Inthewild Exploits

514 exploits tracked across all sources.

Sort: Activity Stars
CVE-2018-9276 INTHEWILD HIGH
PRTG Network Monitor < 18.2.39 - Authenticated OS Command Injection via Sensor or Notification Parameters
An issue was discovered in PRTG Network Monitor before 18.2.39. An attacker who has access to the PRTG System Administrator web console with administrative privileges can exploit an OS command injection vulnerability (both on the server and on devices) by sending malformed parameters in sensor or notification management scenarios.
CVSS 7.2
CVE-2018-4121 INTHEWILD HIGH
Safari < 11.1 - Remote Code Execution via WebKit Memory Corruption
An issue was discovered in certain Apple products. iOS before 11.3 is affected. Safari before 11.1 is affected. iCloud before 7.4 on Windows is affected. iTunes before 12.7.4 on Windows is affected. tvOS before 11.3 is affected. watchOS before 4.3 is affected. The issue involves the "WebKit" component. It allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via a crafted web site.
CVSS 8.8
CVE-2018-19422 INTHEWILD HIGH
Subrion CMS < 4.2.2 - Remote Code Execution via .pht or .phar File Upload
/panel/uploads in Subrion CMS 4.2.1 allows remote attackers to execute arbitrary PHP code via a .pht or .phar file, because the .htaccess file omits these.
CVSS 7.2
CVE-2018-18925 INTHEWILD CRITICAL
Gogs < 0.11.66 - Remote Code Execution via Session File Forgery
Gogs 0.11.66 allows remote code execution because it does not properly validate session IDs, as demonstrated by a ".." session-file forgery in the file session provider in file.go. This is related to session ID handling in the go-macaron/session code for Macaron.
CVSS 9.8
CVE-2018-17431 INTHEWILD CRITICAL
Comodo Unified Threat Management Firewall < 2.7.0 - Unauthenticated Remote Code Execution
Web Console in Comodo UTM Firewall before 2.7.0 allows remote attackers to execute arbitrary code without authentication via a crafted URL.
CVSS 9.8
CVE-2018-15685 INTHEWILD HIGH
Electron 1.7.15, 1.8.7, 2.0.7, 3.0.0-beta.6 - Remote Code Execution via WebPreferences Misconfiguration
GitHub Electron 1.7.15, 1.8.7, 2.0.7, and 3.0.0-beta.6, in certain scenarios involving IFRAME elements and "nativeWindowOpen: true" or "sandbox: true" options, is affected by a WebPreferences vulnerability that can be leveraged to perform remote code execution.
CVSS 8.1
CVE-2018-12533 INTHEWILD CRITICAL
JBoss RichFaces 3.1.0-3.3.4 - Unauthenticated Expression Language Injection via Paint2DResource ImageData Path
JBoss RichFaces 3.1.0 through 3.3.4 allows unauthenticated remote attackers to inject expression language (EL) expressions and execute arbitrary Java code via a /DATA/ substring in a path with an org.richfaces.renderkit.html.Paint2DResource$ImageData object, aka RF-14310.
CVSS 9.8
CVE-2018-10583 INTHEWILD HIGH
LibreOffice 6.0.3 - Apache OpenOffice Writer 4.1.5 - Info Disclosure
An information disclosure vulnerability occurs when LibreOffice 6.0.3 and Apache OpenOffice Writer 4.1.5 automatically process and initiate an SMB connection embedded in a malicious file, as demonstrated by xlink:href=file://192.168.0.2/test.jpg within an office:document-content element in a .odt XML document.
CVSS 7.5
CVE-2017-15277 INTHEWILD MEDIUM
GraphicsMagick 1.3.26 - Exposure of Sensitive Information via Uninitialized GIF Palette
ReadGIFImage in coders/gif.c in ImageMagick 7.0.6-1 and GraphicsMagick 1.3.26 leaves the palette uninitialized when processing a GIF file that has neither a global nor local palette. If the affected product is used as a library loaded into a process that operates on interesting data, this data sometimes can be leaked via the uninitialized palette.
CVSS 6.5
CVE-2017-15277 INTHEWILD MEDIUM
GraphicsMagick 1.3.26 - Exposure of Sensitive Information via Uninitialized GIF Palette
ReadGIFImage in coders/gif.c in ImageMagick 7.0.6-1 and GraphicsMagick 1.3.26 leaves the palette uninitialized when processing a GIF file that has neither a global nor local palette. If the affected product is used as a library loaded into a process that operates on interesting data, this data sometimes can be leaked via the uninitialized palette.
CVSS 6.5
CVE-2017-12636 INTHEWILD HIGH
Apache CouchDB < 1.7.0 and 2.x < 2.1.1 - Authenticated OS Command Injection via Configuration Options
CouchDB administrative users can configure the database server via HTTP(S). Some of the configuration options include paths for operating system-level binaries that are subsequently launched by CouchDB. This allows an admin user in Apache CouchDB before 1.7.0 and 2.x before 2.1.1 to execute arbitrary shell commands as the CouchDB user, including downloading and executing scripts from the public internet.
CVSS 7.2
CVE-2016-8776 INTHEWILD MEDIUM
Huawei P9 and P9 Lite - Factory Reset Protection Bypass
Huawei P9 phones with software EVA-AL10C00,EVA-CL10C00,EVA-DL10C00,EVA-TL10C00 and P9 Lite phones with software VNS-L21C185 allow attackers to bypass the factory reset protection (FRP) to enter some functional modules without authorization and perform operations to update the Google account.
CVSS 4.6
CVE-2016-10956 INTHEWILD HIGH
mail-masta 1.0 - Local File Inclusion in count_of_send.php and csvexport.php
The mail-masta plugin 1.0 for WordPress has local file inclusion in count_of_send.php and csvexport.php.
CVSS 7.5
CVE-2003-0358 INTHEWILD
nethack <3.4.0 & falconseye <1.9.3 - Buffer Overflow
Buffer overflow in (1) nethack 3.4.0 and earlier, and (2) falconseye 1.9.3 and earlier, which is based on nethack, allows local users to gain privileges via a long -s command line option.
By Source
All 514 Writeup 61,945 Exploitdb 50,073 Nomisec 22,305 Github 3,486 Metasploit 3,294 Vulncheck_xdb 926 Inthewild 514 Gitlab 470 Gitee 415 Patchapalooza 312
By Language
text 31,383 python 6,500 ruby 5,984 c 3,619 perl 2,849 html 2,071 php 1,331 bash 462 java 370 c++ 255 javascript 228 shell 127 go 72 postscript 25 typescript 25