There is a use-after-free vulnerability in jscript.dll related to how the lastIndex property of a RegExp object is handled. This vulnerability can be exploited through Internet Explorer or potentially through WPAD over local network. The vulnerability has been reproduced on multiple Windows versions with the most recent patches applied.
f62d6b1e08f80d9d1673d2fc9b2eeec824adb1729417fe99c60cc9f5f1203e01There is a heap overflow in Skia when drawing paths with anti-aliasing turned off. This issue can be triggered in both Google Chrome and Mozilla Firefox by rendering a specially crafted SVG image. Proof of concepts included.
3f160181c8497dc4cf1f1145b96c07f641ce5f7ac700a9824ddcbbf59315795bSkia and Firefox suffer from an issue where an integer overflow in SkTDArray can lead to an out-of-bounds write.
80e438c1f1bd3bccf77299b13af9143308a2335912da6260d8598c1f233e7851There is a use-after-free security vulnerability in WebKit. The vulnerability was confirmed on ASan build of revision 227958 on OSX.
16307c2a076e6eedaa5e405c5a3f96d724981d8afd372bf9e6385efaff3fb94fMicrosoft Edge suffers from an ACG bypass vulnerability with OpenProcess().
e13730c75ca6f8bb32812eaeb11c4e26810eb2412806aa44f43438d5b226c9b0Microsoft Windows suffers from multiple use-after-free issues in jscript Array methods.
2f7ac558c542879acb965c4c06820f163464ea9dc3f6b7895a15dcadd6bca2f1Microsoft Internet Explorer 11 suffers from a RegExp.lastMatch memory disclosure vulnerability.
d31d4d807418c373074dddb6b109a04ac380f06cff4cdd96d51d28909dfa8524Microsoft IE11 suffers from a use-after-free vulnerability in Js::RegexHelper::RegexReplace.
734a98cbfc15f0c966a37c25c2d8f7d0f898a4d44f03218af7d92ba501bc2d76Microsoft Edge suffers from an ACG bypass using UnmapViewOfFile.
75ecabd99428551cbe1014fc356b85e09fce1ebc3b0a7a93516a607cecbb55caWebKit suffers from a use-after-free vulnerability in detachWrapper.
d17589f8c87f68f43fdc0fdc6baa36cb0aad0bbdbb624cbb94def83e1f56fbfaWebKit suffers from a use-after-free vulnerability in WebCore::FrameView::clientToLayoutViewportPoint.
4fb18455a7824410e8bc9a432a98671261c8e1cd41ff089a645fad3cbe7dc9bdThere is an out-of-bounds read in jscript.dll library (used in IE, WPAD and other places).
515090618f71572b31595b0c710c2e74b500c7981760cbca93b60481466fa253There is an heap overflow vulnerability in jscript.dll library (used in IE, WPAD and other places). The bug affects 2 functions, JsArrayStringHeapSort and JsArrayFunctionHeapSort.
deac9cd1e6753834b079b602c10a506a085746a6093d25bcb66aa97015e0c366There is a use-after-free in jscript.dll library that can be exploited in IE11.
532b95f0c945c3c74db85cabef11747d21ad3c48fe54f0e7aa07150204b08455There is a use-after-free vulnerability in jscript.dll. This issue could potentially be exploited through multiple vectors.
99d64f82c3d7bf075a7abe383e8584579a9d5eb097d044428f5817c78c478888There is a heap overflow in jscript.dll when compiling a regex. This issue could potentially be exploited through multiple vectors.
d5005d70833db3288d6f3582bebbc45f33bc2b359d5ffcd7ebdfc34a9678b7c2There is an uninitialized variable vulnerability in jscript.dll. This issue could potentially be exploited through multiple vectors.
2ca8e665341886d4eb124c000b6d3ba9945621bca1bec2303b4938cb4e8e9611Chakra suffers from a CFG bypass by overwriting JavaScript bytecode.
daeedb6b41591772a884afa12e566a242f6e1b0d3ee1312f4e2dfdeff93e89ebCharka suffers from a CFG bypass due to a bug in ServerFreeAllocation.
3d19e7cbedb472d2428edd6222fbd45a4c7b0fc67382167d792c513a4d2719d5Chakra suffers from a CFG bypass with leafInterpreterFrame. Every JavaScript variable in Chakra (except a tagged int) is a pointer. From this pointer, using an arbitrary read, it is possible to follow a chain of pointers and end up with a pointer to the native stack. This allows disclosing the stack location and subsequently overwriting a return address on the stack leading to CFG bypass.
e0fbcd6d6c6068eeac50241aac0d32bd46ce7a53f66113cb469ea260e17d8537WebKit suffers from a use-after-free vulnerability in WebCore::FormSubmission::create.
c2e26605ef8814643236d5f9d97cb4faad8aeb808f52594ca616c0d971826d8aWebKit suffers from a use-after-free vulnerability in WebCore::RenderObject::previousSibling.
8a278fe1a01bed0f7b17ac6fcc4317b1168ac683975a217d23d0e3a903eea3eaWebKit suffers from a use-after-free vulnerability in WebCore::DocumentLoader::frameLoader.
f6596283db934d92384dd48f38e36757c9cab5b6ca671329f22f9f48e1aca7bcWebKit suffers from a use-after-free vulnerability in WebCore::Style::TreeResolver::styleForElement.
ea5990dbcd10f10220871583d7e4a8f64595578bfb2375ec0419820b0ad1e27dWebKit suffers from an out-of-bounds read in WebCore::SVGPatternElement::collectPatternAttributes.
a134d05e2659242ae6b08570b4062d0b03e9ec5b249c75b9adedd8e9d69fdb0a
© 2022 Packet Storm. All rights reserved.
%7Cutmcsr%3D(direct)%7Cutmcmd%3D(none)){kind=small}
Follow us on Twitter
Follow us on Facebook
Subscribe to an RSS Feed