Author: Joe-W

  Posted by SEC Consult Vulnerability Lab via Fulldisclosure on Sep 08 SEC Consult Vulnerability Lab Security Advisory < 20250908-0 > ======================================================================= title: NFC Card Vulnerability Exploitation Leading to Free Top-Up product: KioSoft “Stored Value” Unattended Payment Solution (Mifare) vulnerable version: Current firmware/hardware as of Q2/2025 fixed version: No version numbers available CVE number:… – Read … Read More “SEC Consult SA-20250908-0 :: NFC Card Vulnerability Exploitation Leading to Free Top-Up in KioSoft “Stored Value” Unattended Payment Solution (Mifare)  – Full Disclosure” »

  Posted by Taylor Newsome on Sep 08 *To:* support () mellanox com, networking-support () nvidia com *From:* Taylor Christian Newsome *Date:* August 20, 2025 *Dear Mellanox/NVIDIA Networking Support Team,* I am writing to formally submit the critical firmware parameters for Mellanox PCI Express Host Channel Adapter (HCA) cards, as detailed in the official documentation … Read More “Submission of Critical Firmware Parameters – PCIe HCA Cards  – Full Disclosure” »

  Posted by Ron E on Sep 08 The DjVuLibre document compression library (tested version 3.5.29) is vulnerable to an integer overflow caused by a left shift of a negative signed integer in the IW44EncodeCodec.cpp component. When processing crafted PPM input passed through the c44 utility, negative pixel values are left-shifted in functions such as … Read More “DjVuLibre 3.5.29 IW44EncodeCodec Integer Overflow (Negative Left Shift in IW44Image::Map::Encode)  – Full Disclosure” »

  Posted by Ron E on Sep 08 The DjVuLibre document compression library (tested version 3.5.29) contains multiple instances of unsigned integer overflow in the ZPCodec.cpp component. During arithmetic encoding operations (e.g., zemit, encode_lps, encode_lps_simple, eflush), crafted input can cause arithmetic wraparound (0-1, 1-2, or value+UINT_MAX). These operations rely on precise probability modeling for entropy … Read More “DjVuLibre 3.5.29 ZPCodec Unsigned Integer Overflow in Arithmetic Encoding  – Full Disclosure” »

  Posted by Ron E on Sep 08 The ladspa audio filter implementation (libavfilter/af_ladspa.c) in FFmpeg allows unsanitized environment variables to influence dynamic library loading. Specifically, the filter uses getenv(“LADSPA_PATH”) and getenv(“HOME”) when resolving the plugin shared object (.so) name provided through the file option. These values are concatenated into a filesystem path and passed … Read More “FFmpeg 7.0+ LADSPA Filter Arbitrary Shared Object Loading via Unsanitized Environment Variables  – Full Disclosure” »

  Posted by Ron E on Sep 08 A signed integer overflow exists in FFmpeg’s udp.c implementation when parsing the fifo_size option from a user-supplied UDP URL. The overflow occurs during multiplication, which is used to compute the size of the circular receive buffer. This can result in undefined behavior, allocation failures, or potentially memory … Read More “FFmpeg 7.0+ Integer Overflow in UDP Protocol Handler (fifo_size option)  – Full Disclosure” »

  Posted by Ron E on Sep 08 A vulnerability exists in the FFmpeg UDP protocol implementation ( libavformat/udp.c) where the dscp parameter is parsed from a URI and left-shifted without bounds checking. Supplying a maximum 32-bit signed integer (2147483647) triggers undefined behavior due to a left shift that exceeds the representable range of int. … Read More “FFmpeg 7.0+ Integer Overflow in DSCP Option Handling of FFmpeg UDP Protocol  – Full Disclosure” »

  Posted by Ron E on Sep 08 The FFmpeg tools/yuvcmp utility is vulnerable to an integer overflow when large width and height parameters are supplied. The overflow occurs during buffer size calculations (width * height) leading to incorrect allocation sizes and subsequent memory corruption. An attacker controlling input dimensions can trigger large or invalid … Read More “FFmpeg 7.0+ Integer Overflow in FFmpeg yuvcmp Tool Leads to Out-of-Bounds Allocation  – Full Disclosure” »

  Posted by Ron E on Sep 08 FFmpeg invokes function pointers through incorrect type casting, leading to type confusion. UndefinedBehaviorSanitizer logs mismatched signatures in utils.c:528. Crafted inputs can cause UB, misaligned function dispatch, and possible arbitrary code execution depending on platform ABI. (FFmpeg 7.0 – 8.0) *Impact:* – DoS in normal builds. – Potential … Read More “FFmpeg 7.0+ Type Confusion in FFmpeg Function Pointer Calls (libavformat/utils.c)  – Full Disclosure” »

