Writeup Exploits

62,769 exploits tracked across all sources.

CVE-2015-3159 WRITEUP HIGH
Automatic Bug Reporting Tool - Privilege Escalation via Environment Variable Handling
The abrt-action-install-debuginfo-to-abrt-cache help program in Automatic Bug Reporting Tool (ABRT) does not properly handle the process environment before invoking abrt-action-install-debuginfo, which allows local users to gain privileges.
CVSS 7.8
CVE-2015-3183 WRITEUP
Apache HTTP Server 2.2.0-2.2.30 - HTTP Request Smuggling via Chunked Transfer Coding
The chunked transfer coding implementation in the Apache HTTP Server before 2.4.14 does not properly parse chunk headers, which allows remote attackers to conduct HTTP request smuggling attacks via a crafted request, related to mishandling of large chunk-size values and invalid chunk-extension characters in modules/http/http_filters.c.
CVE-2015-3185 WRITEUP
Apache HTTP Server <2.4.14 - Auth Bypass
The ap_some_auth_required function in server/request.c in the Apache HTTP Server 2.4.x before 2.4.14 does not consider that a Require directive may be associated with an authorization setting rather than an authentication setting, which allows remote attackers to bypass intended access restrictions in opportunistic circumstances by leveraging the presence of a module that relies on the 2.2 API behavior.
CVE-2015-3202 WRITEUP
FUSE <2.9.3-15 - Local Privilege Escalation
fusermount in FUSE before 2.9.3-15 does not properly clear the environment before invoking (1) mount or (2) umount as root, which allows local users to write to arbitrary files via a crafted LIBMOUNT_MTAB environment variable that is used by mount's debugging feature.
CVE-2015-3214 WRITEUP
Linux kernel <2.6.33 & QEMU <2.3.1 - Use After Free
The pit_ioport_read in i8254.c in the Linux kernel before 2.6.33 and QEMU before 2.3.1 does not distinguish between read lengths and write lengths, which might allow guest OS users to execute arbitrary code on the host OS by triggering use of an invalid index.
CVE-2015-3215 WRITEUP HIGH
virtio-win - Denial of Service via Crafted IP Packet Length
The NetKVM Windows Virtio driver allows remote attackers to cause a denial of service (guest crash) via a crafted length value in an IP packet, as demonstrated by a value that does not account for the size of the IP options.
CVSS 7.5
CVE-2015-3290 WRITEUP
Linux kernel <4.1.6 - Privilege Escalation
arch/x86/entry/entry_64.S in the Linux kernel before 4.1.6 on the x86_64 platform improperly relies on espfix64 during nested NMI processing, which allows local users to gain privileges by triggering an NMI within a certain instruction window.
CVE-2015-3315 WRITEUP HIGH
ABRT raceabrt Privilege Escalation
Automatic Bug Reporting Tool (ABRT) allows local users to read, change the ownership of, or have other unspecified impact on arbitrary files via a symlink attack on (1) /var/tmp/abrt/*/maps, (2) /tmp/jvm-*/hs_error.log, (3) /proc/*/exe, (4) /etc/os-release in a chroot, or (5) an unspecified root directory related to librpm.
CVSS 7.8
CVE-2015-3636 WRITEUP
Linux kernel <4.0.3 - Use After Free
The ping_unhash function in net/ipv4/ping.c in the Linux kernel before 4.0.3 does not initialize a certain list data structure during an unhash operation, which allows local users to gain privileges or cause a denial of service (use-after-free and system crash) by leveraging the ability to make a SOCK_DGRAM socket system call for the IPPROTO_ICMP or IPPROTO_ICMPV6 protocol, and then making a connect system call after a disconnect.
CVE-2015-3649 WRITEUP HIGH
open-uri-cached RubyGem - Local Cache Directory Ruby Code Execution
The open-uri-cached rubygem allows local users to execute arbitrary Ruby code by creating a directory under /tmp containing "openuri-" followed by a crafted UID, and putting Ruby code in said directory once a meta file is created.
CVSS 7.8
CVE-2015-3887 WRITEUP HIGH
ProxyChains-NG <4.9 - Privilege Escalation
Untrusted search path vulnerability in ProxyChains-NG before 4.9 allows local users to gain privileges via a Trojan horse libproxychains4.so library in the current working directory, which is referenced in the LD_PRELOAD path.
CVSS 7.8
CVE-2015-3905 WRITEUP
t1utils <1.39 - Buffer Overflow
Buffer overflow in the set_cs_start function in t1disasm.c in t1utils before 1.39 allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via a crafted font file.
