Writeup Exploits
62,851 exploits tracked across all sources.
tcpdump < 4.9.2 - Out-of-bounds Read in IEEE 802.11 Parser
The IEEE 802.11 parser in tcpdump before 4.9.2 has a buffer over-read in print-802_11.c:parse_elements().
CVSS 9.8
tcpdump < 4.9.2 - Out-of-bounds Read in IEEE 802.15.4 Parser
The IEEE 802.15.4 parser in tcpdump before 4.9.2 has a buffer over-read in print-802_15_4.c:ieee802_15_4_if_print().
CVSS 9.8
tcpdump < 4.9.2 - Out-of-bounds Read in Juniper Protocols Parser
The Juniper protocols parser in tcpdump before 4.9.2 has a buffer over-read in print-juniper.c:juniper_parse_header().
CVSS 9.8
tcpdump < 4.9.2 - Out-of-bounds Read in VTP Parser
The VTP parser in tcpdump before 4.9.2 has a buffer over-read in print-vtp.c:vtp_print().
CVSS 9.8
tcpdump < 4.9.2 - Out-of-bounds Read in IPv6 Mobility Parser
The IPv6 mobility parser in tcpdump before 4.9.2 has a buffer over-read in print-mobility.c:mobility_opt_print().
CVSS 9.8
tcpdump < 4.9.2 - Out-of-bounds Read in BOOTP Parser
The BOOTP parser in tcpdump before 4.9.2 has a buffer over-read in print-bootp.c:bootp_print().
CVSS 9.8
ImageMagick < 6.9.9-0 and 7.x < 7.0.6-1 - Denial of Service via Crafted PNG File
In ImageMagick before 6.9.9-0 and 7.x before 7.0.6-1, a crafted PNG file could trigger a crash because there was an insufficient check for short files.
CVSS 6.5
ImageMagick < 6.9.8-8 and 7.x < 7.0.5-9 - Denial of Service via JP2 Channel Geometry Validation
In ImageMagick before 6.9.8-8 and 7.x before 7.0.5-9, the ReadJP2Image function in coders/jp2.c does not properly validate the channel geometry, leading to a crash.
CVSS 6.5
tcpdump < 4.9.2 - Out-of-bounds Read in Cisco HDLC Parser
The Cisco HDLC parser in tcpdump before 4.9.2 has a buffer over-read in print-chdlc.c:chdlc_print().
CVSS 9.8
tcpdump < 4.9.2 - Out-of-bounds Read in IPv6 Routing Header Parser
The IPv6 routing header parser in tcpdump before 4.9.2 has a buffer over-read in print-rt6.c:rt6_print().
CVSS 9.8
ARM mbed TLS < 1.3.21 and 2.x < 2.1.9 - Authentication Bypass via X.509 Certificate Chain
ARM mbed TLS before 1.3.21 and 2.x before 2.1.9, if optional authentication is configured, allows remote attackers to bypass peer authentication via an X.509 certificate chain with many intermediates. NOTE: although mbed TLS was formerly known as PolarSSL, the releases shipped with the PolarSSL name are not affected.
CVSS 8.1
Libidn2 < 2.0.3 - Integer Overflow in _isBidi Function
Integer overflow in the _isBidi function in bidi.c in Libidn2 before 2.0.4 allows remote attackers to cause a denial of service or possibly have unspecified other impact.
CVSS 9.8
Libidn2 < 2.0.4 - Integer Overflow in decode_digit Function
Integer overflow in the decode_digit function in puny_decode.c in Libidn2 before 2.0.4 allows remote attackers to cause a denial of service or possibly have unspecified other impact.
CVSS 9.8
Kaltura Server < mercury-13.1.0 - Remote Code Execution via Hardcoded Cookie Secret
The getUserzoneCookie function in Kaltura before 13.2.0 uses a hardcoded cookie secret to validate cookie signatures, which allows remote attackers to bypass an intended protection mechanism and consequently conduct PHP object injection attacks and execute arbitrary PHP code via a crafted userzone cookie.
