Writeup Exploits

62,769 exploits tracked across all sources.

CVE-2015-5287 WRITEUP
ABRT sosreport Privilege Escalation
The abrt-hook-ccpp helper program in Automatic Bug Reporting Tool (ABRT) before 2.7.1 allows local users with certain permissions to gain privileges via a symlink attack on a file with a predictable name, as demonstrated by /var/tmp/abrt/abrt-hax-coredump or /var/spool/abrt/abrt-hax-coredump.
CVE-2015-5377 WRITEUP CRITICAL
Elasticsearch < 1.6.1 - Remote Code Execution via Transport Protocol
Elasticsearch before 1.6.1 allows remote attackers to execute arbitrary code via unspecified vectors involving the transport protocol. NOTE: ZDI appears to claim that CVE-2015-3253 and CVE-2015-5377 are the same vulnerability.
CVSS 9.8
CVE-2015-5382 WRITEUP MEDIUM
Roundcube Webmail <1.0.6, <1.1.2 - Info Disclosure
program/steps/addressbook/photo.inc in Roundcube Webmail before 1.0.6 and 1.1.x before 1.1.2 allows remote authenticated users to read arbitrary files via the _alt parameter when uploading a vCard.
CVSS 6.5
CVE-2015-5607 WRITEUP HIGH
IPython 2-3 - Cross-Site Request Forgery in REST API
Cross-site request forgery in the REST API in IPython 2 and 3.
CVSS 8.8
CVE-2015-5659 WRITEUP
Network Applied Communication Laboratory Pref Shimane CMS <2.0.1 - ...
SQL injection vulnerability in Network Applied Communication Laboratory Pref Shimane CMS 2.x before 2.0.1 allows remote authenticated users to execute arbitrary SQL commands via unspecified vectors.
CVE-2015-5707 WRITEUP
Linux Kernel 2.6.0-4.0 - Integer Overflow in sg_start_req via Large iov_count Value
Integer overflow in the sg_start_req function in drivers/scsi/sg.c in the Linux kernel 2.6.x through 4.x before 4.1 allows local users to cause a denial of service or possibly have unspecified other impact via a large iov_count value in a write request.
CVE-2015-6031 WRITEUP
MiniUPnPc <1.9.20150917 - Buffer Overflow
Buffer overflow in the IGDstartelt function in igd_desc_parse.c in the MiniUPnP client (aka MiniUPnPc) before 1.9.20150917 allows remote UPNP servers to cause a denial of service (application crash) and possibly execute arbitrary code via an "oversized" XML element name.
CVE-2015-6240 WRITEUP HIGH
Ansible < 1.9.2 - Symlink Attack via Chroot, Jail, and Zone Connection Plugins
The chroot, jail, and zone connection plugins in ansible before 1.9.2 allow local users to escape a restricted environment via a symlink attack.
CVSS 7.8
CVE-2015-6545 WRITEUP
Cerb < 7.0.3 - Cross-Site Request Forgery via ajax.php saveWorkerPeek Action
Cross-site request forgery (CSRF) vulnerability in ajax.php in Cerb before 7.0.4 allows remote attackers to hijack the authentication of administrators for requests that add an administrator account via a saveWorkerPeek action.
CVE-2015-6567 WRITEUP HIGH
Wolf CMS < 0.8.3.1 - Authenticated Arbitrary File Upload and PHP Code Execution via File Manager
Wolf CMS before 0.8.3.1 allows unrestricted file upload and PHP Code Execution because admin/plugin/file_manager/browse/ (aka the filemanager) does not validate the parameter "filename" properly. Exploitation requires a registered user who has access to upload functionality.
CVSS 8.8
CVE-2015-6568 WRITEUP HIGH
Wolf CMS < 0.8.3.1 - Authenticated Arbitrary File Upload and PHP Code Execution via File Manager
Wolf CMS before 0.8.3.1 allows unrestricted file rename and PHP Code Execution because admin/plugin/file_manager/browse/ (aka the filemanager) does not prevent a change of a file extension to ".php" after originally using the parameter "filename" for uploading a JPEG image. Exploitation requires a registered user who has access to upload functionality.
CVSS 8.8
CVE-2015-6830 WRITEUP
phpMyAdmin 4.3.x-4.3.13.1 & 4.4.x-4.4.14.0 - Brute-Force Protection Bypass via reCaptcha
libraries/plugins/auth/AuthenticationCookie.class.php in phpMyAdmin 4.3.x before 4.3.13.2 and 4.4.x before 4.4.14.1 allows remote attackers to bypass a multiple-reCaptcha protection mechanism against brute-force credential guessing by providing a correct response to a single reCaptcha.
