Writeup Exploits

62,851 exploits tracked across all sources.

CVE-2017-1002150 WRITEUP MEDIUM
python-fedora <0.8.0 - Open Redirect
python-fedora 0.8.0 and lower is vulnerable to an open redirect, resulting in loss of CSRF protection.
CVSS 6.1
CVE-2017-10661 WRITEUP HIGH
Linux Kernel < 4.10.15 - Use-After-Free via Timerfd Race Condition
Race condition in fs/timerfd.c in the Linux kernel before 4.10.15 allows local users to gain privileges or cause a denial of service (list corruption or use-after-free) via simultaneous file-descriptor operations that leverage improper might_cancel queueing.
CVSS 7.0
CVE-2017-10682 WRITEUP CRITICAL
Piwigo < 2.9.1 - SQL Injection via cat_false or cat_true Parameter
SQL injection vulnerability in the administrative backend in Piwigo through 2.9.1 allows remote users to execute arbitrary SQL commands via the cat_false or cat_true parameter in the comments or status page to cat_options.php.
CVSS 9.8
CVE-2017-11142 WRITEUP HIGH
PHP < 5.6.31, 7.x < 7.0.17, 7.1.x < 7.1.3 - Denial of Service via Long Form Variables
In PHP before 5.6.31, 7.x before 7.0.17, and 7.1.x before 7.1.3, remote attackers could cause a CPU consumption denial of service attack by injecting long form variables, related to main/php_variables.c.
CVSS 7.5
CVE-2017-11176 WRITEUP HIGH
Linux Kernel <= 4.11.9 - Use-After-Free in mq_notify Netlink Socket Handling
The mq_notify function in the Linux kernel through 4.11.9 does not set the sock pointer to NULL upon entry into the retry logic. During a user-space close of a Netlink socket, it allows attackers to cause a denial of service (use-after-free) or possibly have unspecified other impact.
CVSS 7.8
CVE-2017-11449 WRITEUP HIGH
ImageMagick < 6.9.9-0 - Denial of Service via Unvalidated Blob Size in MPC Coder
coders/mpc.c in ImageMagick before 7.0.6-1 does not enable seekable streams and thus cannot validate blob sizes, which allows remote attackers to cause a denial of service (application crash) or possibly have unspecified other impact via an image received from stdin.
CVSS 8.8
CVE-2017-11523 WRITEUP MEDIUM
ImageMagick < 6.9.9-0 and 7.x through 7.0.6-1 - Denial of Service via Crafted TXT File
The ReadTXTImage function in coders/txt.c in ImageMagick through 6.9.9-0 and 7.x through 7.0.6-1 allows remote attackers to cause a denial of service (infinite loop) via a crafted file, because the end-of-file condition is not considered.
CVSS 6.5
CVE-2017-11664 WRITEUP MEDIUM
WildMIDI 0.4.2 - Denial of Service via Crafted MIDI File
The _WM_SetupMidiEvent function in internal_midi.c:2122 in WildMIDI 0.4.2 can cause a denial of service (invalid memory read and application crash) via a crafted mid file.
CVSS 6.5
CVE-2017-11882 WRITEUP HIGH
Microsoft Office CVE-2017-11882
Microsoft Office 2007 Service Pack 3, Microsoft Office 2010 Service Pack 2, Microsoft Office 2013 Service Pack 1, and Microsoft Office 2016 allow an attacker to run arbitrary code in the context of the current user by failing to properly handle objects in memory, aka "Microsoft Office Memory Corruption Vulnerability". This CVE ID is unique from CVE-2017-11884.
CVSS 7.8
CVE-2017-12061 WRITEUP MEDIUM
MantisBT < 1.3.12 and 2.x < 2.5.2 - Cross-Site Scripting via Installation Script Variables
An XSS issue was discovered in admin/install.php in MantisBT before 1.3.12 and 2.x before 2.5.2. Some variables under user control in the MantisBT installation script are not properly sanitized before being output, allowing remote attackers to inject arbitrary JavaScript code, as demonstrated by the $f_database, $f_db_username, and $f_admin_username variables. This is mitigated by the fact that the admin/ folder should be deleted after installation, and also prevented by CSP.
CVSS 6.1
CVE-2017-12190 WRITEUP MEDIUM
Linux kernel <4.13.8 - Memory Corruption
The bio_map_user_iov and bio_unmap_user functions in block/bio.c in the Linux kernel before 4.13.8 do unbalanced refcounting when a SCSI I/O vector has small consecutive buffers belonging to the same page. The bio_add_pc_page function merges them into one, but the page reference is never dropped. This causes a memory leak and possible system lockup (exploitable against the host OS by a guest OS user, if a SCSI disk is passed through to a virtual machine) due to an out-of-memory condition.
