Category: Alert Feeds

  Posted by Ron E on Sep 15 An integer overflow vulnerability exists in the LZX decompression routines of CHMLib (tested in version 0.40, latest release as of 2025). The issue occurs within lzx.c during bitstream parsing (lzx_read_lens and LZXdecompress), where crafted CHM files can supply values that cause left-shift operations to exceed the representable … Read More “CHMLIB 0.40a Integer Overflow in LZX Decompression of CHMLib  – Full Disclosure” »

  Posted by Ron E on Sep 15 A vulnerability exists in CHMLib (latest release 0.40) when parsing malformed CHM (Compiled HTML Help) files. The functions _unmarshal_int32 and _unmarshal_uint32 reconstruct 32-bit values using left shifts on signed integers without proper type casting: *dest = (*pData)[0] | (*pData)[1]<<8 | (*pData)[2]<<16 | (*pData)[3]<<24; If an attacker supplies … Read More “CHMLib 0.40a Integer Overflow in _unmarshal_int32 / _unmarshal_uint32 During CHM Header Parsing  – Full Disclosure” »

  Posted by Ron E on Sep 15 libwmf is vulnerable to an integer overflow / undefined behavior condition in multiple code paths. The affected source files (wmf.c, fig.c, svg.c) use left-shift operations on signed integers that shift into the sign bit (e.g., 1 << 31). According to the C standard, shifting a signed integer … Read More “libwmf v0.2.13 Integer Overflow in libwmf Left-Shift Operations (wmf.c, fig.c, svg.c)  – Full Disclosure” »

  Posted by Apple Product Security via Fulldisclosure on Sep 15 APPLE-SA-09-15-2025-1 iOS 26 and iPadOS 26 iOS 26 and iPadOS 26 addresses the following issues. Information about the security content is also available at https://support.apple.com/125108. Apple maintains a Security Releases page at https://support.apple.com/100100 which lists recent software updates with security advisories. Apple Neural Engine … Read More “APPLE-SA-09-15-2025-1 iOS 26 and iPadOS 26  – Full Disclosure” »

  Posted by Apple Product Security via Fulldisclosure on Sep 15 APPLE-SA-09-15-2025-2 iOS 18.7 and iPadOS 18.7 iOS 18.7 and iPadOS 18.7 addresses the following issues. Information about the security content is also available at https://support.apple.com/125109. Apple maintains a Security Releases page at https://support.apple.com/100100 which lists recent software updates with security advisories. Audio Available for: … Read More “APPLE-SA-09-15-2025-2 iOS 18.7 and iPadOS 18.7  – Full Disclosure” »

  Posted by Apple Product Security via Fulldisclosure on Sep 15 APPLE-SA-09-15-2025-3 iOS 16.7.12 and iPadOS 16.7.12 iOS 16.7.12 and iPadOS 16.7.12 addresses the following issues. Information about the security content is also available at https://support.apple.com/125141. Apple maintains a Security Releases page at https://support.apple.com/100100 which lists recent software updates with security advisories. ImageIO Available for: … Read More “APPLE-SA-09-15-2025-3 iOS 16.7.12 and iPadOS 16.7.12  – Full Disclosure” »

  Posted by Apple Product Security via Fulldisclosure on Sep 15 APPLE-SA-09-15-2025-4 iOS 15.8.5 and iPadOS 15.8.5 iOS 15.8.5 and iPadOS 15.8.5 addresses the following issues. Information about the security content is also available at https://support.apple.com/125142. Apple maintains a Security Releases page at https://support.apple.com/100100 which lists recent software updates with security advisories. ImageIO Available for: … Read More “APPLE-SA-09-15-2025-4 iOS 15.8.5 and iPadOS 15.8.5  – Full Disclosure” »

  Posted by Apple Product Security via Fulldisclosure on Sep 15 APPLE-SA-09-15-2025-5 macOS Tahoe 26 macOS Tahoe 26 addresses the following issues. Information about the security content is also available at https://support.apple.com/125110. Apple maintains a Security Releases page at https://support.apple.com/100100 which lists recent software updates with security advisories. Airport Available for: Mac Studio (2022 and … Read More “APPLE-SA-09-15-2025-5 macOS Tahoe 26  – Full Disclosure” »

