Writeup Exploits

62,853 exploits tracked across all sources.

CVE-2017-16792 WRITEUP MEDIUM
geminabox < 0.13.10 - Stored Cross-Site Scripting via Gemspec Homepage Value
Stored cross-site scripting (XSS) vulnerability in "geminabox" (Gem in a Box) before 0.13.10 allows attackers to inject arbitrary web script via the "homepage" value of a ".gemspec" file, related to views/gem.erb and views/index.erb.
CVSS 6.1
CVE-2017-16806 WRITEUP HIGH
Ulterius Server < 1.9.5.0 - Directory Traversal
The Process function in RemoteTaskServer/WebServer/HttpServer.cs in Ulterius before 1.9.5.0 allows HTTP server directory traversal.
CVSS 7.5
CVE-2017-16876 WRITEUP MEDIUM
mistune < 0.8.1 - Cross-Site Scripting via _keyify Function
Cross-site scripting (XSS) vulnerability in the _keyify function in mistune.py in Mistune before 0.8.1 allows remote attackers to inject arbitrary web script or HTML by leveraging failure to escape the "key" argument.
CVSS 6.1
CVE-2017-16939 WRITEUP HIGH
Linux Kernel <4.13.11 - Privilege Escalation/DoS via XFRM Policy Dump Use-After-Free
The XFRM dump policy implementation in net/xfrm/xfrm_user.c in the Linux kernel before 4.13.11 allows local users to gain privileges or cause a denial of service (use-after-free) via a crafted SO_RCVBUF setsockopt system call in conjunction with XFRM_MSG_GETPOLICY Netlink messages.
CVSS 7.8
CVE-2017-16943 WRITEUP CRITICAL
Exim 4.88-4.89 - Remote Code Execution via BDAT Command Use-After-Free
The receive_msg function in receive.c in the SMTP daemon in Exim 4.88 and 4.89 allows remote attackers to execute arbitrary code or cause a denial of service (use-after-free) via vectors involving BDAT commands.
CVSS 9.8
CVE-2017-16994 WRITEUP MEDIUM
Linux Kernel <4.14.2 - Info Disclosure via mincore() on hugetlb Holes
The walk_hugetlb_range function in mm/pagewalk.c in the Linux kernel before 4.14.2 mishandles holes in hugetlb ranges, which allows local users to obtain sensitive information from uninitialized kernel memory via crafted use of the mincore() system call.
CVSS 5.5
CVE-2017-16995 WRITEUP HIGH
Linux Kernel - BPF Verifier check_alu_op Sign Extension Local Privilege Escalation
The check_alu_op function in kernel/bpf/verifier.c in the Linux kernel through 4.4 allows local users to cause a denial of service (memory corruption) or possibly have unspecified other impact by leveraging incorrect sign extension.
CVSS 7.8
CVE-2017-17097 WRITEUP CRITICAL
GPS Tracking Software 2.x - Authentication Bypass via Predictable Password Reset
gps-server.net GPS Tracking Software (self hosted) 2.x has a password reset procedure that immediately resets passwords upon an unauthenticated request, and then sends e-mail with a predictable (date-based) password to the admin, which makes it easier for remote attackers to obtain access by predicting this new password. This is related to the use of gmdate for password creation in fn_connect.php.
CVSS 9.8
CVE-2017-17098 WRITEUP CRITICAL
GPS Tracking Software <= 3.0 - PHP Code Injection via writeLog
The writeLog function in fn_common.php in gps-server.net GPS Tracking Software (self hosted) through 3.0 allows remote attackers to inject arbitrary PHP code via a crafted request that is mishandled during admin log viewing, as demonstrated by <?php system($_GET[cmd]); ?> in a login request.
CVSS 9.8
CVE-2017-17476 WRITEUP HIGH
OTRS 4.0.x < 4.0.28, 5.0.x < 5.0.26, 6.0.x < 6.0.3 - Session Hijacking via Crafted Email
Open Ticket Request System (OTRS) 4.0.x before 4.0.28, 5.0.x before 5.0.26, and 6.0.x before 6.0.3, when cookie support is disabled, might allow remote attackers to hijack web sessions and consequently gain privileges via a crafted email.
CVSS 8.8
CVE-2017-17485 WRITEUP CRITICAL
jackson-databind <= 2.8.10, 2.9.0-2.9.3 - Unauthenticated Remote Code Execution via Malicious JSON Input
FasterXML jackson-databind through 2.8.10 and 2.9.x through 2.9.3 allows unauthenticated remote code execution because of an incomplete fix for the CVE-2017-7525 deserialization flaw. This is exploitable by sending maliciously crafted JSON input to the readValue method of the ObjectMapper, bypassing a blacklist that is ineffective if the Spring libraries are available in the classpath.
CVSS 9.8
CVE-2017-17499 WRITEUP CRITICAL
ImageMagick < 6.9.9-24, 7.x < 7.0.7-12 - Use-After-Free in Magick::Image::read
ImageMagick before 6.9.9-24 and 7.x before 7.0.7-12 has a use-after-free in Magick::Image::read in Magick++/lib/Image.cpp.
CVSS 9.8
CVE-2017-17562 WRITEUP HIGH
Embedthis GoAhead <3.6.5 - Remote Code Execution
Embedthis GoAhead before 3.6.5 allows remote code execution if CGI is enabled and a CGI program is dynamically linked. This is a result of initializing the environment of forked CGI scripts using untrusted HTTP request parameters in the cgiHandler function in cgi.c. When combined with the glibc dynamic linker, this behaviour can be abused for remote code execution using special parameter names such as LD_PRELOAD. An attacker can POST their shared object payload in the body of the request, and reference it using /proc/self/fd/0.
CVSS 8.1
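The GoAhead entry above describes the mechanism exactly: request parameter names become environment variable names of the forked CGI child, so a parameter called LD_PRELOAD reaches the dynamic linker. The example below is added here and is not GoAhead's code; the function names (build_env_vulnerable, build_env_hardened, env_has) and the "CGI_" prefix are assumptions chosen for illustration. It builds the child's envp two ways from a constructed request and shows that a fixed prefix plus a name allowlist means no request-controlled name can ever spell LD_PRELOAD.

```c
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MAX_ENV 32

/* One decoded HTTP request parameter (name=value). */
struct param { const char *name; const char *value; };

/* Vulnerable pattern: every request parameter name is copied verbatim into
 * the child's environment, so the request author chooses variable names. */
int build_env_vulnerable(const struct param *p, int n, char *envp[], int cap) {
    int i;
    for (i = 0; i < n && i < cap - 1; i++) {
        size_t len = strlen(p[i].name) + strlen(p[i].value) + 2; /* '=' + NUL */
        envp[i] = malloc(len);
        if (envp[i] == NULL) return -1;            /* envp[i] already NULL-terminates */
        snprintf(envp[i], len, "%s=%s", p[i].name, p[i].value);
    }
    envp[i] = NULL;
    return i;
}

/* Accept only [A-Za-z_][A-Za-z0-9_]* so a name cannot smuggle '=' or junk. */
static int name_is_plain(const char *s) {
    if (*s == '\0' || isdigit((unsigned char)*s)) return 0;
    for (; *s; s++)
        if (!isalnum((unsigned char)*s) && *s != '_') return 0;
    return 1;
}

/* Hardened pattern (assumed, not GoAhead's fix): validate the name and put every
 * request-derived variable under a fixed prefix. LD_PRELOAD then arrives as
 * CGI_LD_PRELOAD, which the dynamic linker ignores. */
int build_env_hardened(const struct param *p, int n, char *envp[], int cap) {
    int i, out = 0;
    for (i = 0; i < n && out < cap - 1; i++) {
        if (!name_is_plain(p[i].name)) continue;   /* drop, do not "fix" */
        size_t len = sizeof("CGI_") + strlen(p[i].name) + strlen(p[i].value) + 1;
        envp[out] = malloc(len);
        if (envp[out] == NULL) return -1;
        snprintf(envp[out], len, "CGI_%s=%s", p[i].name, p[i].value);
        out++;
    }
    envp[out] = NULL;
    return out;
}

/* True if envp carries a variable with exactly this name. */
int env_has(char *const envp[], const char *name) {
    size_t nl = strlen(name);
    for (int i = 0; envp[i] != NULL; i++)
        if (strncmp(envp[i], name, nl) == 0 && envp[i][nl] == '=') return 1;
    return 0;
}

void free_env(char *envp[]) {
    for (int i = 0; envp[i] != NULL; i++) free(envp[i]);
}

int main(void) {
    /* Constructed request: ?LD_PRELOAD=/proc/self/fd/0&user=bob&a%20b=x */
    struct param req[] = { {"LD_PRELOAD", "/proc/self/fd/0"}, {"user", "bob"}, {"a b", "x"} };
    char *env[MAX_ENV];

    build_env_vulnerable(req, 3, env, MAX_ENV);
    printf("vulnerable: LD_PRELOAD in child env = %d\n", env_has(env, "LD_PRELOAD"));
    free_env(env);

    build_env_hardened(req, 3, env, MAX_ENV);
    printf("hardened:   LD_PRELOAD = %d, CGI_LD_PRELOAD = %d, CGI_user = %d\n",
           env_has(env, "LD_PRELOAD"), env_has(env, "CGI_LD_PRELOAD"), env_has(env, "CGI_user"));
    free_env(env);
    return 0;
}
```

Prefixing is what makes the defence complete: a denylist of LD_* names would still leave every other linker- or libc-honoured variable reachable, whereas a prefix guarantees the request never names a variable the child's runtime reads.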
CVE-2017-17848 WRITEUP HIGH
Enigmail < 1.9.9 - Cryptographic Signature Spoofing via Multipart/Related Message Handling
An issue was discovered in Enigmail before 1.9.9. In a variant of CVE-2017-17847, signature spoofing is possible for multipart/related messages because a signed message part can be referenced with a cid: URI but not actually displayed. In other words, the entire containing message appears to be signed, but the recipient does not see any of the signed text.
CVSS 7.5
CVE-2017-17898 WRITEUP HIGH
Dolibarr ERP/CRM 6.0.4 - Exposure of Sensitive Information via Direct TPL.PHP File Access
Dolibarr ERP/CRM version 6.0.4 does not block direct requests to *.tpl.php files, which allows remote attackers to obtain sensitive information.
CVSS 7.5
CVE-2017-18016 WRITEUP MEDIUM
Parity Browser <= 1.6.10 - Origin Validation Error via Web Proxy Engine
Parity Browser 1.6.10 and earlier allows remote attackers to bypass the Same Origin Policy and obtain sensitive information by requesting other websites via the Parity web proxy engine (reusing the current website's token, which is not bound to an origin).
CVSS 5.3
CVE-2017-18026 WRITEUP HIGH
Redmine <3.2.9, 3.3.x <3.3.6, 3.4.x <3.4.4 - RCE
Redmine before 3.2.9, 3.3.x before 3.3.6, and 3.4.x before 3.4.4 does not block the --config and --debugger flags to the Mercurial hg program, which allows remote attackers to execute arbitrary commands (through the Mercurial adapter) via vectors involving a branch whose name begins with a --config= or --debugger= substring, a related issue to CVE-2017-17536.
CVSS 8.8
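The Redmine entry is a case of argument injection: repository data (a branch name) is spliced into the hg command line, and a value that begins with --config= or --debugger= is picked up as a global option. The example below is added here and is not Redmine's or Mercurial's code. count_global_overrides is a toy scanner constructed to mirror the behaviour the entry describes (an option honoured wherever it appears on the command line), not hg's real parser, and the builder names and the `hg log -r` shape are assumptions.

```c
#include <stdio.h>
#include <string.h>

/* Toy model of an option scanner that honours --config= / --debugger
 * anywhere on the command line (constructed for this example). */
int count_global_overrides(const char *const argv[]) {
    int n = 0;
    for (int i = 1; argv[i] != NULL; i++) {
        if (strncmp(argv[i], "--config=", 9) == 0 ||
            strncmp(argv[i], "--debugger", 10) == 0)
            n++;
    }
    return n;
}

/* Vulnerable: the repository-derived branch name goes straight into argv. */
int build_hg_argv_vulnerable(const char *branch, const char *argv[], int cap) {
    if (cap < 5) return -1;
    argv[0] = "hg";
    argv[1] = "log";
    argv[2] = "-r";
    argv[3] = branch;
    argv[4] = NULL;
    return 4;
}

/* Hardened: refuse any data-derived value that could be read as an option.
 * Blocking only --config/--debugger is the minimum the entry implies; rejecting
 * every value with a leading '-' closes the whole class. */
int hg_value_is_safe(const char *v) {
    return v != NULL && v[0] != '\0' && v[0] != '-';
}

int build_hg_argv_hardened(const char *branch, const char *argv[], int cap) {
    if (!hg_value_is_safe(branch)) return -1;
    return build_hg_argv_vulnerable(branch, argv, cap);
}

int main(void) {
    const char *argv[8];
    const char *evil = "--config=ui.verbose=true";   /* constructed branch name */

    build_hg_argv_vulnerable(evil, argv, 8);
    printf("vulnerable: %d global override(s) picked up from the branch name\n",
           count_global_overrides(argv));
    printf("hardened:   build returns %d for '%s'\n",
           build_hg_argv_hardened(evil, argv, 8), evil);
    printf("hardened:   build returns %d for 'main'\n",
           build_hg_argv_hardened("main", argv, 8));
    return 0;
}
```

Where the external tool accepts an end-of-options marker, placing data-derived values after `--` is the other half of the fix; the leading-dash rejection above is the part that works regardless of how the tool parses.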
CVE-2017-18174 WRITEUP CRITICAL
Linux Kernel < 4.7 - Double Free in amd_gpio_remove
In the Linux kernel before 4.7, the amd_gpio_remove function in drivers/pinctrl/pinctrl-amd.c calls the pinctrl_unregister function, leading to a double free.
CVSS 9.8
CVE-2017-18187 WRITEUP CRITICAL
ARM mbed TLS < 2.7.0 - Integer Overflow in PSK Identity Parsing
In ARM mbed TLS before 2.7.0, there is a bounds-check bypass through an integer overflow in PSK identity parsing in the ssl_parse_client_psk_identity() function in library/ssl_srv.c.
CVSS 9.8
CVE-2017-18195 WRITEUP MEDIUM
Concrete CMS < 8.3.0 - Unauthenticated Comment Enumeration via cnvID Parameter
An issue was discovered in tools/conversations/view_ajax.php in Concrete5 before 8.3.0. An unauthenticated user can enumerate comments from all blog posts by POSTing requests to /index.php/tools/required/conversations/view_ajax with incremental 'cnvID' integers.
CVSS 5.3
CVE-2017-18344 WRITEUP MEDIUM
Linux Kernel < 4.14.8 - Out-of-bounds Read via timer_create sigev_notify Field
The timer_create syscall implementation in kernel/time/posix-timers.c in the Linux kernel before 4.14.8 doesn't properly validate the sigevent->sigev_notify field, which leads to out-of-bounds access in the show_timer function (called when /proc/$PID/timers is read). This allows userspace applications to read arbitrary kernel memory (on a kernel built with CONFIG_POSIX_TIMERS and CONFIG_CHECKPOINT_RESTORE).
CVSS 5.5
CVE-2017-18635 WRITEUP MEDIUM
noVNC < 0.6.2 - Cross-Site Scripting via VNC Server Status Field
An XSS vulnerability was discovered in noVNC before 0.6.2 in which the remote VNC server could inject arbitrary HTML into the noVNC web page via the messages propagated to the status field, such as the VNC server name.
CVSS 6.1
CVE-2017-20005 WRITEUP CRITICAL
NGINX < 1.13.6 - Buffer Overflow in Autoindex Module via Years Exceeding Four Digits
NGINX before 1.13.6 has a buffer overflow for years that exceed four digits, as demonstrated by a file with a modification date in 1969 that causes an integer overflow (or a false modification date far in the future), when encountered by the autoindex module.
CVSS 9.8
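The NGINX entry combines two mistakes: an unsigned epoch-to-date conversion that turns a pre-1970 mtime into a year far in the future, and a listing buffer sized on the assumption that a year is four digits. The example below is added here and is not nginx's code; naive_year is a constructed model of the first mistake (not ngx_gmtime), the 17-byte DATE_COL column is an assumption, and format_date_safe shows the bounded, refusing alternative.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <time.h>

/* Column width a directory listing might reserve: "dd-Mon-yyyy hh:mm". */
#define DATE_COL 17

static const char *const months[] = {"Jan","Feb","Mar","Apr","May","Jun",
                                     "Jul","Aug","Sep","Oct","Nov","Dec"};

/* Naive conversion in unsigned arithmetic (constructed for the example): an
 * mtime of -1 wraps to a huge day count and yields a twelve-digit year. */
int64_t naive_year(time_t mtime) {
    uint64_t days = (uint64_t)mtime / 86400;
    return 1970 + (int64_t)(days / 365);
}

/* Correct conversion via the C library: -1 is 1969-12-31 23:59:59. */
int64_t proper_year(time_t mtime) {
    struct tm *tm = gmtime(&mtime);
    if (tm == NULL) return -1;
    return (int64_t)tm->tm_year + 1900;
}

/* Bytes a listing entry really needs for a given year. A fixed DATE_COL
 * allocation with no check is the overflow the entry describes. */
int date_bytes_needed(int64_t year) {
    return snprintf(NULL, 0, "%02d-%s-%lld %02d:%02d",
                    31, months[11], (long long)year, 23, 59);
}

/* Hardened: bounded write, and refuse (return -1) any date that does not fit
 * the four-digit column instead of overflowing or silently truncating. */
int format_date_safe(char *out, size_t cap, const struct tm *tm) {
    int64_t year = (int64_t)tm->tm_year + 1900;
    if (year < 0 || year > 9999) return -1;
    if (tm->tm_mon < 0 || tm->tm_mon > 11) return -1;
    int n = snprintf(out, cap, "%02d-%s-%04lld %02d:%02d",
                     tm->tm_mday, months[tm->tm_mon], (long long)year,
                     tm->tm_hour, tm->tm_min);
    if (n < 0 || (size_t)n >= cap) return -1;   /* would not fit: refuse */
    return n;
}

int main(void) {
    struct tm tm = {0};
    char buf[32];

    printf("mtime -1: naive year %lld, proper year %lld\n",
           (long long)naive_year(-1), (long long)proper_year(-1));
    printf("bytes needed for the naive year: %d (column is %d)\n",
           date_bytes_needed(naive_year(-1)), DATE_COL);

    tm.tm_year = 1969 - 1900; tm.tm_mon = 11; tm.tm_mday = 31;
    tm.tm_hour = 23; tm.tm_min = 59;
    if (format_date_safe(buf, sizeof buf, &tm) > 0)
        printf("safe format: %s\n", buf);
    tm.tm_year = 10000 - 1900;
    printf("safe format, year 10000: %d\n", format_date_safe(buf, sizeof buf, &tm));
    return 0;
}
```

The general rule the example illustrates: size output from the actual formatted length (snprintf with a NULL buffer, or a bounded write whose return value is checked), never from the number of digits a field "normally" has.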