Writeup Exploits

62,853 exploits tracked across all sources.

CVE-2017-20155 WRITEUP LOW
Sterc Google Analytics Dashboard for MODX <1.0.5 - XSS
A vulnerability was found in Sterc Google Analytics Dashboard for MODX up to 1.0.5. It has been declared as problematic. Affected by this vulnerability is an unknown functionality of the file core/components/analyticsdashboardwidget/elements/tpl/widget.analytics.tpl of the component Internal Search. The manipulation leads to cross-site scripting. The attack can be launched remotely. Upgrading to version 1.0.6 is able to address this issue. The identifier of the patch is 855d9560d3782c105568eedf9b22a769fbf29cc0. It is recommended to upgrade the affected component. The identifier VDB-217069 was assigned to this vulnerability.
CVSS 3.5
CVE-2017-20165 WRITEUP LOW
debug < 3.1.0 - Inefficient Regular Expression Complexity in useColors Function
A vulnerability classified as problematic has been found in debug-js debug up to 3.0.x. This affects the function useColors of the file src/node.js. The manipulation of the argument str leads to inefficient regular expression complexity. Upgrading to version 3.1.0 is able to address this issue. The identifier of the patch is c38a0166c266a679c8de012d4eaccec3f944e685. It is recommended to upgrade the affected component. The identifier VDB-217665 was assigned to this vulnerability.
CVSS 3.5
CVE-2017-2298 WRITEUP MEDIUM
mcollective-sshkey-security <0.5.1 - Path Traversal
The mcollective-sshkey-security plugin before 0.5.1 for Puppet uses a server-specified identifier as part of a path where a file is written. A compromised server could use this to write a file to an arbitrary location on the client with the filename appended with the string "_pub.pem".
CVSS 6.5
CVE-2017-2671 WRITEUP MEDIUM
Linux Kernel < 4.10.8 - Denial of Service via ICMP Socket Protocol Value
The ping_unhash function in net/ipv4/ping.c in the Linux kernel through 4.10.8 is too late in obtaining a certain lock and consequently cannot ensure that disconnect function calls are safe, which allows local users to cause a denial of service (panic) by leveraging access to the protocol value of IPPROTO_ICMP in a socket system call.
CVSS 5.5
CVE-2017-2809 WRITEUP HIGH
ansible-vault < 1.0.5 - Remote Code Execution via YAML Loading
An exploitable vulnerability exists in the YAML loading functionality of ansible-vault before 1.0.5. A specially crafted vault can execute arbitrary Python commands, resulting in command execution. An attacker can insert Python into the vault to trigger this vulnerability.
CVSS 7.5
CVE-2017-3197 WRITEUP CRITICAL
GIGABYTE BRIX UEFI - Info Disclosure
GIGABYTE BRIX UEFI firmware for the GB-BSi7H-6500 (version F6) and GB-BXi7-5775 (version F2) platforms does not securely implement BIOSWE, BLE, SMM_BWP, and PRx features. As a result, the BIOS is not protected from arbitrary write access and may permit modifications to the SPI flash.
CVSS 9.8
CVE-2017-3730 WRITEUP HIGH
OpenSSL 1.1.0 - Denial of Service via NULL Pointer Dereference in DHE/ECDHE Key Exchange
In OpenSSL 1.1.0 before 1.1.0d, if a malicious server supplies bad parameters for a DHE or ECDHE key exchange then this can result in the client attempting to dereference a NULL pointer leading to a client crash. This could be exploited in a Denial of Service attack.
CVSS 7.5
CVE-2017-4952 WRITEUP HIGH
VMware Xenon <1.5.4-1.5.7 - Auth Bypass
VMware Xenon 1.x, prior to 1.5.4-CR7_1, 1.5.7_7, 1.5.4-CR6_2, 1.3.7-CR1_2, 1.1.0-CR0-3, 1.1.0-CR3_1, 1.4.2-CR4_1, and 1.5.4_8, contains an authentication bypass vulnerability due to insufficient access controls for utility endpoints. Successful exploitation of this issue may result in information disclosure.
CVSS 7.5
CVE-2017-5223 WRITEUP MEDIUM
PHPMailer < 5.2.22 - Unauthenticated Sensitive Information Exposure via msgHTML Image Attachment Handling
An issue was discovered in PHPMailer before 5.2.22. PHPMailer's msgHTML method applies transformations to an HTML document to make it usable as an email message body. One of the transformations is to convert relative image URLs into attachments using a script-provided base directory. If no base directory is provided, it resolves to /, meaning that relative image URLs get treated as absolute local file paths and added as attachments. To form a remote vulnerability, the msgHTML method must be called, passed an unfiltered, user-supplied HTML document, and must not set a base directory.
CVSS 5.5
CVE-2017-5344 WRITEUP CRITICAL
dotcms < 3.6.1 - Unauthenticated SQL Injection via categoriesServlet q/inode Parameters
An issue was discovered in dotCMS through 3.6.1. The findChildrenByFilter() function which is called by the web accessible path /categoriesServlet performs string interpolation and direct SQL query execution. SQL quote escaping and a keyword blacklist were implemented in a new class, SQLUtil (main/java/com/dotmarketing/common/util/SQLUtil.java), as part of the remediation of CVE-2016-8902; however, these can be overcome in the case of the q and inode parameters to the /categoriesServlet path. Overcoming these controls permits a number of blind boolean SQL injection vectors in either parameter. The /categoriesServlet web path can be accessed remotely and without authentication in a default dotCMS deployment.
