[ home ]  [ private ]  [ 0Day ]  [ discount ]  [ Get Gold ]  [ platforms ]  [ pentest ]  [ search ]  [ faq ]  [ contact ]  [ style ]  [ Prices in Gold ]   db: 39 443    
0day Today Exploit DB Official Facebook
0day Today Exploit DB Official Twitter
0day Today Exploit DB Official RSS Channel
Tor
We DO NOT use Telegram or any messengers / social networks!
We DO NOT use Telegram or any messengers / social networks!

We DO NOT use Telegram or any messengers / social networks!

Please, beware of scammers!

 
0day.today - Biggest Exploit Database in the World.
Select your language:  
English
English
Русский
Русский
Deutsch
Deutsch
Türkçe
Türkçe
Français
Français
Italiano
Italiano
Español
Español
Romania
Romania
Polskie
Polskie
العربية
العربية
Japan
Japan
China
China
Things you should know about 0day.today:
  • We use one main domain: http://0day.today
  • Most of the materials is completely FREE
  • If you want to purchase the exploit / get V.I.P. access or pay for any other service,
    you need to buy or earn GOLD
We accept currencies: [contact admin to find more]
           
We don't want you to use our site as a tool for hacking purposes, so any kind of action that could affect illegaly other users or websites that you don't have right to access will be banned and your account including your data will be destroyed.

Administration of this site uses the official contacts. Beware of impostors!
We DO NOT use Telegram or any messengers / social networks! We DO NOT use Telegram or any messengers / social networks!
Please, beware of scammers!
I am registered user of 0day.today. I don't want to see this screen in future.
What to do first?
  1. Read the [ agreement ]
  2. Read the [ Submit ] rules
  3. Visit the [ faq ] page
  4. [ Register ] profile
  5. Get [ GOLD ]
  6. If you want to [ sell ]
  7. If you want to [ buy ]
  8. If you lost [ Account ]
  9. Any questions [ admin@0day.today ]


Main links


You can contact us by

Mail:
mr.inj3ct0r@gmail.com
Facebook:
Inj3ct0rs
Twitter:
Inj3ct0r
Telegram:
We DO NOT use Telegram or any messengers / social networks!
[ authorization ] [ registration ] [ restore account ]
Contact us
You can contact us by:
Mail:
mr.inj3ct0r@gmail.com
Facebook:
Inj3ct0rs
Twitter:
Inj3ct0r
Telegram:
We DO NOT use Telegram or any messengers / social networks!
0day Today Exploits Market and 0day Exploits Database

WebKitGTK+ Code Execution / Cookie Handling / Memory Corruption Vulnerabilities

Author
WebKitGTK+ Team
Risk
[
Security Risk Critical
]
0day-ID
0day-ID-28824
Category
remote exploits
Date add
19-10-2017
CVE
CVE-2017-7081
CVE-2017-7087
CVE-2017-7089
CVE-2017-7090
CVE-2017-7091
CVE-2017-7092
CVE-2017-7093
CVE-2017-7094
CVE-2017-7095
CVE-2017-7096
CVE-2017-7098
CVE-2017-7099
CVE-2017-7100
CVE-2017-7102
CVE-2017-7104
CVE-2017-7107
CVE-2017-7109
Platform
multiple
------------------------------------------------------------------------
WebKitGTK+ Security Advisory                               
------------------------------------------------------------------------

Date reported      : October 18, 2017
Advisory ID        : WSA-2017-0008
Advisory URL       : https://webkitgtk.org/security/WSA-2017-0008.html
CVE identifiers    : CVE-2017-7081, CVE-2017-7087, CVE-2017-7089,
                     CVE-2017-7090, CVE-2017-7091, CVE-2017-7092,
                     CVE-2017-7093, CVE-2017-7094, CVE-2017-7095,
                     CVE-2017-7096, CVE-2017-7098, CVE-2017-7099,
                     CVE-2017-7100, CVE-2017-7102, CVE-2017-7104,
                     CVE-2017-7107, CVE-2017-7109, CVE-2017-7111,
                     CVE-2017-7117, CVE-2017-7120, CVE-2017-7142.

