Writeup Exploits
62,769 exploits tracked across all sources.
CVE-2015-5287
WRITEUP
ABRT sosreport Privilege Escalation
The abrt-hook-ccpp help program in Automatic Bug Reporting Tool (ABRT) before 2.7.1 allows local users with certain permissions to gain privileges via a symlink attack on a file with a predictable name, as demonstrated by /var/tmp/abrt/abrt-hax-coredump or /var/spool/abrt/abrt-hax-coredump.
Elasticsearch < 1.6.1 - Remote Code Execution via Transport Protocol
Elasticsearch before 1.6.1 allows remote attackers to execute arbitrary code via unspecified vectors involving the transport protocol. NOTE: ZDI appears to claim that CVE-2015-3253 and CVE-2015-5377 are the same vulnerability
CVSS 9.8
Roundcube Webmail <1.0.6, <1.1.2 - Info Disclosure
program/steps/addressbook/photo.inc in Roundcube Webmail before 1.0.6 and 1.1.x before 1.1.2 allows remote authenticated users to read arbitrary files via the _alt parameter when uploading a vCard.
CVSS 6.5
IPython 2-3 - Cross-Site Request Forgery in REST API
Cross-site request forgery in the REST API in IPython 2 and 3.
CVSS 8.8
CVE-2015-5659
WRITEUP
Network Applied Communication Laboratory Pref Shimane CMS <2.0.1 - ...
SQL injection vulnerability in Network Applied Communication Laboratory Pref Shimane CMS 2.x before 2.0.1 allows remote authenticated users to execute arbitrary SQL commands via unspecified vectors.
CVE-2015-5707
WRITEUP
Linux Kernel 2.6.0-4.0 - Integer Overflow in sg_start_req via Large iov_count Value
Integer overflow in the sg_start_req function in drivers/scsi/sg.c in the Linux kernel 2.6.x through 4.x before 4.1 allows local users to cause a denial of service or possibly have unspecified other impact via a large iov_count value in a write request.
CVE-2015-6031
WRITEUP
MiniUPnPc <1.9.20150917 - Buffer Overflow
Buffer overflow in the IGDstartelt function in igd_desc_parse.c in the MiniUPnP client (aka MiniUPnPc) before 1.9.20150917 allows remote UPNP servers to cause a denial of service (application crash) and possibly execute arbitrary code via an "oversized" XML element name.
Ansible < 1.9.2 - Symlink Attack via Chroot, Jail, and Zone Connection Plugins
The chroot, jail, and zone connection plugins in ansible before 1.9.2 allow local users to escape a restricted environment via a symlink attack.
CVSS 7.8
CVE-2015-6545
WRITEUP
Cerb < 7.0.3 - Cross-Site Request Forgery via ajax.php saveWorkerPeek Action
Cross-site request forgery (CSRF) vulnerability in ajax.php in Cerb before 7.0.4 allows remote attackers to hijack the authentication of administrators for requests that add an administrator account via a saveWorkerPeek action.
Wolf CMS < 0.8.3.1 - Authenticated Arbitrary File Upload and PHP Code Execution via File Manager
Wolf CMS before 0.8.3.1 allows unrestricted file upload and PHP Code Execution because admin/plugin/file_manager/browse/ (aka the filemanager) does not validate the parameter "filename" properly. Exploitation requires a registered user who has access to upload functionality.
CVSS 8.8
Wolf CMS < 0.8.3.1 - Authenticated Arbitrary File Upload and PHP Code Execution via File Manager
Wolf CMS before 0.8.3.1 allows unrestricted file rename and PHP Code Execution because admin/plugin/file_manager/browse/ (aka the filemanager) does not prevent a change of a file extension to ".php" after originally using the parameter "filename" for uploading a JPEG image. Exploitation requires a registered user who has access to upload functionality.
CVSS 8.8
CVE-2015-6830
WRITEUP
phpMyAdmin 4.3.x-4.3.13.1 & 4.4.x-4.4.14.0 - Brute-Force Protection Bypass via reCaptcha
libraries/plugins/auth/AuthenticationCookie.class.php in phpMyAdmin 4.3.x before 4.3.13.2 and 4.4.x before 4.4.14.1 allows remote attackers to bypass a multiple-reCaptcha protection mechanism against brute-force credential guessing by providing a correct response to a single reCaptcha.