  Posted by Apple Product Security via Fulldisclosure on Sep 15 APPLE-SA-09-15-2025-6 macOS Sequoia 15.7 macOS Sequoia 15.7 addresses the following issues. Information about the security content is also available at https://support.apple.com/125111. Apple maintains a Security Releases page at https://support.apple.com/100100 which lists recent software updates with security advisories. AMD Available for: macOS Sequoia Impact: An … Read More “APPLE-SA-09-15-2025-6 macOS Sequoia 15.7  – Full Disclosure” »

  Posted by Matthew Fernandez on Sep 10 Can you elaborate on why you consider this high severity? From the description, it sounds as if this behaviour is fail-closed. That is, the effects are limited to DoS, with security properties preserved. – Read More  – Full Disclosure 

  Posted by naphthalin via Fulldisclosure on Sep 10 “I know where your children go to school.” The web front end of the IServ school server from IServ GmbH allows user enumeration. Responses during failed login attempts differ, depending on if the user account exists, does not exist and other conditions. While this does not … Read More “User Enumeration in IServ Schoolserver Web Login  – Full Disclosure” »

  Posted by Taylor Newsome on Sep 08 Reporter: [Taylor Christian Newsome / SleepRaps () gmail com] Date: [8/21/2025] Target: Discord WebRTC / Voice Gateway API Severity: Critical 1. Executive Summary A proof-of-concept (PersistentRTC) demonstrates remote code execution (RCE) capability against Discord users. The PoC enables Arbitrary JavaScript execution in a victim’s browser context via … Read More “Critical Security Report – Remote Code Execution via Persistent Discord WebRTC Automation  – Full Disclosure” »

  Posted by Stefan Kanthak via Fulldisclosure on Sep 08 Hi @ll, this extends the two previous posts titled Defense in depth — the Microsoft way (part 90): “Digital Signature” property sheet missing without “Read Extended Attributes” access permission <https://seclists.org/fulldisclosure/2025/Jul/39> and Defense in depth — the Microsoft way (part 91): yet another 30 year old … Read More “Defense in depth — the Microsoft way (part 92): more stupid blunders of Windows’ File Explorer  – Full Disclosure” »

  Posted by Ron E on Sep 08 An integer overflow vulnerability exists in the FFmpeg cache: URL protocol implementation. The CacheEntry structure uses a 32-bit signed integer to store cache entry sizes (int size), but the cache layer can accumulate cached data exceeding 2 GB. Once entry->size grows beyond INT_MAX and new data is … Read More “FFmpeg 7.0+ Integer Overflow in FFmpeg cache: Protocol (CacheEntry::size)  – Full Disclosure” »

  Posted by SEC Consult Vulnerability Lab via Fulldisclosure on Sep 08 SEC Consult Vulnerability Lab Security Advisory < 20250908-0 > ======================================================================= title: NFC Card Vulnerability Exploitation Leading to Free Top-Up product: KioSoft “Stored Value” Unattended Payment Solution (Mifare) vulnerable version: Current firmware/hardware as of Q2/2025 fixed version: No version numbers available CVE number:… – Read … Read More “SEC Consult SA-20250908-0 :: NFC Card Vulnerability Exploitation Leading to Free Top-Up in KioSoft “Stored Value” Unattended Payment Solution (Mifare)  – Full Disclosure” »

  Posted by Taylor Newsome on Sep 08 *To:* support () mellanox com, networking-support () nvidia com *From:* Taylor Christian Newsome *Date:* August 20, 2025 *Dear Mellanox/NVIDIA Networking Support Team,* I am writing to formally submit the critical firmware parameters for Mellanox PCI Express Host Channel Adapter (HCA) cards, as detailed in the official documentation … Read More “Submission of Critical Firmware Parameters – PCIe HCA Cards  – Full Disclosure” »

  Posted by Ron E on Sep 08 The DjVuLibre document compression library (tested version 3.5.29) is vulnerable to an integer overflow caused by a left shift of a negative signed integer in the IW44EncodeCodec.cpp component. When processing crafted PPM input passed through the c44 utility, negative pixel values are left-shifted in functions such as … Read More “DjVuLibre 3.5.29 IW44EncodeCodec Integer Overflow (Negative Left Shift in IW44Image::Map::Encode)  – Full Disclosure” »

