Writeup Exploits
62,702 exploits tracked across all sources.
CVE-2014-1471
WRITEUP
OTRS 3.1.x-3.1.18, 3.2.x-3.2.13, 3.3.x-3.3.3 - SQL Injection via Ticket Search URL
SQL injection vulnerability in the StateGetStatesByType function in Kernel/System/State.pm in Open Ticket Request System (OTRS) 3.1.x before 3.1.19, 3.2.x before 3.2.14, and 3.3.x before 3.3.4 allows remote attackers to execute arbitrary SQL commands via vectors related to a ticket search URL.
CVE-2014-1691
WRITEUP
Horde Application Framework < 5.1.1 - Remote Code Execution via Serialized Object in _formvars
The framework/Util/lib/Horde/Variables.php script in the Util library in Horde before 5.1.1 allows remote attackers to conduct object injection attacks and execute arbitrary PHP code via a crafted serialized object in the _formvars form.
CVE-2014-1694
WRITEUP
OTRS 3.1.x < 3.1.19, 3.2.x < 3.2.14, 3.3.x < 3.3.4 - Cross-Site Request Forgery in Customer Ticket Modules
Multiple cross-site request forgery (CSRF) vulnerabilities in (1) CustomerPreferences.pm, (2) CustomerTicketMessage.pm, (3) CustomerTicketProcess.pm, and (4) CustomerTicketZoom.pm in Kernel/Modules/ in Open Ticket Request System (OTRS) 3.1.x before 3.1.19, 3.2.x before 3.2.14, and 3.3.x before 3.3.4 allow remote attackers to hijack the authentication of arbitrary users for requests that (5) create tickets or (6) send follow-ups to existing tickets.
CVE-2014-1739
WRITEUP
Linux kernel <3.14.6 - Info Disclosure
The media_device_enum_entities function in drivers/media/media-device.c in the Linux kernel before 3.14.6 does not initialize a certain data structure, which allows local users to obtain sensitive information from kernel memory by leveraging /dev/media0 read access for a MEDIA_IOC_ENUM_ENTITIES ioctl call.
CVE-2014-1836
WRITEUP
ImpressCMS < 1.3.6 - Path Traversal and Arbitrary File Deletion via Image Path Parameter
Absolute path traversal vulnerability in htdocs/libraries/image-editor/image-edit.php in ImpressCMS before 1.3.6 allows remote attackers to delete arbitrary files via a full pathname in the image_path parameter in a cancel action.
CVE-2014-1849
WRITEUP
Foscam IP Camera Firmware - Predictable Credential Generation in DynDNS Feature
Foscam IP camera 11.37.2.49 and other versions, when using the Foscam DynDNS option, generates credentials based on predictable camera subdomain names, which allows remote attackers to spoof or hijack arbitrary cameras and conduct other attacks by modifying arbitrary camera records in the Foscam DNS server.
NumPy < 1.8.1 - Arbitrary File Write via Symlink Attack on Temporary File
__init__.py in f2py in NumPy before 1.8.1 allows local users to write to arbitrary files via a symlink attack on a temporary file.
CVSS 5.5
NumPy < 1.8.1 - Arbitrary File Write via Symlink Attack on Temporary Files
(1) core/tests/test_memmap.py, (2) core/tests/test_multiarray.py, (3) f2py/f2py2e.py, and (4) lib/tests/test_io.py in NumPy before 1.8.1 allow local users to write to arbitrary files via a symlink attack on a temporary file.
CVSS 5.5
CVE-2014-1903
WRITEUP
FreePBX <2.9.0.14, <2.10.1.15, <2.11.0.23, <12.0.1alpha22 - RCE
admin/libraries/view.functions.php in FreePBX 2.9 before 2.9.0.14, 2.10 before 2.10.1.15, 2.11 before 2.11.0.23, and 12 before 12.0.1alpha22 does not restrict the set of functions accessible to the API handler, which allows remote attackers to execute arbitrary PHP code via the function and args parameters to admin/config.php.
CVE-2014-1944
WRITEUP
ilch_cms < 2.0 - Cross-Site Scripting via Guestbook Text Parameter
Cross-site scripting (XSS) vulnerability in Ilch CMS 2.0 and earlier allows remote attackers to inject arbitrary web script or HTML via the text parameter to index.php/guestbook/index/newentry.
CVE-2014-2064
WRITEUP
Jenkins <1.551, <1.532.2 - Info Disclosure
The loadUserByUsername function in hudson/security/HudsonPrivateSecurityRealm.java in Jenkins before 1.551 and LTS before 1.532.2 allows remote attackers to determine whether a user exists via vectors related to failed login attempts.