  Posted by Ron E on Sep 08 Improper validation in libavutil/avstring.c allows a NULL pointer dereference when processing certain strings in HLS contexts. UBSan reports “applying zero offset to null pointer.” Triggers denial of service (DoS) when FFmpeg processes malicious playlists or malformed URLs. (FFmpeg 7.0 – 8.0) *Impact:* – Consistently crashes the process … Read More “FFmpeg 7.0+ NULL Pointer Dereference in FFmpeg String Handling (avstring.c)  – Full Disclosure” »

  Posted by Ron E on Sep 08 Malformed .m3u8 playlists can trigger a heap use-after-free when the HLS demuxer handles segment references. ASan reports access to freed memory inside libavformat/utils.c:528. A crafted .m3u8 could allow remote attackers to achieve denial of service (DoS), information disclosure, or potentially remote code execution depending on heap state. … Read More “FFmpeg 7.0+ Heap Use-After-Free in FFmpeg HLS Demuxer (libavformat/utils.c)  – Full Disclosure” »

  Posted by Ron E on Sep 08 The FullBox::get_flags() method retrieves 24-bit flags from the underlying box header. When a malformed box truncates the field, the function still attempts to read three bytes. With insufficient data, this reads past valid memory into uninitialized or out-of-bounds memory. *Root Cause:* – No length validation before reading … Read More “libheif v1.21.0 Out-of-Bounds Read in FullBox::get_flags  – Full Disclosure” »

  Posted by Ron E on Sep 08 Box_hdlr::get_handler_type() (libheif/box.h:487) is called even when the hdlr box has not been properly initialized due to malformed input. This leads to dereferencing a null object pointer. *Root Cause:* – No validation of hdlr box presence before accessing handler fields. *Impact:* – Application crash only (DoS). – No … Read More “libheif v1.21.0 Null Pointer Dereference in Box_hdlr::get_handler_type  – Full Disclosure” »

  Posted by Ron E on Sep 08 During construction of a Track_Visual object, corrupted sequence metadata can leave a std::vector<unsigned> uninitialized. When .empty() is called, it attempts to dereference a null object. *Root Cause:* – Missing input validation when constructing vectors from parsed boxes. *Impact:* – Application crash (DoS). – Not exploitable for code … Read More “libheif v1.21.0 Null Pointer Dereference in std::vector::empty  – Full Disclosure” »

  Posted by Ron E on Sep 08 An integer overflow vulnerability exists in the Y4M input loader (loadY4M in decoder_y4m.cc) of libheif. The loader fails to properly validate the width and height values declared in the Y4M file header. Supplying a crafted .y4m file with extremely large dimensions (e.g., W2147483647 H2147483647) causes integer overflow … Read More “libheif v1.21.0 Integer Overflow in Y4M Loader leading to Uncontrolled Memory Allocation  – Full Disclosure” »

  Posted by Ron E on Sep 08 The vulnerability resides in the constructor Chunk::Chunk ( libheif/sequences/chunk.cc:89). When parsing the Sample Size Box (stsz) of a HEIF sequence track, the code allocates a std::vector<unsigned int> and then appends entries for each sample size. The count used for allocation and iteration is taken directly from the … Read More “libheif v1.21.0 Heap Buffer Overflow in Chunk::Chunk  – Full Disclosure” »

  Posted by Ron E on Sep 08 The Track::init_sample_timing_table logic manages a std::vector<std::shared_ptr<Chunk>> representing parsed sequence chunks. With malformed HEIF sequence files, corrupted chunk tables may cause premature destruction of Chunk objects while references remain in the vector. Later accesses via std::__shared_ptr<Chunk>::get() return a dangling pointer. ASan reports these as heap-buffer-overflows because the stale … Read More “libheif 1.21.0 Use-After-Free / Dangling shared_ptr in Track Chunk Handling  – Full Disclosure” »

  Posted by Ron E on Sep 08 The Box_stts structure defines decoding time to sample mapping. In Box_stts::get_sample_duration(unsigned), the requested index is assumed valid. A crafted file can set entry_count inconsistently with the actual buffer size, leading to access beyond the bounds of the parsed vector. *Root Cause:* – Lack of bounds checks on … Read More “libheif v1.21.0 Out-of-Bounds Read in Box_stts::get_sample_duration  – Full Disclosure” »

