Writeup Exploits

62,851 exploits tracked across all sources.

CVE-2016-9950 WRITEUP HIGH
Apport < 2.20.4 - Path Traversal via Package Hook Fields
An issue was discovered in Apport before 2.20.4. There is a path traversal issue in the Apport crash file "Package" and "SourcePackage" fields. These fields are used to build a path to the package specific hook files in the /usr/share/apport/package-hooks/ directory. An attacker can exploit this path traversal to execute arbitrary Python files from the local system.
CVSS 7.8
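The traversal above comes down to how a crash-file field is turned into a hook path. The following Python is an added illustration, not Apport's code: it builds the hook path the way the entry describes (field value straight into /usr/share/apport/package-hooks/), shows that a "../" package name walks out of the directory, and then builds it the hardened way, validating the name against Debian package-name rules and checking the normalised path is still below the hook directory. The crash-file excerpts, the HOOK_PREFIX table (Apport names source hooks source_<name>.py) and the function names are constructed for the example.

```python
import os
import re
from pathlib import Path

# Apport's hook directory, as named in the entry above.
HOOK_DIR = Path("/usr/share/apport/package-hooks")

# Constructed .crash excerpts (Apport reports are "Key: value" lines); the
# Package field carries "name version".
BENIGN_REPORT = "ProblemType: Crash\nPackage: firefox 50.0\nSourcePackage: firefox\n"
MALICIOUS_REPORT = (
    "ProblemType: Crash\n"
    "Package: ../../../../tmp/evil 1.0\n"
    "SourcePackage: ../../../../tmp/evil\n"
)

# Package hooks are <name>.py, source-package hooks are source_<name>.py.
HOOK_PREFIX = {"Package": "", "SourcePackage": "source_"}


def parse_report(text):
    fields = {}
    for line in text.splitlines():
        if ": " in line:
            key, value = line.split(": ", 1)
            fields[key] = value
    return fields


def package_name(field_value):
    # "firefox 50.0" -> "firefox"; the version follows the first space
    parts = field_value.split()
    return parts[0] if parts else ""


def vulnerable_hook_path(fields, field="Package"):
    # The flaw described in the entry: the field goes straight into the path,
    # so "../" segments walk out of HOOK_DIR.
    name = package_name(fields.get(field, ""))
    return HOOK_DIR / f"{HOOK_PREFIX[field]}{name}.py"


def escapes_hook_dir(path):
    # Normalise ".." lexically (no filesystem access) and require the result
    # to still sit below HOOK_DIR.
    normalised = Path(os.path.normpath(path))
    return HOOK_DIR not in normalised.parents


# Debian Policy 5.6.1: lowercase letters, digits, '+', '-', '.', at least two
# characters, starting with an alphanumeric. A '/' can never pass.
_DEBIAN_PKG_NAME = re.compile(r"[a-z0-9][a-z0-9+.-]+")


def safe_hook_path(fields, field="Package"):
    name = package_name(fields.get(field, ""))
    if not _DEBIAN_PKG_NAME.fullmatch(name):
        raise ValueError(f"refusing hook lookup for suspicious package name {name!r}")
    path = HOOK_DIR / f"{HOOK_PREFIX[field]}{name}.py"
    if escapes_hook_dir(path):  # belt and braces; the regex already forbids '/'
        raise ValueError("hook path escapes the hook directory")
    return path
```

The regex is the real control here: a lexical containment check alone would still let a name such as "..evil" through, which is harmless, but it would also accept any name that happens to resolve inside the directory, so reject by allow-list first and keep the path check as a second line.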
CVE-2016-9951 WRITEUP MEDIUM
Apport < 2.20.4 - Command Execution via Relaunch of a Malicious Crash File
An issue was discovered in Apport before 2.20.4. A malicious Apport crash file can contain a restart command in `RespawnCommand` or `ProcCmdline` fields. This command will be executed if a user clicks the Relaunch button on the Apport prompt from the malicious crash file. The fix is to only show the Relaunch button on Apport crash files generated by local systems. The Relaunch button will be hidden when crash files are opened directly in Apport-GTK.
CVSS 6.5
CVE-2017-0478 WRITEUP HIGH
Android 5.0.2 5.1.1 6.0 6.0.1 7.0 7.1.1 - Remote Code Execution via Framesequence Library
A remote code execution vulnerability in the Framesequence library could enable an attacker using a specially crafted file to execute arbitrary code in the context of an unprivileged process. This issue is rated as High due to the possibility of remote code execution in an application that uses the Framesequence library. Product: Android. Versions: 5.0.2, 5.1.1, 6.0, 6.0.1, 7.0, 7.1.1. Android ID: A-33718716.
CVSS 7.8
CVE-2017-0541 WRITEUP HIGH
Android 4.4.4-7.1.1 - Remote Code Execution via Crafted Media File in sonivox
A remote code execution vulnerability in sonivox in Mediaserver could enable an attacker using a specially crafted file to cause memory corruption during media file and data processing. This issue is rated as Critical due to the possibility of remote code execution within the context of the Mediaserver process. Product: Android. Versions: 4.4.4, 5.0.2, 5.1.1, 6.0, 6.0.1, 7.0, 7.1.1. Android ID: A-34031018.
CVSS 7.8
CVE-2017-0899 WRITEUP CRITICAL
RubyGems < 2.6.13 - Terminal Escape Sequence Injection via Gem Specification
RubyGems version 2.6.12 and earlier is vulnerable to maliciously crafted gem specifications that include terminal escape characters. Printing the gem specification would execute terminal escape sequences.
CVSS 9.8
CVE-2017-0901 WRITEUP HIGH
RubyGems < 2.6.13 - Arbitrary File Write via Specification Name Validation Bypass
RubyGems version 2.6.12 and earlier fails to validate specification names, allowing a maliciously crafted gem to potentially overwrite any file on the filesystem.
CVSS 7.5
CVE-2017-0911 WRITEUP MEDIUM
Twitter Kit for iOS 3.0 to 3.2.1 - Login with Twitter Callback Forgery
Twitter Kit for iOS versions 3.0 to 3.2.1 is vulnerable to a callback verification flaw in the "Login with Twitter" component, allowing an attacker to supply alternate credentials. In the final step of "Login with Twitter", authentication information is passed back to the application using the registered custom URL scheme (typically twitterkit-<consumer-key>) on iOS. Because the callback handler did not verify the authenticity of the response, this step is vulnerable to forgery, potentially allowing an attacker to associate a Twitter account with a third-party service.
CVSS 5.4
CVE-2017-1000009 WRITEUP CRITICAL
Akeneo PIM CE/EE <1.6.6/<1.5.15/<1.4.28 - Code Injection
Akeneo PIM CE and EE before 1.6.6, 1.5.15 and 1.4.28 are vulnerable to shell injection in the mass edit feature, resulting in remote code execution.
CVSS 9.8
CVE-2017-1000083 WRITEUP HIGH
Evince < 3.24.1 - Command Injection via Crafted .cbt Filename
backend/comics/comics-document.c (aka the comic book backend) in GNOME Evince before 3.24.1 allows remote attackers to execute arbitrary commands via a .cbt file that is a TAR archive containing a filename beginning with a "--" command-line option substring, as demonstrated by a --checkpoint-action=exec=bash at the beginning of the filename.
CVSS 7.8
CVE-2017-1000112 WRITEUP HIGH
Linux Kernel UDP Fragmentation Offset (UFO) Privilege Escalation
Linux kernel: exploitable memory corruption due to a UFO to non-UFO path switch. When building a UFO packet with MSG_MORE, __ip_append_data() calls ip_ufo_append_data() to append. However, between two send() calls the append path can be switched from UFO to non-UFO, which leads to memory corruption. When the UFO packet length exceeds the MTU, copy = maxfraglen - skb->len becomes negative on the non-UFO path and the branch that allocates a new skb is taken. This triggers fragmentation and the computation fraggap = skb_prev->len - maxfraglen. fraggap can exceed the MTU, causing copy = datalen - transhdrlen - fraggap to become negative; skb_copy_and_csum_bits() then writes out of bounds. A similar issue is present in the IPv6 code. The bug was introduced in e89e9cf539a2 ("[IPv4/IPv6]: UFO Scatter-gather approach") on Oct 18 2005.
CVSS 7.0
CVE-2017-1000215 WRITEUP CRITICAL
ROOT xrootd <= 4.6.0 - Command Injection
ROOT xrootd version 4.6.0 and below is vulnerable to an unauthenticated shell command injection, resulting in remote code execution.
CVSS 9.8
CVE-2017-1000249 WRITEUP MEDIUM
file - Stack-Based Buffer Overflow via Crafted ELF .notes Section
An issue in file introduced in commit 9611f31313a93aa036389c5f3b15eea53510d4d1 (Oct 2016) lets an attacker overwrite a fixed 20-byte stack buffer with a specially crafted .notes section in an ELF binary. This was fixed in commit 35c94dc6acc418f1ad7f6241a6680e5327495793 (Aug 2017).
CVSS 5.5
CVE-2017-1000251 WRITEUP HIGH
Linux Kernel 2.6.32-4.13.1 - Remote Code Execution via Bluetooth L2CAP Configuration Response
The native Bluetooth stack in the Linux kernel (BlueZ), from version 2.6.32 up to and including 4.13.1, is vulnerable to a stack overflow in the processing of L2CAP configuration responses, resulting in remote code execution in kernel space.
CVSS 8.0
CVE-2017-1000252 WRITEUP MEDIUM
Linux Kernel <= 4.13.3 - Denial of Service via Out-of-Bounds Guest IRQ Value
The KVM subsystem in the Linux kernel through 4.13.3 allows guest OS users to cause a denial of service (assertion failure, and hypervisor hang or crash) via an out-of-bounds guest_irq value, related to arch/x86/kvm/vmx.c and virt/kvm/eventfd.c.
CVSS 5.5
CVE-2017-1000380 WRITEUP MEDIUM
Linux kernel < 4.11.5 - Information Disclosure via ALSA Timer Data Race
sound/core/timer.c in the Linux kernel before 4.11.5 has a data race in the ALSA /dev/snd/timer driver that lets local users read information belonging to other users: uninitialized memory contents may be disclosed when a read and an ioctl happen at the same time.
CVSS 5.5
CVE-2017-1000475 WRITEUP HIGH
FreeSSHd 1.3.1 - Local Privilege Escalation via Unquoted Service Path
FreeSSHd 1.3.1 registers its Windows service with an unquoted path, allowing local users to launch processes with elevated privileges.
CVSS 7.8
CVE-2017-1000479 WRITEUP HIGH
pfSense < 2.4.2 - Clickjacking via CSRF Error Page
pfSense versions 2.4.1 and lower are vulnerable to clickjacking attacks in the CSRF error page resulting in privileged execution of arbitrary code, because the error detection occurs before an X-Frame-Options header is set. This is fixed in 2.4.2-RELEASE. OPNsense, a 2015 fork of pfSense, was not vulnerable since version 16.1.16 released on June 06, 2016. The unprotected web form was removed from the code during an internal security audit under "possibly insecure" suspicions.
CVSS 8.8
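The pfSense entry above is a header-ordering bug: the CSRF error path returns before the response gains its X-Frame-Options header, so only that error page can be framed. The Python below is an added illustration, not pfSense code (pfSense is PHP): a minimal WSGI application with the same shape, an early-return error branch that misses the header, beside a middleware that stamps X-Frame-Options on every response regardless of which branch produced it. The CSRF check, the token value and the handler names are constructed for the example.

```python
from wsgiref.util import setup_testing_defaults


def csrf_token_valid(environ):
    # Constructed stand-in: a real check compares a per-session token.
    return environ.get("HTTP_X_CSRF_TOKEN") == "expected-token"


def vulnerable_app(environ, start_response):
    # Error detection runs first and returns before the header is added,
    # so this error page can be loaded inside an attacker's iframe.
    if environ["REQUEST_METHOD"] == "POST" and not csrf_token_valid(environ):
        start_response("403 Forbidden", [("Content-Type", "text/html")])
        return [b"<html>CSRF check failed. <a href='?retry=1'>Try again</a></html>"]
    headers = [("Content-Type", "text/html"), ("X-Frame-Options", "DENY")]
    start_response("200 OK", headers)
    return [b"<html>ok</html>"]


def with_frame_protection(app):
    """Middleware that adds X-Frame-Options to every response, error pages included."""
    def wrapped(environ, start_response):
        def sr(status, headers, exc_info=None):
            names = {name.lower() for name, _ in headers}
            if "x-frame-options" not in names:
                headers = headers + [("X-Frame-Options", "DENY")]
            return start_response(status, headers, exc_info)
        return app(environ, sr)
    return wrapped


fixed_app = with_frame_protection(vulnerable_app)


def call(app, method="GET", token=None):
    """Drive a WSGI app in-process and return (status, headers dict, body)."""
    environ = {}
    setup_testing_defaults(environ)
    environ["REQUEST_METHOD"] = method
    if token is not None:
        environ["HTTP_X_CSRF_TOKEN"] = token
    captured = {}

    def start_response(status, headers, exc_info=None):
        captured["status"] = status
        captured["headers"] = dict(headers)

    body = b"".join(app(environ, start_response))
    return captured["status"], captured["headers"], body
```

The same pattern applies to Content-Security-Policy frame-ancestors: set anti-framing headers at a layer that wraps all responses (middleware, web-server config) rather than in each handler, so early-return error pages cannot be missed.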
CVE-2017-1000487 WRITEUP CRITICAL
Plexus-utils <3.0.16 - Command Injection
Plexus-utils before 3.0.16 is vulnerable to command injection because it does not correctly process the contents of double quoted strings.
CVSS 9.8
CVE-2017-1000501 WRITEUP CRITICAL
AWStats <= 7.6 - Unauthenticated Path Traversal and Remote Code Execution via Config and Migrate Parameters
AWStats version 7.6 and earlier is vulnerable to a path traversal flaw in the handling of the "config" and "migrate" parameters, resulting in unauthenticated remote code execution.
CVSS 9.8
CVE-2017-1001000 WRITEUP HIGH
WordPress 4.7.x < 4.7.2 - Unauthenticated Arbitrary Page Modification via REST API Endpoint
The register_routes function in wp-includes/rest-api/endpoints/class-wp-rest-posts-controller.php in the REST API in WordPress 4.7.x before 4.7.2 does not require an integer identifier, which allows remote attackers to modify arbitrary pages via a request for wp-json/wp/v2/posts followed by a numeric value and a non-numeric value, as demonstrated by the wp-json/wp/v2/posts/123?id=123helloworld URI.
CVSS 7.5
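The 123?id=123helloworld request in the entry above works because the id is treated two different ways on one request: the query-string id overrides the path id, the permission check looks the post up by the raw string and finds nothing (so it has nothing to deny), and the update handler then casts the same string to an integer and updates post 123. The Python below is an added, simplified model of that dispatch written for this page; it is not WordPress code, and the store, the post, the route regex and the 4.7.2 behaviour (modelled as rejecting a non-integer id with rest_invalid_param) are constructed for the example.

```python
import re

# Constructed content store: post 123 exists and belongs to someone else.
POSTS = {123: {"title": "Hello world", "content": "original"}}


def get_post(post_id):
    """Model of get_post(): a non-numeric string finds nothing, an int finds the post."""
    if isinstance(post_id, str):
        if not re.fullmatch(r"\d+", post_id):
            return None
        post_id = int(post_id)
    return POSTS.get(post_id)


def php_int_cast(value):
    """PHP's (int) cast keeps the leading digits: (int)'123helloworld' == 123."""
    m = re.match(r"\s*[+-]?\d+", str(value))
    return int(m.group()) if m else 0


def dispatch(path, query, body, validate_id=False):
    """Model of the 4.7.0/4.7.1 flow for an unauthenticated caller.

    Path parameters come from the route regex; query parameters are merged on
    top and win. Returns (status, code)."""
    m = re.fullmatch(r"/wp/v2/posts/(?P<id>\d+)", path)
    if not m:
        return 404, "rest_no_route"
    params = dict(m.groupdict())
    params.update(query)  # ?id=123helloworld replaces the path id

    # Fixed behaviour (modelled): the id argument must be an integer.
    if validate_id and not re.fullmatch(r"\d+", str(params["id"])):
        return 400, "rest_invalid_param"

    # Permission check: denies only when a post was found and the caller
    # may not edit it. A lookup that finds nothing sails through.
    post = get_post(params["id"])
    if post is not None:
        return 401, "rest_cannot_edit"

    # Handler: casts before loading, so the cast id now hits the real post.
    pid = php_int_cast(params["id"])
    target = get_post(pid)
    if pid == 0 or target is None:
        return 404, "rest_post_invalid_id"
    target.update(body)
    return 200, "updated"
```

The general lesson is that a parameter must be parsed once, and every later check and action must use that one parsed value; two interpretations of the same input (string lookup, then integer cast) is the whole bug.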
CVE-2017-1001002 WRITEUP CRITICAL
math.js < 3.17.0 - Remote Code Execution via Typed Function Name Injection
math.js before 3.17.0 allowed arbitrary code execution in the JavaScript engine: creating a typed function with JavaScript code in its name could result in that code being executed.
CVSS 9.8
CVE-2017-1001003 WRITEUP CRITICAL
mathjs < 3.17.0 - Prototype Pollution via Unicode Character Bypass
math.js before 3.17.0 had an issue where private properties such as a constructor could be replaced by using unicode characters when creating an object.
CVSS 9.8
CVE-2017-1001004 WRITEUP HIGH
typed-function < 0.10.6 - Remote Code Execution via Typed Function Name
typed-function before 0.10.6 allowed arbitrary code execution in the JavaScript engine: creating a typed function with JavaScript code in its name could result in that code being executed.
CVSS 8.8
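The math.js and typed-function entries above are the same bug: the library generated source code at runtime and spliced the caller-supplied function name into it, so a name containing code ran at definition time. The block below is an added Python analog of that pattern, written for this page and not taken from either project (which generate JavaScript); it splices an untrusted name into exec()'d source, shows an injected name running a statement, and then builds the same function the safe way, validating the name as an identifier and applying it as data after the code is built. SIDE_EFFECTS, INJECTED_NAME and the function names are constructed for the example.

```python
import keyword

# Records statements smuggled in through the name; stays empty unless injection worked.
SIDE_EFFECTS = []


def _generate_source(name, arity):
    params = ", ".join(f"arg{i}" for i in range(arity))
    # Vulnerable pattern: the untrusted name is pasted into source inside a
    # string literal, so a name containing a closing quote escapes the literal.
    return (
        f"def _impl({params}):\n"
        f"    return [{params}]\n"
        f'_impl.__name__ = "{name}"\n'
    )


def build_vulnerable(name, arity):
    ns = {"SIDE_EFFECTS": SIDE_EFFECTS}
    exec(_generate_source(name, arity), ns)
    return ns["_impl"]


def build_safe(name, arity):
    # Allow-list the name and never let it near generated source.
    if not (isinstance(name, str) and name.isidentifier() and not keyword.iskeyword(name)):
        raise ValueError(f"invalid function name {name!r}")
    params = ", ".join(f"arg{i}" for i in range(arity))
    ns = {}
    exec(f"def _impl({params}):\n    return [{params}]\n", ns)
    fn = ns["_impl"]
    fn.__name__ = name  # the name is handled as data, after the code exists
    return fn


# A "name" that closes the string literal and appends its own statement.
INJECTED_NAME = 'add"; SIDE_EFFECTS.append("code ran at definition time"); _ = "'
```

The validation is the secondary control; the primary fix is structural: anything the caller controls goes into the generated program as data (an assignment after exec, a parameter, a closure variable), never as source text.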
CVE-2017-1002101 WRITEUP HIGH
Kubernetes <1.7.14, <1.8.9, <1.9.4 - Host Filesystem Access via Subpath Volume Mounts
In Kubernetes versions 1.3.x, 1.4.x, 1.5.x, 1.6.x and prior to versions 1.7.14, 1.8.9 and 1.9.4, containers using subpath volume mounts with any volume type (including non-privileged pods, subject to file permissions) can access files and directories outside of the volume, including the host's filesystem.
CVSS 8.8