Writeup Exploits

62,786 exploits tracked across all sources.

CVE-2015-9323 WRITEUP CRITICAL
404_to_301 < 2.0.3 - SQL Injection
The 404-to-301 plugin before 2.0.3 for WordPress has SQL injection.
CVSS 9.8
CVE-2015-9499 WRITEUP CRITICAL
Showbiz Pro < 1.7.1 - Unauthenticated PHP File Upload via ZIP Archive
The Showbiz Pro plugin through 1.7.1 for WordPress has PHP code execution by uploading a .php file within a ZIP archive.
CVSS 9.8
CVE-2016-0721 WRITEUP HIGH
pcs < 0.9.157 - Session Fixation
Session fixation vulnerability in pcsd in pcs before 0.9.157.
CVSS 8.1
CVE-2016-0728 WRITEUP HIGH
Linux kernel < 4.4.1 - Privilege Escalation/DoS
The join_session_keyring function in security/keys/process_keys.c in the Linux kernel before 4.4.1 mishandles object references in a certain error case, which allows local users to gain privileges or cause a denial of service (integer overflow and use-after-free) via crafted keyctl commands.
CVSS 7.8
CVE-2016-0740 WRITEUP MEDIUM
Pillow < 3.1.1 - Buffer Overflow in TIFF Image Decoding
Buffer overflow in the ImagingLibTiffDecode function in libImaging/TiffDecode.c in Pillow before 3.1.1 allows remote attackers to overwrite memory via a crafted TIFF file.
CVSS 6.5
CVE-2016-0775 WRITEUP MEDIUM
Pillow < 3.1.1 - Buffer Overflow in FLI File Decoder
Buffer overflow in the ImagingFliDecode function in libImaging/FliDecode.c in Pillow before 3.1.1 allows remote attackers to cause a denial of service (crash) via a crafted FLI file.
CVSS 6.5
CVE-2016-1000003 WRITEUP CRITICAL
mirror_manager < 0.7.2 - Remote Code Execution in Checkin Code
Mirror Manager version 0.7.2 and older is vulnerable to remote code execution in the checkin code.
CVSS 9.8
CVE-2016-1000232 WRITEUP MEDIUM
tough-cookie < 2.3.0 - Denial of Service via HTTP Cookie Header Parsing
NodeJS Tough-Cookie version 2.2.2 contains a regular expression parsing vulnerability in HTTP request Cookie header parsing that can result in denial of service. This attack appears to be exploitable via a custom HTTP header passed by the client. This vulnerability appears to have been fixed in 2.3.0.
CVSS 5.3
CVE-2016-1000339 WRITEUP MEDIUM
Bouncy Castle JCE Provider < 1.55 - Info Disclosure
In the Bouncy Castle JCE Provider version 1.55 and earlier, the primary engine class used for AES was AESFastEngine. Due to the highly table-driven approach used in the algorithm, it turns out that if the data channel on the CPU can be monitored, the lookup table accesses are sufficient to leak information on the AES key being used. There was also a leak in AESEngine, although it was substantially smaller. AESEngine has been modified to remove any signs of leakage (testing carried out on Intel x86-64) and is now the primary AES class for the BC JCE provider from 1.56. Use of AESFastEngine is now only recommended where otherwise deemed appropriate.
CVSS 5.3
CVE-2016-10009 WRITEUP HIGH
OpenSSH < 7.3 - Remote Code Execution via Forwarded SSH-Agent PKCS#11 Module Loading
Untrusted search path vulnerability in ssh-agent.c in ssh-agent in OpenSSH before 7.4 allows remote attackers to execute arbitrary local PKCS#11 modules by leveraging control over a forwarded agent-socket.
CVSS 7.3
CVE-2016-10010 WRITEUP HIGH
OpenSSH < 7.4 - Privilege Escalation
sshd in OpenSSH before 7.4, when privilege separation is not used, creates forwarded Unix-domain sockets as root, which might allow local users to gain privileges via unspecified vectors, related to serverloop.c.
CVSS 7.0
CVE-2016-10027 WRITEUP MEDIUM
Smack < 4.1.9 - Privilege Escalation
Race condition in the XMPP library in Smack before 4.1.9, when the SecurityMode.required TLS setting has been set, allows man-in-the-middle attackers to bypass TLS protections and trigger use of cleartext for client authentication by stripping the "starttls" feature from a server response.
CVSS 5.9
CVE-2016-10074 WRITEUP CRITICAL
SwiftMailer < 5.4.5 - Remote Code Execution via Mail Command Parameter Injection
The mail transport (aka Swift_Transport_MailTransport) in Swift Mailer before 5.4.5 might allow remote attackers to pass extra parameters to the mail command and consequently execute arbitrary code via a \" (backslash double quote) in a crafted e-mail address in the (1) From, (2) ReturnPath, or (3) Sender header.
