Exploitdb Exploits
3,138 exploits tracked across all sources.
Linux kernel <2.6.25 - Info Disclosure
The copy_from_user_mmap_sem function in fs/splice.c in the Linux kernel 2.6.22 through 2.6.24 does not validate a certain userspace pointer before dereference, which allow local users to read from arbitrary kernel memory locations.
Linux Kernel <2.6.11.5 - Privilege Escalation
The bluez_sock_create function in the Bluetooth stack for Linux kernel 2.4.6 through 2.4.30-rc1 and 2.6 through 2.6.11.5 allows local users to gain privileges via (1) socket or (2) socketpair call with a negative protocol value.
IRIX - Local Buffer Overflow via lpr -C Option
Buffer overflow in lpr, as used in BSD-based systems including Linux, allows local users to execute arbitrary code as root via a long -C (classification) command line option.
Apport <2.17.1 - Privilege Escalation
The crash reporting feature in Apport 2.13 through 2.17.x before 2.17.1 allows local users to gain privileges via a crafted usr/share/apport/apport file in a namespace (container).
Red Hat Linux 6.x - Denial of Service via Malformed X Font Server Request
The X font server xfs in Red Hat Linux 6.x allows an attacker to cause a denial of service via a malformed request.
Apache HTTP Server 1.3.x 2.0.35-2.0.64 2.2.0-2.2.19 - Denial of Service via Range Header Overlap
The byterange filter in the Apache HTTP Server 1.3.x, 2.0.x through 2.0.64, and 2.2.x through 2.2.19 allows remote attackers to cause a denial of service (memory and CPU consumption) via a Range header that expresses multiple overlapping ranges, as exploited in the wild in August 2011, a different vulnerability than CVE-2007-0086.
Wireless IP Camera (P2P) WIFICAM - Missing Encryption of Sensitive Data via Cleartext UDP Tunnel
Wireless IP Camera (P2P) WIFICAM devices rely on a cleartext UDP tunnel protocol (aka the Cloud feature) for communication between an Android application and a camera device, which allows remote attackers to obtain sensitive information by sniffing the network.
CVSS 7.5
Wireless IP Camera (P2P) WIFICAM - Insufficiently Protected Credentials via Hardcoded RSA Key
Wireless IP Camera (P2P) WIFICAM devices have an "Apple Production IOS Push Services" private RSA key and certificate stored in /system/www/pem/ck.pem inside the firmware, which allows attackers to obtain sensitive information.
CVSS 7.5
Wireless IP Camera (P2P) WIFICAM - Unauthenticated RTSP Stream Access via Port 10554
On Wireless IP Camera (P2P) WIFICAM devices, an attacker can use the RTSP server on port 10554/tcp to watch the streaming without authentication via tcp/av0_1 or tcp/av0_0.
CVSS 7.5
Wireless IP Camera (P2P) WIFICAM Firmware - Use of Hard-coded Credentials
Wireless IP Camera (P2P) WIFICAM devices have a backdoor root account that can be accessed with TELNET.
CVSS 9.8
Borland InterBase 6.0 - Local Buffer Overflow via INTERBASE Environment Variable
Buffer overflow in Borland InterBase 6.0 allows local users to execute arbitrary code via a long INTERBASE environment variable when calling (1) gds_drop, (2) gds_lock_mgr, or (3) gds_inet_server.
IRIX - Local Buffer Overflow via lpr -C Option
Buffer overflow in lpr, as used in BSD-based systems including Linux, allows local users to execute arbitrary code as root via a long -C (classification) command line option.
IBM AIX 5.1.0-5.3.0 - Buffer Overflow via Long Command Line Argument
Buffer overflow in invscout in IBM AIX 5.1.0 through 5.3.0 might allow local users to execute arbitrary code via a long command line argument.
esm.sh < 136.1 - Path Traversal and Arbitrary File Write via X-Zone-Id Header
esm.sh is a nobuild content delivery network(CDN) for modern web development. In 136 and earlier, a path-traversal flaw in the handling of the X-Zone-Id HTTP header allows an attacker to cause the application to write files outside the intended storage location. The header value is used to build a filesystem path but is not properly canonicalized or restricted to the application’s storage base directory. As a result, supplying ../ sequences in X-Zone-Id causes files to be written to arbitrary directories. Version 136.1 contains a patch.