CVE-2015-4054 WRITEUP HIGH
pgbouncer < 1.5.4 - Denial of Service via Password Packet Before Startup Packet
PgBouncer before 1.5.5 allows remote attackers to cause a denial of service (NULL pointer dereference and crash) by sending a password packet before a startup packet.
CVSS 7.5
CVE-2015-4411 WRITEUP HIGH
mongodb/bson < 3.0.4 - Denial of Service via Crafted String in ObjectId.legal?
The Moped::BSON::ObjecId.legal? method in mongodb/bson-ruby before 3.0.4 as used in rubygem-moped allows remote attackers to cause a denial of service (worker resource consumption) via a crafted string. NOTE: This issue is due to an incomplete fix to CVE-2015-4410.
CVSS 7.5
CVE-2015-4425 WRITEUP
pimcore < build 3473 - Authenticated Path Traversal and Arbitrary File Write via Admin Asset Compatibility Endpoint
Directory traversal vulnerability in pimcore before build 3473 allows remote authenticated users with the "assets" permission to create or write to arbitrary files via a .. (dot dot) in the dir parameter to admin/asset/add-asset-compatibility.
CVE-2015-4590 WRITEUP
ArduinoJson < 4.4 - Denial of Service via Malformed JSON String
The extractFrom function in Internals/QuotedString.cpp in Arduino JSON before 4.5 allows remote attackers to cause a denial of service (crash) via a JSON string with a \ (backslash) followed by a terminator, as demonstrated by "\\\0", which triggers a buffer overflow and over-read.
CVE-2015-4628 WRITEUP
LimeSurvey < 2.06+ - Authenticated SQL Injection via sid Parameter
SQL injection vulnerability in application/controllers/admin/questiongroups.php in LimeSurvey before 2.06+ Build 150618 allows remote authenticated administrators to execute arbitrary SQL commands via the sid parameter.
CVE-2015-4706 WRITEUP MEDIUM
IPython 3.x < 3.2 - Cross-Site Scripting via JSON Error Messages
Cross-site scripting (XSS) vulnerability in IPython 3.x before 3.2 allows remote attackers to inject arbitrary web script or HTML via vectors involving JSON error messages and the /api/contents path.
CVSS 6.1
CVE-2015-4707 WRITEUP MEDIUM
IPython < 3.2.0 - Cross-Site Scripting via JSON Error Messages
Cross-site scripting (XSS) vulnerability in IPython before 3.2 allows remote attackers to inject arbitrary web script or HTML via vectors involving JSON error messages and the /api/notebooks path.
CVSS 6.1
CVE-2015-5059 WRITEUP MEDIUM
MantisBT < 1.2.19 - Authenticated Unauthorized File Download via Project Documentation Feature
The "Project Documentation" feature in MantisBT 1.2.19 and earlier, when the threshold to access files ($g_view_proj_doc_threshold) is set to ANYBODY, allows remote authenticated users to download attachments linked to arbitrary private projects via a file id number in the file_id parameter to file_download.php.
CVSS 5.3
CVE-2015-5074 WRITEUP
X2Engine X2CRM < 5.0.8 - Authenticated Arbitrary File Upload via .pht Extension
Incomplete blacklist vulnerability in the FileUploadsFilter class in protected/components/filters/FileUploadsFilter.php in X2Engine X2CRM before 5.0.9 allows remote authenticated users to execute arbitrary PHP code by uploading a file with a .pht extension.
CVE-2015-5195 WRITEUP HIGH
Fedora < 4.2.7 - Improper Input Validation
ntp_openssl.m4 in ntpd in NTP before 4.2.7p112 allows remote attackers to cause a denial of service (segmentation fault) via a crafted statistics or filegen configuration command that is not enabled during compilation.
CVSS 7.5
CVE-2015-5218 WRITEUP
util-linux < 2.27 - Denial of Service via Crafted File in colcrt
Buffer overflow in text-utils/colcrt.c in colcrt in util-linux before 2.27 allows local users to cause a denial of service (crash) via a crafted file, related to the page global variable.
CVE-2015-5232 WRITEUP HIGH
opa-fm <10.4.0.0.196, opa-ff <10.4.0.0.197 - Use After Free
Race conditions in opa-fm before 10.4.0.0.196 and opa-ff before 10.4.0.0.197.
CVSS 8.1
CVE-2015-5263 WRITEUP HIGH
pulp-consumer-client <2.7 - Info Disclosure
pulp-consumer-client 2.4.0 through 2.6.3 does not check the server's TLS certificate signatures when retrieving the server's public key upon registration.
CVSS 8.1