The Dell Pre-Boot Authentication Driver (PBADRV.sys) contains a vulnerability that can be leveraged to enable an attacker to write arbitrary code. The 'OutputAddress' from the IOCTL call is not validated before it attempts to write to memory. The content of the write is a four-byte hex value that is always greater than that of the kernel base address. Using multiple writes, it may be possible to overwrite the first entry of HalDispatchTable in a way that the entry would point to a user-land address. An attacker need only allocate shellcode at said address and call the ntdll!NtQueryIntervalProfile() function.
4c39d7663202b0e6a4d111b2cedc2d39282bb058581eda40719607e5ea6add5a
Seagate GoFlex Satellite Mobile Wireless Storage devices contain a hardcoded backdoor account. An attacker could use this account to remotely tamper with the underlying operating system when Telnet is enabled.
5c61cfee09fbb37a6bafacad5f5ac3b5b476c894b553933c75614523958a3ff4
Red Hat Security Advisory 2015-2670-01 - Apache Commons Collections is a library that builds upon Java JDK classes by providing new interfaces, implementations and utilities. It was found that the Apache commons-collections library permitted code execution when deserializing objects involving a specially constructed chain of classes. A remote attacker could use this flaw to execute arbitrary code with the permissions of the application using the commons-collections library.
eb6b898028084584c67bd48cffa7bd9d30bffcbbb214bc9cad86b6cca532b017
There is a use-after-free vulnerability in Sound.setTransform. If a transform value is set to an object with valueOf defined, it can free the transform before the values are set.
c1ceaaaa99b552103d65a27ff421a1450a5ae32dd9aa482a6a5ee0d3f1498394
Slackware Security Advisory - New grub packages are available for Slackware 14.1 and -current to fix a security issue.
83725abaa7311856eae58ea3aa43594cf6d9d290076e54a04c4289a9b9b15519
Slackware Security Advisory - New libpng packages are available for Slackware 13.0, 13.1, 13.37, 14.0, 14.1, and -current to fix a security issue.
463a099c97a10c82afc5272db79e75f365c7be110e4bba31d43d7cfcc2e05c11
Debian Linux Security Advisory 3426-1 - Several vulnerabilities have been discovered in the Linux kernel that may lead to a privilege escalation, denial of service, information leak or data loss.
eefa8528c8f76d273a5ac0c5e68a8ee3b0c177db643785311de84b9e1b210774
Ubuntu Security Notice 2845-1 - Dolev Farhi discovered an information disclosure issue in SoS. If the /etc/fstab file contained passwords, the passwords were included in the SoS report. This issue only affected Ubuntu 14.04 LTS. Mateusz Guzik discovered that SoS incorrectly handled temporary files. A local attacker could possibly use this issue to overwrite arbitrary files or gain access to temporary file contents containing sensitive system information. Various other issues were also addressed.
35969627a5eb4d0bc47c9ea660f4346a68543a1d58dbd5d4042313fd0105be85
Avira Registry Cleaner suffers from a local DLL hijacking vulnerability.
25dbcc7db394b17559de2ca3d0756be3cb74f12b5d2bde975cdaeb1e15c10f9d
Easy File Sharing FTP server version 3.6 suffers from a stack buffer overflow vulnerability.
9657a4303ce0c7f923db80806a251e3b34247c64f4f4fdbcee53929e89b64309
pfSense versions 2.2.5 and below suffer from a directory traversal vulnerability.
e9d17907677434b8805f6d8cf50f4060c63207d28f4c41bf95d1debf8bf21932
Samsung's SoftAP WPA2-PSK password generation is weak and can be cracked in a few hours.
d07302b705ff9d90ee5c3f1bd5da6e5f61c13558040cb8ca8a031f9fbc137494
Pinger suffers from a remote code execution vulnerability.
0457b78a351ec4c29e621f12c3e59e1830fe8ae097569311e0d9adbb738d66e0
There is a use-after-free in MovieClip.attachBitmap. If the depth parameter is an object with valueOf defined, this method can free the MovieClip, which is then used.
1a53857646bf613431067a57c39e68fce010b87e4dc0cc01d200ff2bfadd9beb
There is a use-after-free in MovieClip.startDrag. If a parameter is an object with valueOf defined, this method can free the MovieClip, which is then used.
e479fa941ff211a21353dd962d4b4fe88a594a11c11379dd4a855f8d02e16580
There is a use-after-free in MovieClip.duplicateMovieClip. If the depth or movie name parameter provided is an object with toString or valueOf defined, this method can free the MovieClip, which is then used.
e936ec48ce119179fb911647dd9431f43776db694735d18ab919a4433fa1ad4c
There is a use-after-free in Selection.SetSelection. If it is called with a number parameter that is an object with valueOf defined, and this function frees the parent of the TextField parameter, the object is used after it is freed.
217561bd45b3c92552115daee855b258b298674d8c5a5b4f03c0a9d14d073306
There is a use-after-free in the TextField sharpness setter. If the sharpness parameter is an object with valueOf set to a function which frees the TextField parent, it is used after it is freed.
7493a0885f46ddf809858c9ad8b0a46b185be83cdcbfa026ae184f5993e961af
There is a use-after-free in the TextField thickness setter. If the thickness parameter is an object with valueOf set to a function which frees the TextField parent, it is used after it is freed.
e4ff4a515fcc1862e4b29c13c2a15404c86f2cea6d2fa31892a1c1a54d5ba8da
The TextField setFormat method contains a use-after-free. If an integer parameter has valueOf defined, or the object parameter overrides a constructor, this method can free the TextField parent, which is subsequently used.
4fa2435bebe5f4be1d84b27026f8d38e6eabd6157f6c7f69688afb3aa6b813d3
There is a use-after-free in the TextField.replaceText function. If the function is called with a string parameter with toString defined, or an integer parameter with valueOf defined, the parent object of the TextField can be used after it is freed.
e63876f27dc914022bc2a7ed2d30bcba34c54e4c16104e2d22aad1102cd2ffe5
If a TextField variable is set to a value with toString defined, and the TextField is updated, a use-after-free can occur if the toString method frees the TextField's parent.
fa786f1b3cea6369a32618396207c3f49ff8358de6197ac6e9ef01f923f571ba
There is a use-after-free in the TextField.variable setter. If the variable name that is added is an object with toString defined, the toString function can free the field's parent object, which is then used.
4de2d91bb0dbd6bbc048520404458cb628a85da2c406af413c7929cab76e2043
There is a use-after-free in the TextField.htmlText setter. If the htmlText the field is set to is an object with toString defined, the toString function can free the field's parent object, which is then used.
39b8e75529854b070a0167968d45644015d1438839c8c17f23d3530833c4c010
There is a use-after-free in the TextField.type setter. If the type the field is set to is an object with toString defined, the toString function can free the field's parent object, which is then used.
84ef1515971853553ba9bdb9a67b2d84ff1c244114ce6d34410b1e7d00c55714