Full Disclosure

A public, vendor-neutral forum for detailed discussion of vulnerabilities and exploitation techniques, as well as tools, papers, news, and events of interest to the community. The relaxed atmosphere of this quirky list provides some comic relief and certain industry gossip. More importantly, fresh vulnerabilities sometimes hit this list many hours or days before they pass through the Bugtraq moderation queue.

  • [REVIVE-SA-2026-001] Revive Adserver Vulnerabilities
    on January 15, 2026 at 4:02 am

    Posted by Matteo Beccati on Jan 14: Revive Adserver Security Advisory REVIVE-SA-2026-001 (https://www.revive-adserver.com/security/revive-sa-2026-001). Date: 2026-01-14. Risk Level: High. Applications affected: Revive…

  • Defense in depth — the Microsoft way (part 95): the (shared) “Start Menu” is dispensable
    on January 11, 2026 at 4:24 am

    Posted by Stefan Kanthak via Fulldisclosure on Jan 10: Hi @ll, the following is a condensed form of <https://skanthak.hier-im-netz.de/whispers.html#whisper3> and <https://skanthak.hier-im-netz.de/whispers.html#whisper4>. Windows Vista moved the shared start menu from “%ALLUSERSPROFILE%\Start Menu\” to “%ProgramData%\Microsoft\Windows\Start Menu\”, with some shortcuts (*.lnk) “reflected” from the (immutable) component store below %SystemRoot%\WinSxS\ JFTR:…

  • Re: Multiple Security Misconfigurations and Customer Enumeration Exposure in Convercent Whistleblowing Platform (EQS Group)
    on January 11, 2026 at 4:24 am

    Posted by Art Manion via Fulldisclosure on Jan 10: Hi, CVE IDs *can* be assigned for SaaS or similarly “cloud only” software. For a period of time, there was a restriction that only the provider could make or request such an assignment. But the current CVE rules remove this restriction: 4.2.3 CNAs MUST NOT consider the type of technology (e.g., cloud, on-premises, artificial intelligence, machine learning) as the sole basis for determining assignment. It would have been…

  • RIOT OS 2026.01-devel-317 Stack-Based Buffer Overflow in RIOT ethos Serial Frame Parser
    on January 11, 2026 at 4:24 am

    Posted by Ron E on Jan 10: A stack-based buffer overflow vulnerability exists in the RIOT OS ethos utility due to missing bounds checking when processing incoming serial frame data. The vulnerability occurs in the _handle_char() function, where incoming frame bytes are appended to a fixed-size stack buffer (serial->frame) without verifying that the current write index (serial->framebytes) remains within bounds. An attacker capable of sending crafted serial or…

  • RIOT OS 2026.01-devel-317 Stack-Based Buffer Overflow in tapslip6 Utility via Unbounded Device Path Construction
    on January 11, 2026 at 4:23 am

    Posted by Ron E on Jan 10: A stack-based buffer overflow vulnerability exists in the tapslip6 utility distributed with RIOT OS (and derived from the legacy uIP/Contiki networking tools). The vulnerability is caused by unsafe string concatenation in the devopen() function, which constructs a device path using unbounded user-controlled input. Specifically, tapslip6 uses strcpy() and strcat() to concatenate the fixed prefix “/dev/” with a user-supplied device name…

  • TinyOS 2.1.2 Stack-Based Buffer Overflow in mcp2200gpio
    on January 11, 2026 at 4:23 am

    Posted by Ron E on Jan 10: A stack-based buffer overflow vulnerability exists in the mcp2200gpio utility due to unsafe use of strcpy() and strcat() when constructing device paths during automatic device discovery. A local attacker can trigger the vulnerability by creating a specially crafted filename under /dev/usb/, resulting in stack memory corruption and a process crash. In non-hardened builds, this may lead to arbitrary code execution. *Root Cause:* The vulnerability…

  • TinyOS 2.1.2 printfUART Global Buffer Overflow via Unbounded Format Expansion
    on January 11, 2026 at 4:23 am

    Posted by Ron E on Jan 10: A global buffer overflow vulnerability exists in the TinyOS printfUART implementation used within the ZigBee / IEEE 802.15.4 networking stack. The issue arises from an unsafe custom sprintf() routine that performs unbounded string concatenation using strcat() into a fixed-size global buffer. The global buffer debugbuf, defined with a size of 256 bytes, is used as the destination for formatted output. When a %s format specifier is supplied with a…

  • KL-001-2026-01: yintibao Fun Print Mobile Unauthorized Access via Context Hijacking
    on January 8, 2026 at 9:03 pm

