Writeup Exploits
62,769 exploits tracked across all sources.
Automatic Bug Reporting Tool - Privilege Escalation via Environment Variable Handling
The abrt-action-install-debuginfo-to-abrt-cache help program in Automatic Bug Reporting Tool (ABRT) does not properly handle the process environment before invoking abrt-action-install-debuginfo, which allows local users to gain privileges.
CVSS 7.8
Apache HTTP Server 2.4.x < 2.4.14, 2.2.x < 2.2.31 - HTTP Request Smuggling via Chunked Transfer Coding
The chunked transfer coding implementation in the Apache HTTP Server before 2.4.14 (and 2.2.x before 2.2.31) does not properly parse chunk headers, which allows remote attackers to conduct HTTP request smuggling attacks via a crafted request, related to mishandling of large chunk-size values and invalid chunk-extension characters in modules/http/http_filters.c.
CVE-2015-3183
WRITEUP
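Added example, not code from this page or from httpd: a strict chunk-size line parser of the kind the fix for this bug introduced, beside a lax strtoull-based parse, to show how leading whitespace, a sign, a 0x prefix, overflow and unchecked chunk-extension bytes let two parsers in the request chain disagree about where a chunk ends. Function names, the 16-hex-digit limit and the sample lines are this example's own choices, not httpd's.

```c
#include <ctype.h>
#include <limits.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Strict parser for one chunk-size line: 1*HEXDIG [";" chunk-ext] CRLF.
 * Returns 0 and stores the size, or -1 on any deviation: no hex digit,
 * more than 16 hex digits (anything that could wrap a 64-bit size),
 * leading whitespace or sign, a byte outside printable ASCII in the
 * extension, or a missing CRLF. Every byte of the line is accounted for. */
int parse_chunk_size(const char *line, size_t len, uint64_t *size)
{
    size_t i = 0;
    uint64_t val = 0;
    int digits = 0;

    while (i < len && isxdigit((unsigned char)line[i])) {
        if (++digits > 16)
            return -1;                      /* would not fit a 64-bit size */
        unsigned char c = (unsigned char)line[i++];
        unsigned d = isdigit(c) ? (unsigned)(c - '0')
                                : (unsigned)(tolower(c) - 'a' + 10);
        val = (val << 4) | d;
    }
    if (digits == 0)
        return -1;                          /* empty size, " 5", "+5", "0x10" */

    if (i < len && line[i] == ';') {        /* chunk extensions, if any */
        for (; i < len && line[i] != '\r'; i++) {
            unsigned char c = (unsigned char)line[i];
            if (c < 0x20 || c > 0x7e)       /* CTLs and non-ASCII are not allowed */
                return -1;
        }
    }
    if (i + 2 != len || line[i] != '\r' || line[i + 1] != '\n')
        return -1;                          /* trailing junk or bare LF */
    *size = val;
    return 0;
}

/* The lax shape that causes trouble: a C-library conversion skips leading
 * whitespace, accepts a sign and a 0x prefix, saturates on overflow and
 * ignores whatever follows. A front end parsing this way and a back end
 * parsing strictly (or the other way round) place the chunk boundary at
 * different offsets, which is the request smuggling primitive. */
unsigned long long parse_chunk_size_lax(const char *line)
{
    return strtoull(line, NULL, 16);
}

/* Helpers for NUL-terminated sample lines. */
int chunk_size_is(const char *line, uint64_t expect)
{
    uint64_t v;
    return parse_chunk_size(line, strlen(line), &v) == 0 && v == expect;
}

int chunk_size_rejected(const char *line)
{
    uint64_t v;
    return parse_chunk_size(line, strlen(line), &v) == -1;
}

int main(void)
{
    /* Constructed sample lines, not taken from any real capture. */
    const char *samples[] = { "5\r\n", "1f;ext=1\r\n", " +5zz\r\n", "0x10\r\n",
                              "10000000000000000\r\n", "5;a\x01\r\n" };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        uint64_t v = 0;
        int ok = parse_chunk_size(samples[i], strlen(samples[i]), &v);
        printf("strict=%s (%llu)  lax=%llu\n", ok == 0 ? "ok" : "reject",
               (unsigned long long)v, parse_chunk_size_lax(samples[i]));
    }
    return 0;
}
```

The check worth copying is the last one: the strict parser only succeeds when the CRLF is exactly the final two bytes, so nothing between the size and the line end can be silently ignored by one hop and honoured by the next.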
Apache HTTP Server 2.4.x < 2.4.14 - Auth Bypass
The ap_some_auth_required function in server/request.c in the Apache HTTP Server 2.4.x before 2.4.14 does not consider that a Require directive may be associated with an authorization setting rather than an authentication setting, which allows remote attackers to bypass intended access restrictions in opportunistic circumstances by leveraging the presence of a module that relies on the 2.2 API behavior.
CVE-2015-3185
WRITEUP
FUSE <2.9.3-15 - Local Privilege Escalation
fusermount in FUSE before 2.9.3-15 does not properly clear the environment before invoking (1) mount or (2) umount as root, which allows local users to write to arbitrary files via a crafted LIBMOUNT_MTAB environment variable that is used by mount's debugging feature.
CVE-2015-3202
WRITEUP
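This entry and the ABRT abrt-action-install-debuginfo-to-abrt-cache entry above are the same failure: a privileged wrapper inherits the caller's environment and passes it on to a program that honours variables such as LIBMOUNT_MTAB or LD_PRELOAD. Added example, not code from fusermount or ABRT: build a fresh environment from a short allowlist with a fixed PATH and hand only that to execve(). The function names, the allowlist, the PATH value and the hostile sample environment are this example's own assumptions.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* PATH is always set to a fixed value; it is never taken from the caller. */
#define SAFE_PATH "PATH=/usr/sbin:/usr/bin:/sbin:/bin"

/* Variables allowed through by prefix ("NAME="). Everything else, including
 * LD_PRELOAD, LD_LIBRARY_PATH, LIBMOUNT_MTAB, LIBMOUNT_DEBUG and MALLOC_*,
 * is dropped. */
static const char *const allowed[] = { "LANG=", "LC_ALL=", "TZ=", NULL };

/* Fill out[] with SAFE_PATH plus the allowlisted entries of in[], NULL
 * terminated. Returns the number of entries written, or -1 if out is too small. */
int build_safe_env(char *const *in, const char **out, size_t outsz)
{
    size_t n = 0;
    if (outsz < 2) return -1;
    out[n++] = SAFE_PATH;
    for (; *in; in++) {
        for (const char *const *a = allowed; *a; a++) {
            if (strncmp(*in, *a, strlen(*a)) == 0) {
                if (n + 1 >= outsz) return -1;
                out[n++] = *in;
                break;
            }
        }
    }
    out[n] = NULL;
    return (int)n;
}

/* 1 if the (sanitized) environment still carries a variable called name. */
int env_has(const char **env, const char *name)
{
    size_t l = strlen(name);
    for (; *env; env++)
        if (strncmp(*env, name, l) == 0 && (*env)[l] == '=')
            return 1;
    return 0;
}

/* Exec the privileged helper with the sanitized environment. Only returns on
 * failure. Not exercised by the tests because it replaces the process. */
int run_helper_clean(const char *path, char *const argv[], char *const *caller_env)
{
    const char *envp[16];
    if (build_safe_env(caller_env, envp, 16) < 0) return -1;
    execve(path, argv, (char *const *)envp);
    return -1;
}

int main(void)
{
    /* Constructed attacker-controlled environment for the demo. */
    char *const hostile[] = {
        "PATH=/tmp/evil:/usr/bin",
        "LIBMOUNT_MTAB=/etc/passwd",
        "LD_PRELOAD=./libproxychains4.so",
        "LANG=en_US.UTF-8",
        NULL
    };
    const char *clean[16];
    int n = build_safe_env(hostile, clean, 16);
    for (int i = 0; i < n; i++) puts(clean[i]);
    return 0;
}
```

An allowlist is the right direction here: a denylist of known-dangerous names (LD_*, LIBMOUNT_*) has to be updated every time a library grows a new environment knob, while an allowlist fails closed.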
Linux kernel <2.6.33 & QEMU <2.3.1 - Out-of-Bounds Memory Access
The pit_ioport_read in i8254.c in the Linux kernel before 2.6.33 and QEMU before 2.3.1 does not distinguish between read lengths and write lengths, which might allow guest OS users to execute arbitrary code on the host OS by triggering use of an invalid index.
CVE-2015-3214
WRITEUP
virtio-win - Denial of Service via Crafted IP Packet Length
The NetKVM Windows Virtio driver allows remote attackers to cause a denial of service (guest crash) via a crafted length value in an IP packet, as demonstrated by a value that does not account for the size of the IP options.
CVSS 7.5
Linux kernel <4.1.6 - Privilege Escalation
arch/x86/entry/entry_64.S in the Linux kernel before 4.1.6 on the x86_64 platform improperly relies on espfix64 during nested NMI processing, which allows local users to gain privileges by triggering an NMI within a certain instruction window.
CVE-2015-3290
WRITEUP
ABRT raceabrt Privilege Escalation
Automatic Bug Reporting Tool (ABRT) allows local users to read, change the ownership of, or have other unspecified impact on arbitrary files via a symlink attack on (1) /var/tmp/abrt/*/maps, (2) /tmp/jvm-*/hs_error.log, (3) /proc/*/exe, (4) /etc/os-release in a chroot, or (5) an unspecified root directory related to librpm.
CVSS 7.8
Linux kernel <4.0.3 - Use After Free
The ping_unhash function in net/ipv4/ping.c in the Linux kernel before 4.0.3 does not initialize a certain list data structure during an unhash operation, which allows local users to gain privileges or cause a denial of service (use-after-free and system crash) by leveraging the ability to make a SOCK_DGRAM socket system call for the IPPROTO_ICMP or IPPROTO_ICMPV6 protocol, and then making a connect system call after a disconnect.
CVE-2015-3636
WRITEUP
open-uri-cached RubyGem - Local Cache Directory Ruby Code Execution
The open-uri-cached rubygem allows local users to execute arbitrary Ruby code by creating a directory under /tmp containing "openuri-" followed by a crafted UID, and putting Ruby code in said directory once a meta file is created.
CVSS 7.8
ProxyChains-NG <4.9 - Privilege Escalation
Untrusted search path vulnerability in ProxyChains-NG before 4.9 allows local users to gain privileges via a Trojan horse libproxychains4.so library in the current working directory, which is referenced in the LD_PRELOAD path.
CVSS 7.8
t1utils <1.39 - Buffer Overflow
Buffer overflow in the set_cs_start function in t1disasm.c in t1utils before 1.39 allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via a crafted font file.
CVE-2015-3905
WRITEUP
PgBouncer < 1.5.5 - Denial of Service via Password Packet Before Startup Packet
PgBouncer before 1.5.5 allows remote attackers to cause a denial of service (NULL pointer dereference and crash) by sending a password packet before a startup packet.
CVSS 7.5
mongodb/bson-ruby < 3.0.4 - Denial of Service via Crafted String in ObjectId.legal?
The Moped::BSON::ObjectId.legal? method in mongodb/bson-ruby before 3.0.4 as used in rubygem-moped allows remote attackers to cause a denial of service (worker resource consumption) via a crafted string. NOTE: This issue is due to an incomplete fix for CVE-2015-4410.
CVSS 7.5
pimcore < build 3473 - Authenticated Path Traversal and Arbitrary File Write via Admin Asset Compatibility Endpoint
Directory traversal vulnerability in pimcore before build 3473 allows remote authenticated users with the "assets" permission to create or write to arbitrary files via a .. (dot dot) in the dir parameter to admin/asset/add-asset-compatibility.
CVE-2015-4425
WRITEUP
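Added example, a C implementation of the missing check rather than pimcore's own PHP code: a lexical join that refuses any dir value which would climb above the asset root, handling "." segments, "..", backslash separators and absolute paths. The function name, the base directory /srv/assets and the sample dir values are assumptions made for the example.

```c
#include <stdio.h>
#include <string.h>

/* Lexically join a caller-supplied relative path onto base, refusing anything
 * that escapes base: an absolute path, or more ".." than preceding segments.
 * Both '/' and '\\' are treated as separators. No filesystem access, so symlinks
 * inside base are a separate check (realpath() on the result, then compare
 * prefixes). Percent-decode the input before calling this. Returns 0 and
 * writes the joined path to out, or -1. */
int safe_join(const char *base, const char *user, char *out, size_t outsz)
{
    char tmp[1024];
    const char *segs[64];
    size_t nseg = 0;

    if (user[0] == '/' || user[0] == '\\') return -1;    /* absolute path */
    if (strlen(user) >= sizeof tmp) return -1;
    strcpy(tmp, user);

    for (char *tok = strtok(tmp, "/\\"); tok; tok = strtok(NULL, "/\\")) {
        if (strcmp(tok, ".") == 0) continue;
        if (strcmp(tok, "..") == 0) {
            if (nseg == 0) return -1;    /* would climb above base */
            nseg--;
            continue;
        }
        if (nseg == sizeof segs / sizeof segs[0]) return -1;
        segs[nseg++] = tok;
    }

    size_t used = strlen(base);
    if (used >= outsz) return -1;
    memcpy(out, base, used);
    for (size_t i = 0; i < nseg; i++) {
        size_t l = strlen(segs[i]);
        if (used + 1 + l >= outsz) return -1;
        out[used++] = '/';
        memcpy(out + used, segs[i], l);
        used += l;
    }
    out[used] = '\0';
    return 0;
}

int main(void)
{
    /* Constructed inputs standing in for a "dir" request parameter. */
    const char *dirs[] = { "foo/./bar/../baz", "../etc/passwd", "foo/../../x",
                           "/etc/passwd", "a\\..\\..\\x" };
    char out[256];
    for (size_t i = 0; i < sizeof dirs / sizeof dirs[0]; i++)
        printf("%-20s -> %s\n", dirs[i],
               safe_join("/srv/assets", dirs[i], out, sizeof out) == 0 ? out : "REJECTED");
    return 0;
}
```

Rejecting, rather than stripping, ".." is deliberate: a filter that removes "../" once turns "....//" into "../" and is bypassed, whereas a segment walk that refuses to pop past the root has no such second pass.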
ArduinoJson < 4.5 - Denial of Service via Malformed JSON String
The extractFrom function in Internals/QuotedString.cpp in Arduino JSON before 4.5 allows remote attackers to cause a denial of service (crash) via a JSON string with a \ (backslash) followed by a terminator, as demonstrated by "\\\0", which triggers a buffer overflow and over-read.
CVE-2015-4590
WRITEUP
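Added example, not ArduinoJson's code: a quoted-string unescaper in the vulnerable shape (the NUL terminator is checked at the top of the loop but not after a backslash) beside a strict one that treats a backslash immediately before the terminator as a malformed string. The sample buffer is constructed so that the lax over-read stays inside the array for the demo; function names and the escape set are this example's own.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Copies the body of a double-quoted JSON string into out, translating the
 * escapes \" \\ \/ \b \f \n \r \t. Returns the length written, or -1 if the
 * string is unterminated, uses an unknown escape, does not fit in out, or has
 * a backslash immediately followed by the NUL terminator. */
int unquote_strict(const char *in, char *out, size_t outsz)
{
    if (*in++ != '"') return -1;
    size_t n = 0;
    for (;;) {
        char c = *in++;
        if (c == '\0') return -1;         /* input ended before the closing quote */
        if (c == '"') break;
        if (c == '\\') {
            c = *in++;
            if (c == '\0') return -1;     /* backslash then terminator: stop here */
            switch (c) {
            case 'n': c = '\n'; break;
            case 't': c = '\t'; break;
            case 'r': c = '\r'; break;
            case 'b': c = '\b'; break;
            case 'f': c = '\f'; break;
            case '"': case '\\': case '/': break;
            default: return -1;           /* unknown escape */
            }
        }
        if (n + 1 >= outsz) return -1;    /* leave room for the terminator */
        out[n++] = c;
    }
    out[n] = '\0';
    return (int)n;
}

/* Vulnerable shape, escape translation omitted: the terminator is checked at
 * the top of the loop but not after a backslash, so "\" right before the NUL
 * consumes the NUL as if it were an escaped character and the scan continues
 * into whatever follows in memory, copying it to out. Kept for contrast only;
 * never use on untrusted input. */
int unquote_lax(const char *in, char *out)
{
    if (*in++ != '"') return -1;
    size_t n = 0;
    for (; *in != '\0' && *in != '"'; in++) {
        if (*in == '\\') in++;            /* no '\0' check here */
        out[n++] = *in;                   /* no output bound either */
    }
    out[n] = '\0';
    return (int)n;
}

/* Constructed sample: a string cut off right after a backslash. The bytes after
 * the terminator are part of this array so the over-read stays in bounds for
 * the demo; in the real bug they are whatever happens to follow the buffer. */
char sample_truncated[] = { '"', 'x', '\\', '\0', '"', '\0' };

int main(void)
{
    char buf[16];
    printf("strict: %d\n", unquote_strict(sample_truncated, buf, sizeof buf)); /* -1 */
    printf("lax:    %d\n", unquote_lax(sample_truncated, buf));                /* 2: read past the NUL */
    return 0;
}
```

The strict version also bounds the output, which is the other half of the original report: once the scan runs past the terminator, the write index keeps growing with it.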
LimeSurvey < 2.06+ Build 150618 - Authenticated SQL Injection via sid Parameter
SQL injection vulnerability in application/controllers/admin/questiongroups.php in LimeSurvey before 2.06+ Build 150618 allows remote authenticated administrators to execute arbitrary SQL commands via the sid parameter.
CVE-2015-4628
WRITEUP
IPython 3.x < 3.2 - Cross-Site Scripting via JSON Error Messages
Cross-site scripting (XSS) vulnerability in IPython 3.x before 3.2 allows remote attackers to inject arbitrary web script or HTML via vectors involving JSON error messages and the /api/contents path.
CVSS 6.1
IPython < 3.2.0 - Cross-Site Scripting via JSON Error Messages
Cross-site scripting (XSS) vulnerability in IPython before 3.2 allows remote attackers to inject arbitrary web script or HTML via vectors involving JSON error messages and the /api/notebooks path.
CVSS 6.1
MantisBT <= 1.2.19 - Authenticated Download of Private Project Attachments via Project Documentation Feature
The "Project Documentation" feature in MantisBT 1.2.19 and earlier, when the threshold to access files ($g_view_proj_doc_threshold) is set to ANYBODY, allows remote authenticated users to download attachments linked to arbitrary private projects via a file id number in the file_id parameter to file_download.php.
CVSS 5.3
X2Engine X2CRM < 5.0.9 - Authenticated Arbitrary File Upload via .pht Extension
Incomplete blacklist vulnerability in the FileUploadsFilter class in protected/components/filters/FileUploadsFilter.php in X2Engine X2CRM before 5.0.9 allows remote authenticated users to execute arbitrary PHP code by uploading a file with a .pht extension.
CVE-2015-5074
WRITEUP
NTP < 4.2.7p112 - Denial of Service via Crafted Configuration Command
ntp_openssl.m4 in ntpd in NTP before 4.2.7p112 allows remote attackers to cause a denial of service (segmentation fault) via a crafted statistics or filegen configuration command that is not enabled during compilation.
CVSS 7.5
util-linux < 2.27 - Denial of Service via Crafted File in colcrt
Buffer overflow in text-utils/colcrt.c in colcrt in util-linux before 2.27 allows local users to cause a denial of service (crash) via a crafted file, related to the page global variable.
CVE-2015-5218
WRITEUP
opa-fm <10.4.0.0.196, opa-ff <10.4.0.0.197 - Race Condition
Race conditions in opa-fm before 10.4.0.0.196 and opa-ff before 10.4.0.0.197.
CVSS 8.1
pulp-consumer-client 2.4.0-2.6.3 - Missing TLS Certificate Verification on Registration
pulp-consumer-client 2.4.0 through 2.6.3 does not check the server's TLS certificate signature when retrieving the server's public key upon registration, so a network attacker in the path can substitute their own key.
CVSS 8.1