  Posted by Ron E on Sep 08 The DjVuLibre document compression library (tested version 3.5.29) contains multiple instances of unsigned integer overflow in the ZPCodec.cpp component. During arithmetic encoding operations (e.g., zemit, encode_lps, encode_lps_simple, eflush), crafted input can cause arithmetic wraparound (0-1, 1-2, or value+UINT_MAX). These operations rely on precise probability modeling for entropy … Read More “DjVuLibre 3.5.29 ZPCodec Unsigned Integer Overflow in Arithmetic Encoding  – Full Disclosure” »

  Posted by Ron E on Sep 08 The ladspa audio filter implementation (libavfilter/af_ladspa.c) in FFmpeg allows unsanitized environment variables to influence dynamic library loading. Specifically, the filter uses getenv(“LADSPA_PATH”) and getenv(“HOME”) when resolving the plugin shared object (.so) name provided through the file option. These values are concatenated into a filesystem path and passed … Read More “FFmpeg 7.0+ LADSPA Filter Arbitrary Shared Object Loading via Unsanitized Environment Variables  – Full Disclosure” »

  Posted by Ron E on Sep 08 A signed integer overflow exists in FFmpeg’s udp.c implementation when parsing the fifo_size option from a user-supplied UDP URL. The overflow occurs during multiplication, which is used to compute the size of the circular receive buffer. This can result in undefined behavior, allocation failures, or potentially memory … Read More “FFmpeg 7.0+ Integer Overflow in UDP Protocol Handler (fifo_size option)  – Full Disclosure” »

  Posted by Ron E on Sep 08 A vulnerability exists in the FFmpeg UDP protocol implementation ( libavformat/udp.c) where the dscp parameter is parsed from a URI and left-shifted without bounds checking. Supplying a maximum 32-bit signed integer (2147483647) triggers undefined behavior due to a left shift that exceeds the representable range of int. … Read More “FFmpeg 7.0+ Integer Overflow in DSCP Option Handling of FFmpeg UDP Protocol  – Full Disclosure” »

  Posted by Ron E on Sep 08 The FFmpeg tools/yuvcmp utility is vulnerable to an integer overflow when large width and height parameters are supplied. The overflow occurs during buffer size calculations (width * height) leading to incorrect allocation sizes and subsequent memory corruption. An attacker controlling input dimensions can trigger large or invalid … Read More “FFmpeg 7.0+ Integer Overflow in FFmpeg yuvcmp Tool Leads to Out-of-Bounds Allocation  – Full Disclosure” »

  Posted by Ron E on Sep 08 FFmpeg invokes function pointers through incorrect type casting, leading to type confusion. UndefinedBehaviorSanitizer logs mismatched signatures in utils.c:528. Crafted inputs can cause UB, misaligned function dispatch, and possible arbitrary code execution depending on platform ABI. (FFmpeg 7.0 – 8.0) *Impact:* – DoS in normal builds. – Potential … Read More “FFmpeg 7.0+ Type Confusion in FFmpeg Function Pointer Calls (libavformat/utils.c)  – Full Disclosure” »

  Posted by Ron E on Sep 08 Improper validation in libavutil/avstring.c allows a NULL pointer dereference when processing certain strings in HLS contexts. UBSan reports “applying zero offset to null pointer.” Triggers denial of service (DoS) when FFmpeg processes malicious playlists or malformed URLs. (FFmpeg 7.0 – 8.0) *Impact:* – Consistently crashes the process … Read More “FFmpeg 7.0+ NULL Pointer Dereference in FFmpeg String Handling (avstring.c)  – Full Disclosure” »

  Posted by Ron E on Sep 08 Malformed .m3u8 playlists can trigger a heap use-after-free when the HLS demuxer handles segment references. ASan reports access to freed memory inside libavformat/utils.c:528. A crafted .m3u8 could allow remote attackers to achieve denial of service (DoS), information disclosure, or potentially remote code execution depending on heap state. … Read More “FFmpeg 7.0+ Heap Use-After-Free in FFmpeg HLS Demuxer (libavformat/utils.c)  – Full Disclosure” »

  Posted by Ron E on Sep 08 The FullBox::get_flags() method retrieves 24-bit flags from the underlying box header. When a malformed box truncates the field, the function still attempts to read three bytes. With insufficient data, this reads past valid memory into uninitialized or out-of-bounds memory. *Root Cause:* – No length validation before reading … Read More “libheif v1.21.0 Out-of-Bounds Read in FullBox::get_flags  – Full Disclosure” »