  Posted by Apple Product Security via Fulldisclosure on Sep 08 APPLE-SA-08-20-2025-5 macOS Ventura 13.7.8 macOS Ventura 13.7.8 addresses the following issues. Information about the security content is also available at https://support.apple.com/124929. Apple maintains a Security Releases page at https://support.apple.com/100100 which lists recent software updates with security advisories. ImageIO Available for: macOS Ventura Impact: Processing … Read More “APPLE-SA-08-20-2025-5 macOS Ventura 13.7.8  – Full Disclosure” »

  Posted by Seralys Research Team via Fulldisclosure on Sep 08 Seralys Security Advisory | https://www.seralys.com/research ====================================================================== Title: Unauthenticated User Creation Product: SpamTitan Email Security Gateway Affected: Confirmed on 8.00.95 Fixed in: 8.00.101 and 8.01.14 Vendor: TitanHQ Discovered: May 2024 Severity: HIGH CWE: CWE-306: Missing Authentication for Critical Function CVE:… – Read More  – Full Disclosure 

  Posted by Apple Product Security via Fulldisclosure on Sep 08 APPLE-SA-08-20-2025-2 iPadOS 17.7.10 iPadOS 17.7.10 addresses the following issues. Information about the security content is also available at https://support.apple.com/124926. Apple maintains a Security Releases page at https://support.apple.com/100100 which lists recent software updates with security advisories. ImageIO Available for: iPad Pro 12.9-inch 2nd generation, iPad … Read More “APPLE-SA-08-20-2025-2 iPadOS 17.7.10  – Full Disclosure” »

  Posted by Apple Product Security via Fulldisclosure on Sep 08 APPLE-SA-08-20-2025-3 macOS Sequoia 15.6.1 macOS Sequoia 15.6.1 addresses the following issues. Information about the security content is also available at https://support.apple.com/124927. Apple maintains a Security Releases page at https://support.apple.com/100100 which lists recent software updates with security advisories. ImageIO Available for: macOS Sequoia Impact: Processing … Read More “APPLE-SA-08-20-2025-3 macOS Sequoia 15.6.1  – Full Disclosure” »

  Posted by Apple Product Security via Fulldisclosure on Sep 08 APPLE-SA-08-20-2025-4 macOS Sonoma 14.7.8 macOS Sonoma 14.7.8 addresses the following issues. Information about the security content is also available at https://support.apple.com/124928. Apple maintains a Security Releases page at https://support.apple.com/100100 which lists recent software updates with security advisories. ImageIO Available for: macOS Sonoma Impact: Processing … Read More “APPLE-SA-08-20-2025-4 macOS Sonoma 14.7.8  – Full Disclosure” »

  Posted by Asterisk Development Team via Fulldisclosure on Sep 08 The Asterisk Development Team would like to announce security release Asterisk 22.5.2. The release artifacts are available for immediate download at https://github.com/asterisk/asterisk/releases/tag/22.5.2 and https://downloads.asterisk.org/pub/telephony/asterisk Repository: https://github.com/asterisk/asterisk Tag: 22.5.2 ## Change Log for Release asterisk-22.5.2 ### Links: – [Full ChangeLog](… – Read More  – Full Disclosure 

  Posted by Andrey Stoykov on Sep 08 # Exploit Title: Host Header Injection – silverstripecmsv6.0.0 # Date: 08/2025 # Exploit Author: Andrey Stoykov # Version: 6.0.0 # Tested on: Debian 12 # Blog: https://msecureltd.blogspot.com/2025/08/friday-fun-pentest-series-39-host.html Host Header Injection #1: Steps to Reproduce: – Login and change the Host header to Burp Collab domain – Upon … Read More “Host Header Injection – silverstripecmsv6.0.0  – Full Disclosure” »

  Posted by Andrey Stoykov on Sep 08 # Exploit Title: [Vuln] – silverstripecmsv6.0.0 # Date: 08/2025 # Exploit Author: Andrey Stoykov # Version: 6.0.0 # Tested on: Debian 12 # Blog: https://msecureltd.blogspot.com/2025/08/friday-fun-pentest-series-40-csv.html CSV Injection #1: Steps to Reproduce: – Login and visit “Security” > “Add Member” > “First Name” and enter payload of =30*30 … Read More “CSV Injection – silverstripecmsv6.0.0  – Full Disclosure” »

