Writeup Exploits
62,851 exploits tracked across all sources.
python-fedora <0.8.0 - Open Redirect
python-fedora 0.8.0 and lower is vulnerable to an open redirect resulting in loss of CSRF protection
CVSS 6.1
Linux Kernel < 4.10.15 - Use-After-Free via Timerfd Race Condition
Race condition in fs/timerfd.c in the Linux kernel before 4.10.15 allows local users to gain privileges or cause a denial of service (list corruption or use-after-free) via simultaneous file-descriptor operations that leverage improper might_cancel queueing.
CVSS 7.0
Piwigo < 2.9.1 - SQL Injection via cat_false or cat_true Parameter
SQL injection vulnerability in the administrative backend in Piwigo through 2.9.1 allows remote users to execute arbitrary SQL commands via the cat_false or cat_true parameter in the comments or status page to cat_options.php.
CVSS 9.8
PHP < 5.6.31, 7.x < 7.0.17, 7.1.x < 7.1.3 - Denial of Service via Long Form Variables
In PHP before 5.6.31, 7.x before 7.0.17, and 7.1.x before 7.1.3, remote attackers could cause a CPU consumption denial of service attack by injecting long form variables, related to main/php_variables.c.
CVSS 7.5
Linux Kernel <= 4.11.9 - Use-After-Free in mq_notify Netlink Socket Handling
The mq_notify function in the Linux kernel through 4.11.9 does not set the sock pointer to NULL upon entry into the retry logic. During a user-space close of a Netlink socket, it allows attackers to cause a denial of service (use-after-free) or possibly have unspecified other impact.
CVSS 7.8
ImageMagick < 6.9.9-0 - Denial of Service via Unvalidated Blob Size in MPC Coder
coders/mpc.c in ImageMagick before 7.0.6-1 does not enable seekable streams and thus cannot validate blob sizes, which allows remote attackers to cause a denial of service (application crash) or possibly have unspecified other impact via an image received from stdin.
CVSS 8.8
ImageMagick < 6.9.9-0 and 7.x through 7.0.6-1 - Denial of Service via Crafted TXT File
The ReadTXTImage function in coders/txt.c in ImageMagick through 6.9.9-0 and 7.x through 7.0.6-1 allows remote attackers to cause a denial of service (infinite loop) via a crafted file, because the end-of-file condition is not considered.
CVSS 6.5
WildMIDI 0.4.2 - Denial of Service via Crafted MIDI File
The _WM_SetupMidiEvent function in internal_midi.c:2122 in WildMIDI 0.4.2 can cause a denial of service (invalid memory read and application crash) via a crafted mid file.
CVSS 6.5
Microsoft Office CVE-2017-11882
Microsoft Office 2007 Service Pack 3, Microsoft Office 2010 Service Pack 2, Microsoft Office 2013 Service Pack 1, and Microsoft Office 2016 allow an attacker to run arbitrary code in the context of the current user by failing to properly handle objects in memory, aka "Microsoft Office Memory Corruption Vulnerability". This CVE ID is unique from CVE-2017-11884.
CVSS 7.8
Microsoft Office CVE-2017-11882
Microsoft Office 2007 Service Pack 3, Microsoft Office 2010 Service Pack 2, Microsoft Office 2013 Service Pack 1, and Microsoft Office 2016 allow an attacker to run arbitrary code in the context of the current user by failing to properly handle objects in memory, aka "Microsoft Office Memory Corruption Vulnerability". This CVE ID is unique from CVE-2017-11884.
CVSS 7.8
MantisBT < 1.3.12 and 2.x < 2.5.2 - Cross-Site Scripting via Installation Script Variables
An XSS issue was discovered in admin/install.php in MantisBT before 1.3.12 and 2.x before 2.5.2. Some variables under user control in the MantisBT installation script are not properly sanitized before being output, allowing remote attackers to inject arbitrary JavaScript code, as demonstrated by the $f_database, $f_db_username, and $f_admin_username variables. This is mitigated by the fact that the admin/ folder should be deleted after installation, and also prevented by CSP.
CVSS 6.1
Linux kernel <4.13.8 - Memory Corruption
The bio_map_user_iov and bio_unmap_user functions in block/bio.c in the Linux kernel before 4.13.8 do unbalanced refcounting when a SCSI I/O vector has small consecutive buffers belonging to the same page. The bio_add_pc_page function merges them into one, but the page reference is never dropped. This causes a memory leak and possible system lockup (exploitable against the host OS by a guest OS user, if a SCSI disk is passed through to a virtual machine) due to an out-of-memory condition.