CVSS 6.5
CVE-2017-12426 WRITEUP HIGH
GitLab CE/EE <8.17.8, <9.0.13, <9.1.10, <9.2.10, <9.3.10, <9.4.4 - RCE
GitLab Community Edition (CE) and Enterprise Edition (EE) before 8.17.8, 9.0.x before 9.0.13, 9.1.x before 9.1.10, 9.2.x before 9.2.10, 9.3.x before 9.3.10, and 9.4.x before 9.4.4 might allow remote attackers to execute arbitrary code via a crafted SSH URL in a project import.
CVSS 8.8
CVE-2017-12588 WRITEUP CRITICAL
rsyslog < 8.27.0 - Format String Vulnerability in ZMQ3 Input/Output Modules
The zmq3 input and output modules in rsyslog before 8.28.0 interpreted description fields as format strings, possibly allowing a format string attack with unspecified impact.
CVSS 9.8
CVE-2017-12792 WRITEUP MEDIUM
NexusPHP 1.5 - Cross-Site Request Forgery and Cross-Site Scripting via Linksmanage.php Parameters
Multiple cross-site request forgery (CSRF) vulnerabilities in NexusPHP 1.5 allow remote attackers to hijack the authentication of administrators for requests that conduct cross-site scripting (XSS) attacks via the (1) linkname, (2) url, or (3) title parameter in an add action to linksmanage.php.
CVSS 6.1
CVE-2017-12843 WRITEUP MEDIUM
Cyrus IMAP < 3.0.3 - Authenticated Arbitrary File Write via SYNCAPPLY, SYNCGET, or SYNCRESTORE Command
Cyrus IMAP before 3.0.3 allows remote authenticated users to write to arbitrary files via a crafted (1) SYNCAPPLY, (2) SYNCGET or (3) SYNCRESTORE command.
CVSS 6.5
CVE-2017-12847 WRITEUP MEDIUM
Nagios Core <4.3.3 - Privilege Escalation
Nagios Core before 4.3.3 creates a nagios.lock PID file after dropping privileges to a non-root account, which might allow local users to kill arbitrary processes by leveraging access to this non-root account for nagios.lock modification before a root script executes a "kill `cat /pathname/nagios.lock`" command.
CVSS 6.3
CVE-2017-12852 WRITEUP HIGH
numpy < 1.13.1 - Denial of Service via Empty Input to numpy.pad
The numpy.pad function in Numpy 1.13.1 and older versions is missing input validation. An empty list or ndarray causes an infinite loop, which can allow attackers to cause a DoS attack.
CVSS 7.5
CVE-2017-12896 WRITEUP CRITICAL
tcpdump < 4.9.2 - Out-of-bounds Read in ISAKMP Parser
The ISAKMP parser in tcpdump before 4.9.2 has a buffer over-read in print-isakmp.c:isakmp_rfc3948_print().
CVSS 9.8
CVE-2017-12899 WRITEUP CRITICAL
tcpdump < 4.9.2 - Out-of-bounds Read in DECnet Parser
The DECnet parser in tcpdump before 4.9.2 has a buffer over-read in print-decnet.c:decnet_print().
CVSS 9.8
CVE-2017-12902 WRITEUP CRITICAL
tcpdump < 4.9.2 - Out-of-bounds Read in Zephyr Parser
The Zephyr parser in tcpdump before 4.9.2 has a buffer over-read in several functions in print-zephyr.c.
CVSS 9.8
CVE-2017-12972 WRITEUP HIGH
Nimbus JOSE+JWT < 4.39 - HMAC Bypass via Integer Overflow in Byte-to-Bit Conversion
In Nimbus JOSE+JWT before 4.39, there is no integer-overflow check when converting length values from bytes to bits, which allows attackers to conduct HMAC bypass attacks by shifting Additional Authenticated Data (AAD) and ciphertext so that different plaintext is obtained for the same HMAC.
CVSS 7.5
CVE-2017-12973 WRITEUP LOW
Nimbus JOSE+JWT <4.39 - Info Disclosure
Nimbus JOSE+JWT before 4.39 proceeds improperly after detection of an invalid HMAC in authenticated AES-CBC decryption, which allows attackers to conduct a padding oracle attack.
CVSS 3.1
CVE-2017-12974 WRITEUP HIGH
Nimbus JOSE+JWT < 4.36 - Invalid Curve Attack via ECKey Construction
Nimbus JOSE+JWT before 4.36 proceeds with ECKey construction without ensuring that the public x and y coordinates are on the specified curve, which allows attackers to conduct an Invalid Curve Attack in environments where the JCE provider lacks the applicable curve validation.
CVSS 7.5
CVE-2017-12978 WRITEUP MEDIUM
Cacti < 1.1.17 - Authenticated Cross-Site Scripting via External Link Title Field
lib/html.php in Cacti before 1.1.18 has XSS via the title field of an external link added by an authenticated user.
CVSS 5.4