CVE-2015-6938 WRITEUP
Jupyter Notebook < 4.0.5 - Cross-Site Scripting via Folder Name
Cross-site scripting (XSS) vulnerability in the file browser in notebook/notebookapp.py in IPython Notebook before 3.2.2 and Jupyter Notebook 4.0.x before 4.0.5 allows remote attackers to inject arbitrary web script or HTML via a folder name. NOTE: this was originally reported as a cross-site request forgery (CSRF) vulnerability, but this may be inaccurate.
CVE-2015-7254 WRITEUP
Huawei HG532e, HG532n, and HG532s - Path Traversal via Icon URI
Directory traversal vulnerability on Huawei HG532e, HG532n, and HG532s devices allows remote attackers to read arbitrary files via a .. (dot dot) in an icon/ URI.
CVE-2015-7326 WRITEUP CRITICAL
Milton Webdav < 2.7.0.1 - XML External Entity Injection
XML External Entity (XXE) vulnerability in Milton Webdav before 2.7.0.3.
CVSS 9.8
CVE-2015-7545 WRITEUP CRITICAL
Git < 2.3.10, 2.4.x < 2.4.10, 2.5.x < 2.5.4, 2.6.x < 2.6.1 - Remote Code Execution via Remote Helper Protocols
The (1) git-remote-ext and (2) unspecified other remote helper programs in Git before 2.3.10, 2.4.x before 2.4.10, 2.5.x before 2.5.4, and 2.6.x before 2.6.1 do not properly restrict the allowed protocols, which might allow remote attackers to execute arbitrary code via a URL in a (a) .gitmodules file or (b) unknown other sources in a submodule.
CVSS 9.8
CVE-2015-7566 WRITEUP MEDIUM
Linux Kernel < 4.4.1 - Denial of Service via USB Device Without Bulk-Out Endpoint
The clie_5_attach function in drivers/usb/serial/visor.c in the Linux kernel through 4.4.1 allows physically proximate attackers to cause a denial of service (NULL pointer dereference and system crash) or possibly have unspecified other impact by inserting a USB device that lacks a bulk-out endpoint.
CVSS 4.6
CVE-2015-7872 WRITEUP
Linux Kernel < 4.2.6 - Denial of Service via Keyctl Commands
The key_gc_unused_keys function in security/keys/gc.c in the Linux kernel through 4.2.6 allows local users to cause a denial of service (OOPS) via crafted keyctl commands.
CVE-2015-8012 WRITEUP HIGH
lldpd < 0.8.0 - Denial of Service via Malformed Packet
lldpd before 0.8.0 allows remote attackers to cause a denial of service (assertion failure and daemon crash) via a malformed packet.
CVSS 7.5
CVE-2015-8299 WRITEUP CRITICAL
KNX ETS 4.1.5 Build 3246 - Remote Code Execution via Crafted KNXnet/IP UDP Packet
Buffer overflow in the Group messages monitor (Falcon) in KNX ETS 4.1.5 (Build 3246) allows remote attackers to execute arbitrary code via a crafted KNXnet/IP UDP packet.
CVSS 9.8
CVE-2015-8309 WRITEUP MEDIUM
Cherry Music <0.36.0 - Path Traversal
Directory traversal vulnerability in Cherry Music before 0.36.0 allows remote authenticated users to read arbitrary files via the "value" parameter to "download".
CVSS 4.3
CVE-2015-8371 WRITEUP HIGH
Composer <2016-02-10 - Cache Poisoning
Composer before 2016-02-10 allows cache poisoning from other projects built on the same host. This results in attacker-controlled code entering a server-side build process. The issue occurs because of the way that dist packages are cached. The cache key is derived from the package name, the dist type, and certain other data from the package repository (which may simply be a commit hash, and thus can be found by an attacker). Versions through 1.0.0-alpha11 are affected, and 1.0.0 is unaffected.
CVSS 8.8
CVE-2015-8617 WRITEUP CRITICAL
PHP 7.x < 7.0.1 - Remote Code Execution via Format String Specifiers in Class Name
Format string vulnerability in the zend_throw_or_error function in Zend/zend_execute_API.c in PHP 7.x before 7.0.1 allows remote attackers to execute arbitrary code via format string specifiers in a string that is misused as a class name, leading to incorrect error handling.
CVSS 9.8
CVE-2015-8789 WRITEUP CRITICAL
libEBML < 1.3.3 - Use-After-Free via Deeply Nested EBML Element
Use-after-free vulnerability in the EbmlMaster::Read function in libEBML before 1.3.3 allows context-dependent attackers to have unspecified impact via a "deeply nested element with infinite size" followed by another element of an upper level in an EBML document.
CVSS 9.6
CVE-2015-8792 WRITEUP MEDIUM
libmatroska < 1.4.4 - Heap Memory Information Disclosure via Crafted EBML Lacing
The KaxInternalBlock::ReadData function in libMatroska before 1.4.4 allows context-dependent attackers to obtain sensitive information from process heap memory via crafted EBML lacing, which triggers an invalid memory access.
CVSS 5.3