Several vulnerabilities were discovered in WebKitGTK+.

CVE-2017-7081
    Versions affected: WebKitGTK+ before 2.16.1.
    Credit to Apple.
    Impact: Processing maliciously crafted web content may lead to
    arbitrary code execution. Description: A memory corruption issue was
    addressed through improved input validation.

CVE-2017-7087
    Versions affected: WebKitGTK+ before 2.18.0.
    Credit to Apple.
    Impact: Processing maliciously crafted web content may lead to
    arbitrary code execution. Description: Multiple memory corruption
    issues were addressed with improved memory handling.

CVE-2017-7089
    Versions affected: WebKitGTK+ before 2.18.0.
    Credit to Anton Lopanitsyn of ONSEC, Frans RosA(c)n of Detectify.
    Impact: Processing maliciously crafted web content may lead to
    universal cross site scripting. Description: A logic issue existed
    in the handling of the parent-tab. This issue was addressed with
    improved state management.

CVE-2017-7090
    Versions affected: WebKitGTK+ before 2.18.0.
    Credit to Apple.
    Impact: Cookies belonging to one origin may be sent to another
    origin. Description: A permissions issue existed in the handling of
    web browser cookies. This issue was addressed by no longer returning
    cookies for custom URL schemes.

CVE-2017-7091
    Versions affected: WebKitGTK+ before 2.18.0.
    Credit to Wei Yuan of Baidu Security Lab working with Trend Microas
    Zero Day Initiative.
    Impact: Processing maliciously crafted web content may lead to
    arbitrary code execution. Description: Multiple memory corruption
    issues were addressed with improved memory handling.

CVE-2017-7092
    Versions affected: WebKitGTK+ before 2.18.0.
    Credit to Qixun Zhao (@S0rryMybad) of Qihoo 360 Vulcan Team, Samuel
    Gro and Niklas Baumstark working with Trend Micro's Zero Day
    Initiative.
    Impact: Processing maliciously crafted web content may lead to
    arbitrary code execution. Description: Multiple memory corruption
    issues were addressed with improved memory handling.

CVE-2017-7093
    Versions affected: WebKitGTK+ before 2.18.0.
    Credit to Samuel Gro and Niklas Baumstark working with Trend Microas
    Zero Day Initiative.
    Impact: Processing maliciously crafted web content may lead to
    arbitrary code execution. Description: Multiple memory corruption
    issues were addressed with improved memory handling.

CVE-2017-7094
    Versions affected: WebKitGTK+ before 2.16.3.
    Credit to Tim Michaud (@TimGMichaud) of Leviathan Security Group.
    Impact: Processing maliciously crafted web content may lead to
    arbitrary code execution. Description: Multiple memory corruption
    issues were addressed with improved memory handling.

CVE-2017-7095
    Versions affected: WebKitGTK+ before 2.18.0.
    Credit to Wang Junjie, Wei Lei, and Liu Yang of Nanyang
    Technological University working with Trend Microas Zero Day
    Initiative.
    Impact: Processing maliciously crafted web content may lead to
    arbitrary code execution. Description: Multiple memory corruption
    issues were addressed with improved memory handling.

CVE-2017-7096
    Versions affected: WebKitGTK+ before 2.18.0.
    Credit to Wei Yuan of Baidu Security Lab.
    Impact: Processing maliciously crafted web content may lead to
    arbitrary code execution. Description: Multiple memory corruption
    issues were addressed with improved memory handling.

CVE-2017-7098
    Versions affected: WebKitGTK+ before 2.18.0.
    Credit to Felipe Freitas of Instituto TecnolA3gico de AeronA!utica.
    Impact: Processing maliciously crafted web content may lead to
    arbitrary code execution. Description: Multiple memory corruption
    issues were addressed with improved memory handling.