  Posted by Ron E on Sep 08 Box_hdlr::get_handler_type() (libheif/box.h:487) is called even when the hdlr box has not been properly initialized due to malformed input. This leads to dereferencing a null object pointer. *Root Cause:* – No validation of hdlr box presence before accessing handler fields. *Impact:* – Application crash only (DoS). – No … Read More “libheif v1.21.0 Null Pointer Dereference in Box_hdlr::get_handler_type  – Full Disclosure” »

  Posted by Ron E on Sep 08 During construction of a Track_Visual object, corrupted sequence metadata can leave a std::vector<unsigned> uninitialized. When .empty() is called, it attempts to dereference a null object. *Root Cause:* – Missing input validation when constructing vectors from parsed boxes. *Impact:* – Application crash (DoS). – Not exploitable for code … Read More “libheif v1.21.0 Null Pointer Dereference in std::vector::empty  – Full Disclosure” »

  Posted by Ron E on Sep 08 An integer overflow vulnerability exists in the Y4M input loader (loadY4M in decoder_y4m.cc) of libheif. The loader fails to properly validate the width and height values declared in the Y4M file header. Supplying a crafted .y4m file with extremely large dimensions (e.g., W2147483647 H2147483647) causes integer overflow … Read More “libheif v1.21.0 Integer Overflow in Y4M Loader leading to Uncontrolled Memory Allocation  – Full Disclosure” »

  Posted by Ron E on Sep 08 The vulnerability resides in the constructor Chunk::Chunk ( libheif/sequences/chunk.cc:89). When parsing the Sample Size Box (stsz) of a HEIF sequence track, the code allocates a std::vector<unsigned int> and then appends entries for each sample size. The count used for allocation and iteration is taken directly from the … Read More “libheif v1.21.0 Heap Buffer Overflow in Chunk::Chunk  – Full Disclosure” »

  Posted by Ron E on Sep 08 The Track::init_sample_timing_table logic manages a std::vector<std::shared_ptr<Chunk>> representing parsed sequence chunks. With malformed HEIF sequence files, corrupted chunk tables may cause premature destruction of Chunk objects while references remain in the vector. Later accesses via std::__shared_ptr<Chunk>::get() return a dangling pointer. ASan reports these as heap-buffer-overflows because the stale … Read More “libheif 1.21.0 Use-After-Free / Dangling shared_ptr in Track Chunk Handling  – Full Disclosure” »

  Posted by Ron E on Sep 08 The Box_stts structure defines decoding time to sample mapping. In Box_stts::get_sample_duration(unsigned), the requested index is assumed valid. A crafted file can set entry_count inconsistently with the actual buffer size, leading to access beyond the bounds of the parsed vector. *Root Cause:* – Lack of bounds checks on … Read More “libheif v1.21.0 Out-of-Bounds Read in Box_stts::get_sample_duration  – Full Disclosure” »

  Posted by Apple Product Security via Fulldisclosure on Sep 08 APPLE-SA-08-20-2025-5 macOS Ventura 13.7.8 macOS Ventura 13.7.8 addresses the following issues. Information about the security content is also available at https://support.apple.com/124929. Apple maintains a Security Releases page at https://support.apple.com/100100 which lists recent software updates with security advisories. ImageIO Available for: macOS Ventura Impact: Processing … Read More “APPLE-SA-08-20-2025-5 macOS Ventura 13.7.8  – Full Disclosure” »

  Posted by Seralys Research Team via Fulldisclosure on Sep 08 Seralys Security Advisory | https://www.seralys.com/research ====================================================================== Title: Unauthenticated User Creation Product: SpamTitan Email Security Gateway Affected: Confirmed on 8.00.95 Fixed in: 8.00.101 and 8.01.14 Vendor: TitanHQ Discovered: May 2024 Severity: HIGH CWE: CWE-306: Missing Authentication for Critical Function CVE:… – Read More  – Full Disclosure 