  Posted by Apple Product Security via Fulldisclosure on Sep 08 APPLE-SA-08-20-2025-1 iOS 18.6.2 and iPadOS 18.6.2 iOS 18.6.2 and iPadOS 18.6.2 addresses the following issues. Information about the security content is also available at https://support.apple.com/124925. Apple maintains a Security Releases page at https://support.apple.com/100100 which lists recent software updates with security advisories. ImageIO Available for: … Read More “APPLE-SA-08-20-2025-1 iOS 18.6.2 and iPadOS 18.6.2  – Full Disclosure” »

  Posted by George Joseph via Fulldisclosure on Sep 08 The Asterisk Development Team would like to announce security release Certified Asterisk 18.9-cert17. The release artifacts are available for immediate download at https://github.com/asterisk/asterisk/releases/tag/certified-18.9-cert17 and https://downloads.asterisk.org/pub/telephony/certified-asterisk Repository: https://github.com/asterisk/asterisk Tag: certified-18.9-cert17 ## Change Log for Release asterisk-certified-18.9-cert17 ###… – Read More  – Full Disclosure 

  Posted by josephgoyd via Fulldisclosure on Sep 08 Improper Input Validation in Siri Shortcuts and Shared Web Credentials Enables Persistent Background Execution, Retry Storms, and Sandbox Extension Abuse Date Discovered: August 20, 2025 Discovered By: Joseph Goydish II Affected: – iOS/macOS versions supporting Siri Shortcuts + Shared Web Credentials (SWC) – Confirmed on iPhone … Read More “(iOS 18.6.2) Improper Input Validation in Siri Shortcuts and Shared Web Credentials  – Full Disclosure” »

  Posted by josephgoyd via Fulldisclosure on Sep 08 [Zero-Day] AppleMediaServices Fail-Open Auth Bypass (All Platforms) Overview: A criticalzero-dayvulnerability in AppleMediaServices (AMS) affects all Apple platforms — iOS, macOS, tvOS, and watchOS. When AMS fails to fetch its remote “Bag” config file, it disables Mescal and Absinthe request signingwithout warning, falling back to unsigned, unauthenticated … Read More “[Zero-Day] AppleMediaServices Fail-Open Auth Bypass (All Platforms)  – Full Disclosure” »

  Posted by Joseph Goydish II via Fulldisclosure on Sep 08 TITLE: APPLE’S A17 PRO SILICON FLAW: SHARED I²C4 BUS BETWEEN SECURE ENCLAVE AND DIGITIZER CAUSES CASCADING SYSTEM FAILURE SUMMARY: This report discloses a CRITICAL HARDWARE FLAW in Apple’s A17 Pro chip (D84AP), affecting retail iPhone 15 Pro Max devices. The flaw results from a … Read More “Apple’s A17 Pro Chip: Critical Flaw Causes Dual Subsystem Failure & Forensic Log Loss  – Full Disclosure” »

  Posted by Asterisk Development Team via Fulldisclosure on Sep 08 The Asterisk Development Team would like to announce security release Asterisk 18.26.4. The release artifacts are available for immediate download at https://github.com/asterisk/asterisk/releases/tag/18.26.4 and https://downloads.asterisk.org/pub/telephony/asterisk Repository: https://github.com/asterisk/asterisk Tag: 18.26.4 ## Change Log for Release asterisk-18.26.4 ### Links: – [Full ChangeLog](… – Read More  – Full Disclosure 

  Posted by Asterisk Development Team via Fulldisclosure on Sep 08 The Asterisk Development Team would like to announce security release Asterisk 21.10.2. The release artifacts are available for immediate download at https://github.com/asterisk/asterisk/releases/tag/21.10.2 and https://downloads.asterisk.org/pub/telephony/asterisk Repository: https://github.com/asterisk/asterisk Tag: 21.10.2 ## Change Log for Release asterisk-21.10.2 ### Links: – [Full ChangeLog](… – Read More  – Full Disclosure 

  Posted by Asterisk Development Team via Fulldisclosure on Sep 08 The Asterisk Development Team would like to announce security release Asterisk 20.15.2. The release artifacts are available for immediate download at https://github.com/asterisk/asterisk/releases/tag/20.15.2 and https://downloads.asterisk.org/pub/telephony/asterisk Repository: https://github.com/asterisk/asterisk Tag: 20.15.2 ## Change Log for Release asterisk-20.15.2 ### Links: – [Full ChangeLog](… – Read More  – Full Disclosure