by Byte Reaper
Windows Hyper-V NT Kernel Integration VSP - Elevation of Privilege via Heap-based Buffer Overflow
Windows Hyper-V NT Kernel Integration VSP Elevation of Privilege Vulnerability
by Milad Karimi (Ex3ptionaL)
CVSS 7.8
ELEX WooCommerce Google Shopping <1.4.3 - SQL Injection
The ELEX WooCommerce Google Shopping (Google Product Feed) plugin for WordPress is vulnerable to SQL Injection via the 'file_to_delete' parameter in all versions up to, and including, 1.4.3 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with Administrator-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.
by Byte Reaper
CVSS 4.9
Mbed TLS < 3.6.4 - Use-After-Free in mbedtls_x509_string_to_names()
Mbed TLS before 3.6.4 allows a use-after-free in certain situations of applications that are developed in accordance with the documentation. The function mbedtls_x509_string_to_names() takes a head argument that is documented as an output argument. The documentation does not suggest that the function will free that pointer; however, the function does call mbedtls_asn1_free_named_data_list() on that argument, which performs a deep free(). As a result, application code that uses this function (relying only on documented behavior) is likely to still hold pointers to the memory blocks that were freed, resulting in a high risk of use-after-free or double-free. In particular, the two sample programs x509/cert_write and x509/cert_req are affected (use-after-free if the san string contains more than one DN).
by Byte Reaper
CVSS 8.9
Birth Chart Compatibility <2.0 - Info Disclosure
The Birth Chart Compatibility plugin for WordPress is vulnerable to Full Path Disclosure in all versions up to, and including, 2.0. This is due to insufficient protection against directly accessing the plugin's index.php file, which causes an error exposing the full path. This makes it possible for unauthenticated attackers to retrieve the full path of the web application, which can be used to aid other attacks. The information displayed is not useful on its own, and requires another vulnerability to be present for damage to an affected website.
by Byte Reaper
CVSS 5.3
Lantronix Provisioning Manager - RCE
Lantronix Provisioning Manager is vulnerable to XML external entity attacks in configuration files supplied by network devices, leading to unauthenticated remote code execution on hosts with Provisioning Manager installed.
by Byte Reaper
CVSS 8.0
Tenda AC20 16.03.08.12 - Command Injection
A vulnerability was identified in Tenda AC20 16.03.08.12. Affected is the function websFormDefine of the file /goform/telnet of the component Telnet Service. The manipulation leads to command injection. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used.
by Byte Reaper
CVSS 6.3
projectworlds Online Admission System 1.0 - SQL Injection via /adminlogin.php a_id Parameter
A vulnerability, which was classified as critical, has been found in projectworlds Online Admission System 1.0. This issue affects some unknown processing of the file /adminlogin.php. The manipulation of the argument a_id leads to sql injection. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used.
by Byte Reaper
CVSS 7.3
pybbs < 6.0.0 - Cross-Site Scripting via Username Parameter in Admin Topic List
A vulnerability was found in atjiu pybbs up to 6.0.0. It has been declared as problematic. Affected by this vulnerability is an unknown functionality of the file /admin/topic/list. The manipulation of the argument Username leads to cross site scripting. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. The patch is named 2fe4a51afbce0068c291bc1818bbc8f7f3b01a22. It is recommended to apply a patch to fix this issue.
by Byte Reaper
CVSS 2.4
Tigo Energy's CCA - Command Injection
Tigo Energy's CCA is vulnerable to a command injection vulnerability in the /cgi-bin/mobile_api endpoint when the DEVICE_PING command is called, allowing remote code execution due to improper handling of user input. When used with default credentials, this enables attackers to execute arbitrary commands on the device that could cause potential unauthorized access, service disruption, and data exposure.
by Byte Reaper
Belkin F9K1009/F9K1010 <2.00.04/2.09 - Hard-coded Credentials
A vulnerability was found in Belkin F9K1009 and F9K1010 2.00.04/2.00.09 and classified as critical. Affected by this issue is some unknown functionality of the component Web Interface. The manipulation leads to hard-coded credentials. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
by Byte Reaper
CVSS 9.8
lpar2rrd < 8.04 - Authenticated Directory Traversal and Remote Code Execution via File Upload
An authenticated, read-only user can upload a file and perform a directory traversal to have the uploaded file placed in a location of their choosing. This can be used to overwrite existing PERL modules within the application to achieve remote code execution (RCE) by an attacker.
by Byte Reaper
CVSS 8.8
By Source