  Posted by Apple Product Security via Fulldisclosure on Sep 08 APPLE-SA-08-20-2025-2 iPadOS 17.7.10 iPadOS 17.7.10 addresses the following issues. Information about the security content is also available at https://support.apple.com/124926. Apple maintains a Security Releases page at https://support.apple.com/100100 which lists recent software updates with security advisories. ImageIO Available for: iPad Pro 12.9-inch 2nd generation, iPad … Read More “APPLE-SA-08-20-2025-2 iPadOS 17.7.10  – Full Disclosure” »

  Posted by Apple Product Security via Fulldisclosure on Sep 08 APPLE-SA-08-20-2025-3 macOS Sequoia 15.6.1 macOS Sequoia 15.6.1 addresses the following issues. Information about the security content is also available at https://support.apple.com/124927. Apple maintains a Security Releases page at https://support.apple.com/100100 which lists recent software updates with security advisories. ImageIO Available for: macOS Sequoia Impact: Processing … Read More “APPLE-SA-08-20-2025-3 macOS Sequoia 15.6.1  – Full Disclosure” »

  Posted by Apple Product Security via Fulldisclosure on Sep 08 APPLE-SA-08-20-2025-4 macOS Sonoma 14.7.8 macOS Sonoma 14.7.8 addresses the following issues. Information about the security content is also available at https://support.apple.com/124928. Apple maintains a Security Releases page at https://support.apple.com/100100 which lists recent software updates with security advisories. ImageIO Available for: macOS Sonoma Impact: Processing … Read More “APPLE-SA-08-20-2025-4 macOS Sonoma 14.7.8  – Full Disclosure” »

  Posted by Asterisk Development Team via Fulldisclosure on Sep 08 The Asterisk Development Team would like to announce security release Asterisk 22.5.2. The release artifacts are available for immediate download at https://github.com/asterisk/asterisk/releases/tag/22.5.2 and https://downloads.asterisk.org/pub/telephony/asterisk Repository: https://github.com/asterisk/asterisk Tag: 22.5.2 ## Change Log for Release asterisk-22.5.2 ### Links: – [Full ChangeLog](… – Read More  – Full Disclosure 

  Posted by Andrey Stoykov on Sep 08 # Exploit Title: Host Header Injection – silverstripecmsv6.0.0 # Date: 08/2025 # Exploit Author: Andrey Stoykov # Version: 6.0.0 # Tested on: Debian 12 # Blog: https://msecureltd.blogspot.com/2025/08/friday-fun-pentest-series-39-host.html Host Header Injection #1: Steps to Reproduce: – Login and change the Host header to Burp Collab domain – Upon … Read More “Host Header Injection – silverstripecmsv6.0.0  – Full Disclosure” »

  Posted by Andrey Stoykov on Sep 08 # Exploit Title: [Vuln] – silverstripecmsv6.0.0 # Date: 08/2025 # Exploit Author: Andrey Stoykov # Version: 6.0.0 # Tested on: Debian 12 # Blog: https://msecureltd.blogspot.com/2025/08/friday-fun-pentest-series-40-csv.html CSV Injection #1: Steps to Reproduce: – Login and visit “Security” > “Add Member” > “First Name” and enter payload of =30*30 … Read More “CSV Injection – silverstripecmsv6.0.0  – Full Disclosure” »

  Posted by Apple Product Security via Fulldisclosure on Sep 08 APPLE-SA-08-20-2025-1 iOS 18.6.2 and iPadOS 18.6.2 iOS 18.6.2 and iPadOS 18.6.2 addresses the following issues. Information about the security content is also available at https://support.apple.com/124925. Apple maintains a Security Releases page at https://support.apple.com/100100 which lists recent software updates with security advisories. ImageIO Available for: … Read More “APPLE-SA-08-20-2025-1 iOS 18.6.2 and iPadOS 18.6.2  – Full Disclosure” »

  Posted by George Joseph via Fulldisclosure on Sep 08 The Asterisk Development Team would like to announce security release Certified Asterisk 18.9-cert17. The release artifacts are available for immediate download at https://github.com/asterisk/asterisk/releases/tag/certified-18.9-cert17 and https://downloads.asterisk.org/pub/telephony/certified-asterisk Repository: https://github.com/asterisk/asterisk Tag: certified-18.9-cert17 ## Change Log for Release asterisk-certified-18.9-cert17 ###… – Read More  – Full Disclosure 