CVSS 6.5
GitLab CE/EE <8.17.8, <9.0.13, <9.1.10, <9.2.10, <9.3.10, <9.4.4 - RCE
GitLab Community Edition (CE) and Enterprise Edition (EE) before 8.17.8, 9.0.x before 9.0.13, 9.1.x before 9.1.10, 9.2.x before 9.2.10, 9.3.x before 9.3.10, and 9.4.x before 9.4.4 might allow remote attackers to execute arbitrary code via a crafted SSH URL in a project import.
CVSS 8.8
rsyslog < 8.27.0 - Format String Vulnerability in ZMQ3 Input/Output Modules
The zmq3 input and output modules in rsyslog before 8.28.0 interpreted description fields as format strings, possibly allowing a format string attack with unspecified impact.
CVSS 9.8
NexusPHP 1.5 - Cross-Site Request Forgery and Cross-Site Scripting via Linksmanage.php Parameters
Multiple cross-site request forgery (CSRF) vulnerabilities in NexusPHP 1.5 allow remote attackers to hijack the authentication of administrators for requests that conduct cross-site scripting (XSS) attacks via the (1) linkname, (2) url, or (3) title parameter in an add action to linksmanage.php.
CVSS 6.1
Cyrus IMAP < 3.0.3 - Authenticated Arbitrary File Write via SYNCAPPLY, SYNCGET, or SYNCRESTORE Command
Cyrus IMAP before 3.0.3 allows remote authenticated users to write to arbitrary files via a crafted (1) SYNCAPPLY, (2) SYNCGET or (3) SYNCRESTORE command.
CVSS 6.5
Nagios Core <4.3.3 - Privilege Escalation
Nagios Core before 4.3.3 creates a nagios.lock PID file after dropping privileges to a non-root account, which might allow local users to kill arbitrary processes by leveraging access to this non-root account for nagios.lock modification before a root script executes a "kill `cat /pathname/nagios.lock`" command.
CVSS 6.3
numpy < 1.13.1 - Denial of Service via Empty Input to numpy.pad
The numpy.pad function in Numpy 1.13.1 and older versions is missing input validation. An empty list or ndarray will stick into an infinite loop, which can allow attackers to cause a DoS attack.
CVSS 7.5
tcpdump < 4.9.2 - Out-of-bounds Read in ISAKMP Parser
The ISAKMP parser in tcpdump before 4.9.2 has a buffer over-read in print-isakmp.c:isakmp_rfc3948_print().
CVSS 9.8
tcpdump < 4.9.2 - Out-of-bounds Read in DECnet Parser
The DECnet parser in tcpdump before 4.9.2 has a buffer over-read in print-decnet.c:decnet_print().
CVSS 9.8
tcpdump < 4.9.2 - Out-of-bounds Read in Zephyr Parser
The Zephyr parser in tcpdump before 4.9.2 has a buffer over-read in print-zephyr.c, several functions.
CVSS 9.8
nimbus_jose+jwt - HMAC Bypass via Integer Overflow in Byte-to-Bit Conversion
In Nimbus JOSE+JWT before 4.39, there is no integer-overflow check when converting length values from bytes to bits, which allows attackers to conduct HMAC bypass attacks by shifting Additional Authenticated Data (AAD) and ciphertext so that different plaintext is obtained for the same HMAC.
CVSS 7.5
Nimbus JOSE+JWT <4.39 - Info Disclosure
Nimbus JOSE+JWT before 4.39 proceeds improperly after detection of an invalid HMAC in authenticated AES-CBC decryption, which allows attackers to conduct a padding oracle attack.
CVSS 3.1
Nimbus JOSE+JWT < 4.36 - Invalid Curve Attack via ECKey Construction
Nimbus JOSE+JWT before 4.36 proceeds with ECKey construction without ensuring that the public x and y coordinates are on the specified curve, which allows attackers to conduct an Invalid Curve Attack in environments where the JCE provider lacks the applicable curve validation.
CVSS 7.5
Cacti < 1.1.17 - Authenticated Cross-Site Scripting via External Link Title Field
lib/html.php in Cacti before 1.1.18 has XSS via the title field of an external link added by an authenticated user.
CVSS 5.4
By Source