CVSS 9.8
CVE-2017-5473 WRITEUP HIGH
ntopng < 2.4 - Cross-Site Request Forgery via User Management Endpoints
Cross-site request forgery (CSRF) vulnerability in ntopng through 2.4 allows remote attackers to hijack the authentication of arbitrary users, as demonstrated by admin/add_user.lua, admin/change_user_prefs.lua, admin/delete_user.lua, and admin/password_reset.lua.
CVSS 8.8
CVE-2017-5487 WRITEUP MEDIUM
WordPress < 4.7.1 - Unauthorized User Information Exposure via REST API
wp-includes/rest-api/endpoints/class-wp-rest-users-controller.php in the REST API implementation in WordPress 4.7 before 4.7.1 does not properly restrict listings of post authors, which allows remote attackers to obtain sensitive information via a wp-json/wp/v2/users request.
CVSS 5.3
CVE-2017-5507 WRITEUP HIGH
ImageMagick - Memory Leak in MPC Coder
Memory leak in coders/mpc.c in ImageMagick before 6.9.7-4 and 7.x before 7.0.4-4 allows remote attackers to cause a denial of service (memory consumption) via vectors involving a pixel cache.
CVSS 7.5
CVE-2017-5508 WRITEUP MEDIUM
ImageMagick - Heap-based Buffer Overflow in PushQuantumPixel via Crafted TIFF File
Heap-based buffer overflow in the PushQuantumPixel function in ImageMagick before 6.9.7-3 and 7.x before 7.0.4-3 allows remote attackers to cause a denial of service (application crash) via a crafted TIFF file.
CVSS 5.5
CVE-2017-5509 WRITEUP HIGH
ImageMagick < 6.9.7-4 - Out-of-bounds Write via PSD File
coders/psd.c in ImageMagick allows remote attackers to have unspecified impact via a crafted PSD file, which triggers an out-of-bounds write.
CVSS 7.8
CVE-2017-5510 WRITEUP HIGH
ImageMagick < 6.9.7-4 - Out-of-bounds Write via Crafted PSD File
coders/psd.c in ImageMagick allows remote attackers to have unspecified impact via a crafted PSD file, which triggers an out-of-bounds write.
CVSS 7.8
CVE-2017-5511 WRITEUP CRITICAL
ImageMagick < 6.9.7-3 - Heap-Based Buffer Overflow in PSD Coder
coders/psd.c in ImageMagick allows remote attackers to have unspecified impact by leveraging an improper cast, which triggers a heap-based buffer overflow.
CVSS 9.8
CVE-2017-5537 WRITEUP MEDIUM
Weblate < 2.10.1 - User Enumeration via Password Reset Error Messages
The password reset form in Weblate before 2.10.1 provides different error messages depending on whether the email address is associated with an account, which allows remote attackers to enumerate user accounts via a series of requests.
CVSS 5.3
CVE-2017-5594 WRITEUP HIGH
Pagekit < 1.0.11 - Unauthenticated Password Reset via Debug Toolbar
An issue was discovered in Pagekit CMS before 1.0.11. In this vulnerability a remote attacker is able to reset a registered user's password when the debug toolbar is enabled. The password is successfully recovered using this exploit. The SecureLayer7 ID is SL7_PGKT_01.
CVSS 7.5
CVE-2017-5669 WRITEUP HIGH
Linux kernel <4.9.12 - Local Privilege Escalation
The do_shmat function in ipc/shm.c in the Linux kernel through 4.9.12 does not restrict the address calculated by a certain rounding operation, which allows local users to map page zero, and consequently bypass a protection mechanism that exists for the mmap system call, by making crafted shmget and shmat system calls in a privileged context.
CVSS 7.8
CVE-2017-5850 WRITEUP HIGH
OpenBSD httpd - Denial of Service via HTTP Range Header
httpd in OpenBSD allows remote attackers to cause a denial of service (memory consumption) via a series of requests for a large file using an HTTP Range header.
CVSS 7.5
CVE-2017-5930 WRITEUP LOW
Opensuse Leap < 3.0.2 - Missing Authorization
The AliasHandler component in PostfixAdmin before 3.0.2 allows remote authenticated domain admins to delete protected aliases via the delete parameter to delete.php, involving a missing permission check.
CVSS 2.7
CVE-2017-5940 WRITEUP HIGH
Firejail 0.9.38-0.9.38.9 LTS and 0.9.40-0.9.44.5 - Sandbox Escape via Symlink and --private Option
Firejail before 0.9.44.6 and 0.9.38.x LTS before 0.9.38.10 LTS does not comprehensively address dotfile cases during its attempt to prevent accessing user files with an euid of zero, which allows local users to conduct sandbox-escape attacks via vectors involving a symlink and the --private option. NOTE: this vulnerability exists because of an incomplete fix for CVE-2017-5180.
CVSS 8.8
CVE-2017-6074 WRITEUP HIGH
Linux Kernel < 3.2.86 - Double Free in DCCP Packet Processing
The dccp_rcv_state_process function in net/dccp/input.c in the Linux kernel through 4.9.11 mishandles DCCP_PKT_REQUEST packet data structures in the LISTEN state, which allows local users to obtain root privileges or cause a denial of service (double free) via an application that makes an IPV6_RECVPKTINFO setsockopt system call.
CVSS 7.8