  Posted by josephgoyd via Fulldisclosure on Sep 08 Improper Input Validation in Siri Shortcuts and Shared Web Credentials Enables Persistent Background Execution, Retry Storms, and Sandbox Extension Abuse Date Discovered: August 20, 2025 Discovered By: Joseph Goydish II Affected: – iOS/macOS versions supporting Siri Shortcuts + Shared Web Credentials (SWC) – Confirmed on iPhone … Read More “(iOS 18.6.2) Improper Input Validation in Siri Shortcuts and Shared Web Credentials  – Full Disclosure” »

  Posted by josephgoyd via Fulldisclosure on Sep 08 [Zero-Day] AppleMediaServices Fail-Open Auth Bypass (All Platforms) Overview: A criticalzero-dayvulnerability in AppleMediaServices (AMS) affects all Apple platforms — iOS, macOS, tvOS, and watchOS. When AMS fails to fetch its remote “Bag” config file, it disables Mescal and Absinthe request signingwithout warning, falling back to unsigned, unauthenticated … Read More “[Zero-Day] AppleMediaServices Fail-Open Auth Bypass (All Platforms)  – Full Disclosure” »

  Posted by Joseph Goydish II via Fulldisclosure on Sep 08 TITLE: APPLE’S A17 PRO SILICON FLAW: SHARED I²C4 BUS BETWEEN SECURE ENCLAVE AND DIGITIZER CAUSES CASCADING SYSTEM FAILURE SUMMARY: This report discloses a CRITICAL HARDWARE FLAW in Apple’s A17 Pro chip (D84AP), affecting retail iPhone 15 Pro Max devices. The flaw results from a … Read More “Apple’s A17 Pro Chip: Critical Flaw Causes Dual Subsystem Failure & Forensic Log Loss  – Full Disclosure” »

  Posted by Asterisk Development Team via Fulldisclosure on Sep 08 The Asterisk Development Team would like to announce security release Asterisk 18.26.4. The release artifacts are available for immediate download at https://github.com/asterisk/asterisk/releases/tag/18.26.4 and https://downloads.asterisk.org/pub/telephony/asterisk Repository: https://github.com/asterisk/asterisk Tag: 18.26.4 ## Change Log for Release asterisk-18.26.4 ### Links: – [Full ChangeLog](… – Read More  – Full Disclosure 

  Posted by Asterisk Development Team via Fulldisclosure on Sep 08 The Asterisk Development Team would like to announce security release Asterisk 21.10.2. The release artifacts are available for immediate download at https://github.com/asterisk/asterisk/releases/tag/21.10.2 and https://downloads.asterisk.org/pub/telephony/asterisk Repository: https://github.com/asterisk/asterisk Tag: 21.10.2 ## Change Log for Release asterisk-21.10.2 ### Links: – [Full ChangeLog](… – Read More  – Full Disclosure 

  Posted by Asterisk Development Team via Fulldisclosure on Sep 08 The Asterisk Development Team would like to announce security release Asterisk 20.15.2. The release artifacts are available for immediate download at https://github.com/asterisk/asterisk/releases/tag/20.15.2 and https://downloads.asterisk.org/pub/telephony/asterisk Repository: https://github.com/asterisk/asterisk Tag: 20.15.2 ## Change Log for Release asterisk-20.15.2 ### Links: – [Full ChangeLog](… – Read More  – Full Disclosure 

  Posted by Ron E on Aug 18 nopCommerce is vulnerable to Insufficient Resource Allocation Limits when handling large Excel file imports. Although the application provides a warning message recommending that users avoid importing more than 500–1,000 records at once due to memory constraints, the system does not enforce hard limits on file size, record … Read More “Insufficient Resource Allocation Limits in nopCommerce v4.10 and v4.80.3 Excel Import Functionality  – Full Disclosure” »

  Posted by SEC Consult Vulnerability Lab via Fulldisclosure on Aug 18 Confidentiality class: Internal & Partner SEC Consult Vulnerability Lab Security Advisory < publishing date 20250807-0 > ======================================================================= title: Race Condition in Shopware Voucher Submission product: Shopware 6 vulnerable version: v6.6.10.4 fixed version: No fixed version available yet CVE number: CVE-2025-7954 impact: medium… – Read … Read More “SEC Consult SA-20250807-0 :: Race Condition in Shopware Voucher Submission  – Full Disclosure” »