CVE-2014-2236
WRITEUP
askbot < 0.7.49 - Cross-Site Scripting via Tag or User Search Forms
Multiple cross-site scripting (XSS) vulnerabilities in Askbot before 0.7.49 allow remote attackers to inject arbitrary web script or HTML via vectors related to the (1) tag or (2) user search forms.
CVE-2014-2383
WRITEUP
dompdf < 0.6.1 - Arbitrary File Read via PHP Wrapper in input_file Parameter
dompdf.php in dompdf before 0.6.1, when DOMPDF_ENABLE_PHP is enabled, allows context-dependent attackers to bypass chroot protections and read arbitrary files via a PHP protocol and wrappers in the input_file parameter, as demonstrated by a php://filter/read=convert.base64-encode/resource in the input_file parameter.
CVE-2014-2734
WRITEUP
Ruby 2.x - Signature Spoofing via OpenSSL Extension Memory State
The openssl extension in Ruby 2.x does not properly maintain the state of process memory after a file is reopened, which allows remote attackers to spoof signatures within the context of a Ruby script that attempts signature verification after performing a certain sequence of filesystem operations. NOTE: this issue has been disputed by the Ruby OpenSSL team and third parties, who state that the original demonstration PoC contains errors and redundant or unnecessarily-complex code that does not appear to be related to a demonstration of the issue. As of 20140502, CVE is not aware of any public comment by the original researcher.
CVE-2014-2922
WRITEUP
pimcore 1.4.9-2.1.0 - PHP Object Injection and Arbitrary File Deletion via Newsletter Token Deserialization
The getObjectByToken function in Newsletter.php in the Pimcore_Tool_Newsletter module in pimcore 1.4.9 through 2.1.0 does not properly handle an object obtained by unserializing a pathname, which allows remote attackers to conduct PHP object injection attacks and delete arbitrary files via vectors involving a Zend_Http_Response_Stream object.
CVE-2014-3008
WRITEUP
Unitrends Enterprise Backup 7.3.0 - Authenticated OS Command Injection via SNMPD Comm Parameter
Unitrends Enterprise Backup 7.3.0 allows remote authenticated users to execute arbitrary commands via shell metacharacters in the comm parameter to recoveryconsole/bpl/snmpd.php.
web2project < 3.1 - Authenticated SQL Injection via Search String or Update Key Parameter
Multiple SQL injection vulnerabilities in web2Project 3.1 and earlier allow remote authenticated users to execute arbitrary SQL commands via the (1) search_string parameter in the contacts module to index.php or allow remote attackers to execute arbitrary SQL commands via the updatekey parameter to (2) do_updatecontact.php or (3) updatecontact.php.
CVSS 8.8
CVE-2014-3139
WRITEUP
Unitrends Enterprise Backup 7.3.0 - Unauthenticated Authentication Bypass via SNMPD Auth Parameter
recoveryconsole/bpl/snmpd.php in Unitrends Enterprise Backup 7.3.0 allows remote attackers to bypass authentication by setting the auth parameter to a certain string.
Linux Kernel <=3.14.5 - Privilege Escalation
The futex_requeue function in kernel/futex.c in the Linux kernel through 3.14.5 does not ensure that calls have two different futex addresses, which allows local users to gain privileges via a crafted FUTEX_REQUEUE command that facilitates unsafe waiter modification.
CVSS 7.8
CVE-2014-3220
WRITEUP
F5 BIG-IQ Cloud and Security 4.0.0-4.1.0 - Authenticated Arbitrary Password Change via User Name Parameter
F5 BIG-IQ Cloud and Security 4.0.0 through 4.1.0 allows remote authenticated users to change the password of arbitrary users via the name parameter in a request to the user's page in mgmt/shared/authz/users/.
CVE-2014-3418
WRITEUP
Infoblox NetMRI < 6.8.5 - OS Command Injection via skipjackUsername Parameter
config/userAdmin/login.tdf in Infoblox NetMRI before 6.8.5 allows remote attackers to execute arbitrary commands via shell metacharacters in the skipjackUsername parameter.
CVE-2014-3488
WRITEUP
Netty < 3.9.2 - Denial of Service via SSLv2Hello Message
The SslHandler in Netty before 3.9.2 allows remote attackers to cause a denial of service (infinite loop and CPU consumption) via a crafted SSLv2Hello message.
CVE-2014-3538
WRITEUP
file < 5.19 - Denial of Service via Regex Backtracking in AWK Rule Processing
file before 5.19 does not properly restrict the amount of data read during a regex search, which allows remote attackers to cause a denial of service (CPU consumption) via a crafted file that triggers backtracking during processing of an awk rule. NOTE: this vulnerability exists because of an incomplete fix for CVE-2013-7345.