CVSS 9.8
ImageMagick 7.0.7-0 Q16 - Denial of Service via Crafted PSD File
In coders/psd.c in ImageMagick 7.0.7-0 Q16, a missing EOF (End of File) check in ReadPSDLayersInternal() can cause huge CPU consumption (a DoS). When a crafted PSD file is provided that claims a large "length" field in the header but does not contain sufficient backing data, the loop over "length" consumes huge CPU resources, because there is no EOF check inside the loop.
CVSS 6.5
Samsung SRN-1670D, SRN-1000, SRN-472S, SRN-470D Firmware - Unauthenticated Admin Password Hash Exposure
On Samsung NVR devices, remote attackers can read the MD5 password hash of the 'admin' account via certain szUserName JSON data to cgi-bin/main-cgi, and log in to the device with that hash in the szUserPasswd parameter.
CVSS 8.1
Honeywell Enterprise DVR and MaxPro NVR Firmware - Session Fixation via Guest Account Session ID
Honeywell NVR devices allow remote attackers to create a user account in the admin group by leveraging access to a guest account to obtain a session ID, and then sending that session ID in a userManager.addUser request to the /RPC2 URI. The attacker can log in to the device with that new user account to fully control the device.
CVSS 8.1
EE 4GEE WiFi MBB < EE60_00_05.00_31 - CSRF
EE 4GEE WiFi MBB (before EE60_00_05.00_31) devices have CSRF, related to goform/AddNewProfile, goform/setWanDisconnect, goform/setSMSAutoRedirectSetting, goform/setReset, and goform/uploadBackupSettings.
CVSS 8.8
Newsbeuter 0.3-2.9 - Code Injection
Improper Neutralization of Special Elements used in an OS Command in the podcast playback function of Podbeuter in Newsbeuter 0.3 through 2.9 allows remote attackers to perform user-assisted code execution by crafting an RSS item with a media enclosure (i.e., a podcast file) that includes shell metacharacters in its filename, related to pb_controller.cpp and queueloader.cpp, a different vulnerability than CVE-2017-12904.
CVSS 8.8
Trixbox 2.8.0.4 - OS Command Injection
trixbox 2.8.0.4 has OS command injection via shell metacharacters in the lang parameter to /maint/modules/home/index.php.
CVSS 8.8
Trixbox 2.8.0 - Path Traversal
trixbox 2.8.0.4 has path traversal via the xajaxargs array parameter to /maint/index.php?packages or the lang parameter to /maint/modules/home/index.php.
CVSS 6.5
GNOME Nautilus < 3.23.90 - Info Disclosure
GNOME Nautilus before 3.23.90 allows attackers to spoof a file type by using the .desktop file extension, as demonstrated by an attack in which a .desktop file's Name field ends in .pdf but this file's Exec field launches a malicious "sh -c" command. In other words, Nautilus provides no UI indication that a file actually has the potentially unsafe .desktop extension; instead, the UI only shows the .pdf extension. One (slightly) mitigating factor is that an attack requires the .desktop file to have execute permission. The solution is to ask the user to confirm that the file is supposed to be treated as a .desktop file, and then remember the user's answer in the metadata::trusted field.
CVSS 6.5
phpMyFAQ <= 2.9.8 - Stored Cross-Site Scripting via FAQ Title Field
Cross-site scripting (XSS) vulnerability in phpMyFAQ through 2.9.8 allows remote attackers to inject arbitrary web script or HTML via the "Title of your FAQ" field in the Configuration Module.
CVSS 6.1
ERS Data System < 1.8.1.0 - Code Injection
ERS Data System 1.8.1.0 allows remote attackers to execute arbitrary code, related to "com.branaghgroup.ecers.update.UpdateRequest" object deserialization.
CVSS 9.8
WordPress < 4.8.2 - SQL Injection via $wpdb->prepare Placeholder Mishandling
Before version 4.8.2, WordPress mishandled % characters and additional placeholder values in $wpdb->prepare, and thus did not properly address the possibility of plugins and themes enabling SQL injection attacks.
CVSS 9.8