    Posted by KoreLogic Disclosures via Fulldisclosure on Jan 08: KL-001-2026-01: yintibao Fun Print Mobile Unauthorized Access via Context Hijacking. Title: yintibao Fun Print Mobile Unauthorized Access via Context Hijacking. Advisory ID: KL-001-2026-001. Publication Date: 2026-01-08. Publication URL: https://korelogic.com/Resources/Advisories/KL-001-2026-001.txt 1. Vulnerability Details: Affected Vendor: yintibao; Affected Product: Fun Print Mobile; Affected Version: 6.05.15 …

  • Multiple Security Misconfigurations and Customer Enumeration Exposure in Convercent Whistleblowing Platform (EQS Group)
    on January 6, 2026 at 7:00 am

    Posted by Yuffie Kisaragi via Fulldisclosure on Jan 05: UPDATE: Following the publication of these vulnerabilities and the subsequent CVE assignments, the CVE identifiers have now been revoked. The vendor (EQS Group) contacted the CVE Program (via a CNA) and disputed the records, stating that the affected product is an exclusively hosted SaaS platform with no customer-managed deployment or versioning. Based on this argument, the CVE Program concluded that CVE assignment is “not a suitable…

  • Panda3d v1.10.16 Uncontrolled Format String in Panda3D egg-mkfont Allows Stack Memory Disclosure
    on January 6, 2026 at 6:59 am

    Posted by Ron E on Jan 05: Panda3D’s egg-mkfont utility contains an uncontrolled format string vulnerability that allows disclosure of stack-resident memory. The -gp (glyph pattern) command-line option allows users to specify a formatting pattern intended for generating glyph texture filenames. This pattern is passed directly as the format string to sprintf() without validation or sanitization. If the supplied pattern contains additional format specifiers beyond the…

  • Panda3d v1.10.16 egg-mkfont Stack Buffer Overflow
    on January 6, 2026 at 6:59 am

    Posted by Ron E on Jan 05: A stack-based buffer overflow vulnerability exists in the Panda3D egg-mkfont utility due to the use of an unbounded sprintf() call with attacker-controlled input. By supplying an excessively long glyph pattern string via the -gp command-line option, an attacker can trigger a stack buffer overflow, resulting in a deterministic crash of the egg-mkfont process. *Technical Details:* The vulnerability occurs when egg-mkfont constructs output glyph…

  • Panda3d v1.10.16 deploy-stub Unbounded Stack Allocation Leading to Uninitialized Memory
    on January 6, 2026 at 6:59 am

    Posted by Ron E on Jan 05: A memory safety vulnerability exists in the Panda3D deploy-stub executable due to unbounded stack allocation using attacker-controlled input. The issue allows a local attacker to trigger stack exhaustion and subsequent use of uninitialized memory during Python interpreter initialization, resulting in a reliable crash and undefined behavior. The vulnerability is confirmed by MemorySanitizer (MSAN) as a use-of-uninitialized-value originating from…

  • MongoDB v8.3.0 Integer Underflow in LMDB mdb_load
    on January 6, 2026 at 6:59 am

    Posted by Ron E on Jan 05: This integer underflow vulnerability enables heap metadata corruption and information disclosure through carefully crafted LMDB dump files. *Impact:* – *Denial of Service*: Immediate crash (confirmed) – *Information Disclosure*: Heap metadata leak via OOB read. Root Cause: The readline() function fails to validate that the input line length is non-zero before performing decrement operations, causing integer underflow. An attacker can craft…

  • Bioformats v8.3.0 Untrusted Deserialization of Bio-Formats Memoizer Cache Files
    on January 6, 2026 at 6:59 am

    Posted by Ron E on Jan 05: Bio-Formats performs unsafe Java deserialization of attacker-controlled memoization cache files (.bfmemo) during image processing. The loci.formats.Memoizer class automatically loads and deserializes memo files associated with images without validation, integrity checks, or trust enforcement. An attacker can exploit this behavior by supplying a crafted or corrupted .bfmemo file—either fully attacker-controlled or derived from a legitimate memo…

  • Bioformats v8.3.0 Improper Restriction of XML External Entity Reference in Bio-Formats Leica Microsystems XML Parser
    on January 6, 2026 at 6:59 am

    Posted by Ron E on Jan 05: Bio-Formats contains an XML External Entity (XXE) vulnerability in the Leica Microsystems metadata parsing component. The vulnerability is caused by the use of an insecurely configured DocumentBuilderFactory when processing Leica XML-based metadata files (e.g., XLEF). When a crafted XML file is supplied, the parser allows external entity resolution and external DTD loading, enabling attackers to trigger arbitrary outbound network requests, access…
