Writeup Exploits

62,897 exploits tracked across all sources.

CVE-2019-16531 WRITEUP HIGH
LayerBB < 1.1.4 - Cross-Site Request Forgery via Admin General Settings
LayerBB before 1.1.4 has multiple CSRF issues, as demonstrated by changing the System Settings via admin/general.php.
CVSS 8.8
CVE-2018-17997 WRITEUP MEDIUM
LayerBB 1.1.1 - Stored Cross-Site Scripting via Conversation Title
LayerBB 1.1.1 allows XSS via the titles of conversations (PMs).
CVSS 6.1
CVE-2018-17996 WRITEUP MEDIUM
LayerBB < 1.1.3 - Cross-Site Request Forgery via Admin and Moderator Endpoints
LayerBB before 1.1.3 allows CSRF for adding a user via admin/new_user.php, deleting a user via admin/members.php/delete_user/, and deleting content via mod/delete.php/.
CVSS 6.5
CVE-2018-17988 WRITEUP CRITICAL
LayerBB 1.1.1 and 1.1.3 - SQL Injection via search.php search_query Parameter
LayerBB 1.1.1 and 1.1.3 has SQL Injection via the search.php search_query parameter.
CVSS 9.8
CVE-2018-18021 WRITEUP HIGH
Linux Kernel < 4.18.12 - Unauthenticated Denial of Service and Control Flow Hijack via KVM_SET_ON_REG ioctl
arch/arm64/kvm/guest.c in KVM in the Linux kernel before 4.18.12 on the arm64 platform mishandles the KVM_SET_ON_REG ioctl. This is exploitable by attackers who can create virtual machines. An attacker can arbitrarily redirect the hypervisor flow of control (with full register control). An attacker can also cause a denial of service (hypervisor panic) via an illegal exception return. This occurs because of insufficient restrictions on userspace access to the core register file, and because PSTATE.M validation does not prevent unintended execution modes.
CVSS 7.1
CVE-2018-18307 WRITEUP MEDIUM
AlchemyCMS 4.1.0 - Stored Cross-Site Scripting via Admin Pictures Image Field
A Stored XSS vulnerability has been discovered in version 4.1.0 of AlchemyCMS via the /admin/pictures image field. NOTE: the vendor's position is that this is not a valid report: "The researcher used an authorized cookie to perform the request to a password-protected route. Without that session cookie, the request would have been rejected as unauthorized."
CVSS 6.1
CVE-2018-18308 WRITEUP MEDIUM
BigTree CMS 4.2.23 - Stored Cross-Site Scripting in Image Upload Area
In the 4.2.23 version of BigTree, a Stored XSS vulnerability has been discovered in /admin/ajax/file-browser/upload/ (aka the image upload area).
CVSS 6.1
CVE-2018-18380 WRITEUP MEDIUM
BigTree CMS < 4.2.24 - Session Fixation via admin.php
A Session Fixation issue was discovered in Bigtree before 4.2.24. admin.php accepts a user-provided PHP session ID instead of regenerating a new one after a user has logged in to the application. The Session Fixation could allow an attacker to hijack an admin session.
CVSS 5.4
CVE-2018-18435 WRITEUP HIGH
kioware_server < 4.9.6 - Unauthenticated Privilege Escalation via Weak Directory Permissions
KioWare Server version 4.9.6 and older installs by default to "C:\kioware_com" with weak folder permissions granting any user full permission ("Everyone: (F)") to the contents of the directory and its sub-folders. In addition, the program installs a service called "KWSService" which runs as "Localsystem"; this allows any user to escalate privileges to "NT AUTHORITY\SYSTEM" by substituting the service's binary with a malicious one.
CVSS 7.8
CVE-2018-18509 WRITEUP MEDIUM
Thunderbird < 60.5.1 - Improper Verification of Cryptographic Signature
A flaw during verification of certain S/MIME signatures causes emails to be shown in Thunderbird as having a valid digital signature, even if the shown message contents aren't covered by the signature. The flaw allows an attacker to reuse a valid S/MIME signature to craft an email message with arbitrary content. This vulnerability affects Thunderbird < 60.5.1.
CVSS 5.3
CVE-2018-18557 WRITEUP HIGH
LibTIFF 3.9.3-4.0.9 - Out-of-bounds Write in JBIG Decoder
LibTIFF 3.9.3, 3.9.4, 3.9.5, 3.9.6, 3.9.7, 4.0.0alpha4, 4.0.0alpha5, 4.0.0alpha6, 4.0.0beta7, 4.0.0, 4.0.1, 4.0.2, 4.0.3, 4.0.4, 4.0.4beta, 4.0.5, 4.0.6, 4.0.7, 4.0.8 and 4.0.9 (with JBIG enabled) decodes arbitrarily-sized JBIG into a buffer, ignoring the buffer size, which leads to a tif_jbig.c JBIGDecode out-of-bounds write.