CVE-2015-6938
WRITEUP
Jupyter Notebook < 4.0.5 - Cross-Site Scripting via Folder Name
Cross-site scripting (XSS) vulnerability in the file browser in notebook/notebookapp.py in IPython Notebook before 3.2.2 and Jupyter Notebook 4.0.x before 4.0.5 allows remote attackers to inject arbitrary web script or HTML via a folder name. NOTE: this was originally reported as a cross-site request forgery (CSRF) vulnerability, but this may be inaccurate.
CVE-2015-7254
WRITEUP
Huawei HG532e, HG532n, and HG532s - Path Traversal via Icon URI
Directory traversal vulnerability on Huawei HG532e, HG532n, and HG532s devices allows remote attackers to read arbitrary files via a .. (dot dot) in an icon/ URI.
Milton Webdav < 2.7.0.1 - XML External Entity Injection
XML External Entity (XXE) vulnerability in Milton Webdav before 2.7.0.3.
CVSS 9.8
Git < 2.3.10, 2.4.x < 2.4.10, 2.5.x < 2.5.4, 2.6.x < 2.6.1 - Remote Code Execution via Remote Helper Protocols
The (1) git-remote-ext and (2) unspecified other remote helper programs in Git before 2.3.10, 2.4.x before 2.4.10, 2.5.x before 2.5.4, and 2.6.x before 2.6.1 do not properly restrict the allowed protocols, which might allow remote attackers to execute arbitrary code via a URL in a (a) .gitmodules file or (b) unknown other sources in a submodule.
CVSS 9.8
Linux Kernel < 4.4.1 - Denial of Service via USB Device Without Bulk-Out Endpoint
The clie_5_attach function in drivers/usb/serial/visor.c in the Linux kernel through 4.4.1 allows physically proximate attackers to cause a denial of service (NULL pointer dereference and system crash) or possibly have unspecified other impact by inserting a USB device that lacks a bulk-out endpoint.
CVSS 4.6
CVE-2015-7872
WRITEUP
Linux Kernel < 4.2.6 - Denial of Service via Keyctl Commands
The key_gc_unused_keys function in security/keys/gc.c in the Linux kernel through 4.2.6 allows local users to cause a denial of service (OOPS) via crafted keyctl commands.
lldpd < 0.8.0 - Denial of Service via Malformed Packet
lldpd before 0.8.0 allows remote attackers to cause a denial of service (assertion failure and daemon crash) via a malformed packet.
CVSS 7.5
KNX ETS 4.1.5 Build 3246 - Remote Code Execution via Crafted KNXnet/IP UDP Packet
Buffer overflow in the Group messages monitor (Falcon) in KNX ETS 4.1.5 (Build 3246) allows remote attackers to execute arbitrary code via a crafted KNXnet/IP UDP packet.
CVSS 9.8
Cherry Music <0.36.0 - Path Traversal
Directory traversal vulnerability in Cherry Music before 0.36.0 allows remote authenticated users to read arbitrary files via the "value" parameter to "download."
CVSS 4.3
Composer <2016-02-10 - Cache Poisoning
Composer before 2016-02-10 allows cache poisoning from other projects built on the same host. This results in attacker-controlled code entering a server-side build process. The issue occurs because of the way that dist packages are cached. The cache key is derived from the package name, the dist type, and certain other data from the package repository (which may simply be a commit hash, and thus can be found by an attacker). Versions through 1.0.0-alpha11 are affected, and 1.0.0 is unaffected.
CVSS 8.8
PHP 7.x < 7.0.1 - Remote Code Execution via Format String Specifiers in Class Name
Format string vulnerability in the zend_throw_or_error function in Zend/zend_execute_API.c in PHP 7.x before 7.0.1 allows remote attackers to execute arbitrary code via format string specifiers in a string that is misused as a class name, leading to incorrect error handling.
CVSS 9.8
libEBML < 1.3.3 - Use-After-Free via Deeply Nested EBML Element
Use-after-free vulnerability in the EbmlMaster::Read function in libEBML before 1.3.3 allows context-dependent attackers to have unspecified impact via a "deeply nested element with infinite size" followed by another element of an upper level in an EBML document.
CVSS 9.6
libmatroska < 1.4.4 - Heap Memory Information Disclosure via Crafted EBML Lacing
The KaxInternalBlock::ReadData function in libMatroska before 1.4.4 allows context-dependent attackers to obtain sensitive information from process heap memory via crafted EBML lacing, which triggers an invalid memory access.
CVSS 5.3
By Source