that point. By making DOM modifications before the document has had a chance to fully load, followed by another set of DOM modifications after the page has loaded, it is possible to trigger memory corruption that could possibly lead to an exploitable condition.
5907d1f5e11d78ce0680fb433a3f355dee6f8223e8d01f9b8f025438c5f23e93
There is an out-of-bounds read issue in Microsoft Edge that could potentially be turned into remote code execution. The vulnerability has been confirmed on Microsoft Edge 38.14393.1066.0 (Microsoft EdgeHTML 14.14393) as well as Microsoft Edge 40.15063.0.0 (Microsoft EdgeHTML 15.15063).
50a17f878e4cb540b01d5045a6e10dff2e139109eb14511dd0fda4dc068c0013
ACG (Arbitrary Code Guard) in Microsoft Edge is bypassable. The bypass has been tested on Microsoft Edge 40.15063.0.0 running on Windows 10 Enterprise 64-bit with Creators Update (Version 1703, OS build 15063.413).
be1f44546390cca193ef1aff01a301005ed93d7d18025eb795e529774e3bd275
The Microsoft Chakra JIT server suffers from an out-of-bounds write when processing a Js::OpCode::ProfiledLoopStart opcode.
387a94a74877e5ae454670d88bca2108bf8b2e2ad1eedbea3c88071c8f4cfb35
The Microsoft Chakra JIT server suffers from an integer overflow in IRBuilder::Build.
6639f5e0c1bdd2f5bed8084c2cf405fcb0a5da8cf37e3dda8f8472c91bcd2d16