CVSS 8.8
CVE-2018-18748 WRITEUP CRITICAL
Sandboxie 5.26 - Sandbox Escape via Python File Import
Sandboxie 5.26 allows a Sandbox Escape via an "import os" statement, followed by os.system("cmd") or os.system("powershell"), within a .py file. NOTE: the vendor disputes this issue because the observed behavior is consistent with the product's intended functionality.
CVSS 10.0
CVE-2018-18751 WRITEUP CRITICAL
GNU gettext 0.19.8 - Use-After-Free in po_gram_parse
An issue was discovered in GNU gettext 0.19.8. There is a double free in default_add_message in read-catalog.c, related to an invalid free in po_gram_parse in po-gram-gen.y, as demonstrated by lt-msgfmt.
CVSS 9.8
CVE-2018-18764 WRITEUP CRITICAL
Cesanta Mongoose 6.13 - Heap-Based Buffer Over-Read in MQTT Packet Parsing
An exploitable arbitrary memory read vulnerability exists in the MQTT packet-parsing functionality of Cesanta Mongoose 6.13. It is a heap-based buffer over-read in a parse_mqtt getu16 call. A specially crafted MQTT SUBSCRIBE packet can cause an arbitrary out-of-bounds memory read potentially resulting in information disclosure and denial of service. An attacker needs to send a specially crafted MQTT packet over the network to trigger this vulnerability.
CVSS 9.1
CVE-2018-18836 WRITEUP MEDIUM
Netdata 1.10.0 - JSON Injection via tqx Parameter
An issue was discovered in Netdata 1.10.0. JSON injection exists via the api/v1/data tqx parameter because of web_client_api_request_v1_data in web/api/web_api_v1.c.
CVSS 6.5
CVE-2018-18837 WRITEUP MEDIUM
Netdata 1.10.0 - HTTP Header Injection
An issue was discovered in Netdata 1.10.0. HTTP Header Injection exists via the api/v1/data filename parameter because of web_client_api_request_v1_data in web/api/web_api_v1.c.
CVSS 6.1
CVE-2018-18893 WRITEUP MEDIUM
Jinjava < 2.4.6 - Remote Code Execution via getClass Method
Jinjava before 2.4.6 does not block the getClass method, related to com/hubspot/jinjava/el/ext/JinjavaBeanELResolver.java.
CVSS 5.3
CVE-2018-18955 WRITEUP HIGH
Linux Nested User Namespace idmap Limit Local Privilege Escalation
In the Linux kernel 4.15.x through 4.19.x before 4.19.2, map_write() in kernel/user_namespace.c allows privilege escalation because it mishandles nested user namespaces with more than 5 UID or GID ranges. A user who has CAP_SYS_ADMIN in an affected user namespace can bypass access controls on resources outside the namespace, as demonstrated by reading /etc/shadow. This occurs because an ID transformation takes place properly for the namespaced-to-kernel direction but not for the kernel-to-namespaced direction.
CVSS 7.0
CVE-2018-19045 WRITEUP HIGH
keepalived 2.0.8 - Exposure of Sensitive Information via Temporary File Permissions
keepalived 2.0.8 used mode 0666 when creating new temporary files upon a call to PrintData or PrintStats, potentially leaking sensitive information.
CVSS 7.5
CVE-2018-19048 WRITEUP MEDIUM
Simditor < 2.3.21 - DOM Cross-Site Scripting via Malformed SVG Element
Simditor through 2.3.21 allows DOM XSS via an onload attribute within a malformed SVG element.
CVSS 6.1
CVE-2018-19113 WRITEUP HIGH
Pronestor Health Monitoring < 8.1.12.0 - Privilege Escalation via Trojan Horse Executable
The Pronestor PNHM (aka Health Monitoring or HealthMonitor) add-in before 8.1.13.0 for Outlook has "BUILTIN\Users:(I)(F)" permissions for the "%PROGRAMFILES(X86)%\proNestor\Outlook add-in for Pronestor\PronestorHealthMonitor.exe" file, which allows local users to gain privileges via a Trojan horse PronestorHealthMonitor.exe file.
CVSS 7.3
CVE-2018-19198 WRITEUP CRITICAL
uriparser < 0.9.0 - Out-of-bounds Write via Query Composition Function
An issue was discovered in uriparser before 0.9.0. UriQuery.c allows an out-of-bounds write via a uriComposeQuery* or uriComposeQueryEx* function because the '&' character is mishandled in certain contexts.
CVSS 9.8