CVSS 9.8
CVE-2016-10105 WRITEUP CRITICAL
Piwigo < 2.8.3 - Unauthenticated Exposure of Sensitive Information via admin/plugin.php
admin/plugin.php in Piwigo through 2.8.3 doesn't validate the sections variable while using it to include files. This can cause information disclosure and code execution if it contains a .. sequence.
CVSS 9.8
CVE-2016-10114 WRITEUP CRITICAL
aWeb Cart Watching System < 2.6.1 - SQL Injection
SQL injection vulnerability in the "aWeb Cart Watching System for Virtuemart" extension before 2.6.1 for Joomla! allows remote attackers to execute arbitrary SQL commands via vectors involving categorysearch and smartSearch.
CVSS 9.8
CVE-2016-10128 WRITEUP CRITICAL
libgit2 < 0.24.6 and 0.25.x < 0.25.1 - Buffer Overflow
Buffer overflow in the git_pkt_parse_line function in transports/smart_pkt.c in the Git Smart Protocol support in libgit2 before 0.24.6 and 0.25.x before 0.25.1 allows remote attackers to have unspecified impact via a crafted non-flush packet.
CVSS 9.8
CVE-2016-10129 WRITEUP HIGH
libgit2 < 0.24.6 and 0.25.x < 0.25.1 - Denial of Service via Empty Packet Line
The Git Smart Protocol support in libgit2 before 0.24.6 and 0.25.x before 0.25.1 allows remote attackers to cause a denial of service (NULL pointer dereference) via an empty packet line.
CVSS 7.5
CVE-2016-10130 WRITEUP MEDIUM
libgit2 < 0.24.6 and 0.25.x < 0.25.1 - Info Disclosure
The http_connect function in transports/http.c in libgit2 before 0.24.6 and 0.25.x before 0.25.1 might allow man-in-the-middle attackers to spoof servers by leveraging clobbering of the error variable.
CVSS 5.9
CVE-2016-10140 WRITEUP HIGH
Apache HTTP Server configuration in ZoneMinder v1.29 and v1.30 - Info Disclosure
An information disclosure and authentication bypass vulnerability exists in the Apache HTTP Server configuration bundled with ZoneMinder v1.30 and v1.29, which allows a remote unauthenticated attacker to browse all directories in the web root; for example, a remote unauthenticated attacker can view all CCTV images on the server via the /events URI.
CVSS 7.5
CVE-2016-10156 WRITEUP HIGH
systemd < v229 - Privilege Escalation
A flaw in systemd v228 in /src/basic/fs-util.c caused world writable suid files to be created when using the systemd timers features, allowing local attackers to escalate their privileges to root. This is fixed in v229.
CVSS 7.8
CVE-2016-10195 WRITEUP CRITICAL
libevent < 2.1.6-beta - Out-of-bounds Read in evdns.c name_parse Function
The name_parse function in evdns.c in libevent before 2.1.6-beta allows remote attackers to have unspecified impact via vectors involving the label_len variable, which triggers an out-of-bounds stack read.
CVSS 9.8
CVE-2016-10196 WRITEUP HIGH
Debian Linux < 2.1.5 - Out-of-Bounds Write
Stack-based buffer overflow in the evutil_parse_sockaddr_port function in evutil.c in libevent before 2.1.6-beta allows attackers to cause a denial of service (segmentation fault) via vectors involving a long string in brackets in the ip_as_string argument.
CVSS 7.5
CVE-2016-10197 WRITEUP HIGH
Debian Linux < 2.1.5 - Out-of-Bounds Read
The search_make_new function in evdns.c in libevent before 2.1.6-beta allows attackers to cause a denial of service (out-of-bounds read) via an empty hostname.
CVSS 7.5
CVE-2016-10223 WRITEUP MEDIUM
BigTree CMS < 4.2.14 - Cross-Site Scripting via Dashboard Module Integrity Check ID Parameter
An issue was discovered in BigTree CMS before 4.2.15. The vulnerability exists due to insufficient filtering of user-supplied data in the "id" HTTP GET parameter passed to the "core/admin/adjax/dashboard/check-module-integrity.php" URL. An attacker could execute arbitrary HTML and script code in a browser in the context of the vulnerable website.
CVSS 5.4
CVE-2016-10345 WRITEUP HIGH
Phusion Passenger < 5.1.0 - Privilege Escalation via Predictable /tmp Filename
In Phusion Passenger before 5.1.0, a known /tmp filename was used during passenger-install-nginx-module execution, which could allow local attackers to gain the privileges of the passenger user.
CVSS 7.8