CVE-2017-7099
    Versions affected: WebKitGTK+ before 2.16.4.
    Credit to Apple.
    Impact: Processing maliciously crafted web content may lead to
    arbitrary code execution. Description: Multiple memory corruption
    issues were addressed with improved memory handling.

CVE-2017-7100
    Versions affected: WebKitGTK+ before 2.18.0.
    Credit to Masato Kinugawa and Mario Heiderich of Cure53.
    Impact: Processing maliciously crafted web content may lead to
    arbitrary code execution. Description: Multiple memory corruption
    issues were addressed with improved memory handling.

CVE-2017-7102
    Versions affected: WebKitGTK+ before 2.18.0.
    Credit to Wang Junjie, Wei Lei, and Liu Yang of Nanyang
    Technological University.
    Impact: Processing maliciously crafted web content may lead to
    arbitrary code execution. Description: Multiple memory corruption
    issues were addressed with improved memory handling.

CVE-2017-7104
    Versions affected: WebKitGTK+ before 2.18.0.
    Credit to likemeng of Baidu Secutity Lab.
    Impact: Processing maliciously crafted web content may lead to
    arbitrary code execution. Description: Multiple memory corruption
    issues were addressed with improved memory handling.

CVE-2017-7107
    Versions affected: WebKitGTK+ before 2.18.0.
    Credit to Wang Junjie, Wei Lei, and Liu Yang of Nanyang
    Technological University.
    Impact: Processing maliciously crafted web content may lead to
    arbitrary code execution. Description: Multiple memory corruption
    issues were addressed with improved memory handling.

CVE-2017-7109
    Versions affected: WebKitGTK+ before 2.18.0.
    Credit to avlidienbrunn.
    Impact: Processing maliciously crafted web content may lead to a
    cross site scripting attack. Description: Application Cache policy
    may be unexpectedly applied.

CVE-2017-7111
    Versions affected: WebKitGTK+ before 2.18.0.
    Credit to likemeng of Baidu Security Lab (xlab.baidu.com) working
    with Trend Micro's Zero Day Initiative.
    Impact: Processing maliciously crafted web content may lead to
    arbitrary code execution. Description: Multiple memory corruption
    issues were addressed with improved memory handling.

CVE-2017-7117
    Versions affected: WebKitGTK+ before 2.18.0.
    Credit to lokihardt of Google Project Zero.
    Impact: Processing maliciously crafted web content may lead to
    arbitrary code execution. Description: Multiple memory corruption
    issues were addressed with improved memory handling.

CVE-2017-7120
    Versions affected: WebKitGTK+ before 2.18.0.
    Credit to chenqin (ee|) of Ant-financial Light-Year Security Lab.
    Impact: Processing maliciously crafted web content may lead to
    arbitrary code execution. Description: Multiple memory corruption
    issues were addressed with improved memory handling.

CVE-2017-7142
    Versions affected: WebKitGTK+ before 2.16.1.
    Credit to an anonymous researcher.
    Impact: Website data may persist after a Safari Private browsing
    session. Description: An information leakage issue existed in the
    handling of website data in Safari Private windows. This issue was
    addressed with improved data handling.


We recommend updating to the last stable version of WebKitGTK+. It is
the best way of ensuring that you are running a safe version of
WebKitGTK+. Please check our website for information about the last
stable releases.

Further information about WebKitGTK+ Security Advisories can be found
at: https://webkitgtk.org/security.html

The WebKitGTK+ team,
October 18, 2017

#  0day.today [2024-06-28]  #
0day Today Exploit Database buy and sell exploits type (local, remote, DoS, PoC, etc.)
Send all submissions to mr.inj3ct0r[at]gmail.com
Copyright © 2008-2024 0day Today Team