Harry Sintonen

8 exploits Active since Feb 2011
CVE-2021-22898 WRITEUP LOW WRITEUP
curl <7.76.1 - Info Disclosure
curl 7.7 through 7.76.1 suffers from an information disclosure when the `-t` command line option, known as `CURLOPT_TELNETOPTIONS` in libcurl, is used to send variable=content pairs to TELNET servers. Due to a flaw in the option parser for sending NEW_ENV variables, libcurl could be made to pass on uninitialized data from a stack based buffer to the server, resulting in potentially revealing sensitive internal information to the server using a clear-text network protocol.
CVSS 3.1
CVE-2021-22901 WRITEUP HIGH WRITEUP
curl <7.76.2 - Use After Free
curl 7.75.0 through 7.76.1 suffers from a use-after-free vulnerability resulting in already freed memory being used when a TLS 1.3 session ticket arrives over a connection. A malicious server can use this in rare unfortunate circumstances to potentially reach remote code execution in the client. When libcurl at run-time sets up support for TLS 1.3 session tickets on a connection using OpenSSL, it stores pointers to the transfer in-memory object for later retrieval when a session ticket arrives. If the connection is used by multiple transfers (like with a reused HTTP/1.1 connection or multiplexed HTTP/2 connection) that first transfer object might be freed before the new session is established on that connection and then the function will access a memory buffer that might be freed. When using that memory, libcurl might even call a function pointer in the object, making it possible for a remote code execution if the server could somehow manage to get crafted memory content into the correct place in memory.
CVSS 8.1
CVE-2017-6360 EXPLOITDB CRITICAL text WORKING POC
Qnap Qts < 4.2.4 - OS Command Injection
QNAP QTS before 4.2.4 Build 20170313 allows attackers to gain administrator privileges and obtain sensitive information via unspecified vectors.
CVSS 9.8
CVE-2017-6359 EXPLOITDB CRITICAL text WORKING POC
Qnap Qts < 4.2.4 - OS Command Injection
QNAP QTS before 4.2.4 Build 20170313 allows attackers to gain administrator privileges and execute arbitrary commands via unspecified vectors.
CVSS 9.8
CVE-2019-6111 EXPLOITDB MEDIUM python WORKING POC
Openbsd Openssh < 7.9 - Path Traversal
An issue was discovered in OpenSSH 7.9. Due to the scp implementation being derived from 1983 rcp, the server chooses which files/directories are sent to the client. However, the scp client only performs cursory validation of the object name returned (only directory traversal attacks are prevented). A malicious scp server (or Man-in-The-Middle attacker) can overwrite arbitrary files in the scp client target directory. If recursive operation (-r) is performed, the server can manipulate subdirectories as well (for example, to overwrite the .ssh/authorized_keys file).
CVSS 5.9
CVE-2011-0522 EXPLOITDB text WORKING POC
Videolan Vlc Media Player - Memory Corruption
The StripTags function in (1) the USF decoder (modules/codec/subtitles/subsdec.c) and (2) the Text decoder (modules/codec/subtitles/subsusf.c) in VideoLAN VLC Media Player 1.1 before 1.1.6-rc allows remote attackers to execute arbitrary code via a subtitle with an opening "<" without a closing ">" in an MKV file, which triggers heap memory corruption, as demonstrated using refined-australia-blu720p-sample.mkv.
CVE-2018-0494 EXPLOITDB MEDIUM text WRITEUP
GNU Wget < 1.19.5 - Improper Input Validation
GNU Wget before 1.19.5 is prone to a cookie injection vulnerability in the resp_new function in http.c via a \r\n sequence in a continuation line.
CVSS 6.5
CVE-2017-6361 EXPLOITDB CRITICAL text WORKING POC
Qnap Qts < 4.2.4 - OS Command Injection
QNAP QTS before 4.2.4 Build 20170313 allows attackers to execute arbitrary commands via unspecified vectors.
CVSS 9.8