Writeup Exploits
62,897 exploits tracked across all sources.
LayerBB < 1.1.4 - Cross-Site Request Forgery via Admin General Settings
LayerBB before 1.1.4 has multiple CSRF issues, as demonstrated by changing the System Settings via admin/general.php.
CVSS 8.8
LayerBB 1.1.1 - Stored Cross-Site Scripting via Conversation Title
LayerBB 1.1.1 allows XSS via the titles of conversations (PMs).
CVSS 6.1
LayerBB < 1.1.3 - Cross-Site Request Forgery via Admin and Moderator Endpoints
LayerBB before 1.1.3 allows CSRF for adding a user via admin/new_user.php, deleting a user via admin/members.php/delete_user/, and deleting content via mod/delete.php/.
CVSS 6.5
LayerBB 1.1.1 and 1.1.3 - SQL Injection via search.php search_query Parameter
LayerBB 1.1.1 and 1.1.3 have SQL Injection via the search.php search_query parameter.
CVSS 9.8
Linux Kernel < 4.18.12 - Unauthenticated Denial of Service and Control Flow Hijack via KVM_SET_ON_REG ioctl
arch/arm64/kvm/guest.c in KVM in the Linux kernel before 4.18.12 on the arm64 platform mishandles the KVM_SET_ON_REG ioctl. This is exploitable by attackers who can create virtual machines. An attacker can arbitrarily redirect the hypervisor flow of control (with full register control). An attacker can also cause a denial of service (hypervisor panic) via an illegal exception return. This occurs because of insufficient restrictions on userspace access to the core register file, and because PSTATE.M validation does not prevent unintended execution modes.
CVSS 7.1
AlchemyCMS 4.1.0 - Stored Cross-Site Scripting via Admin Pictures Image Field
A Stored XSS vulnerability has been discovered in version 4.1.0 of AlchemyCMS via the /admin/pictures image field. NOTE: the vendor's position is that this is not a valid report: "The researcher used an authorized cookie to perform the request to a password-protected route. Without that session cookie, the request would have been rejected as unauthorized."
CVSS 6.1
BigTree CMS 4.2.23 - Stored Cross-Site Scripting in Image Upload Area
In the 4.2.23 version of BigTree, a Stored XSS vulnerability has been discovered in /admin/ajax/file-browser/upload/ (aka the image upload area).
CVSS 6.1
BigTree CMS < 4.2.24 - Session Fixation via admin.php
A Session Fixation issue was discovered in Bigtree before 4.2.24. admin.php accepts a user-provided PHP session ID instead of regenerating a new one after a user has logged in to the application. The Session Fixation could allow an attacker to hijack an admin session.
CVSS 5.4
kioware_server < 4.9.6 - Unauthenticated Privilege Escalation via Weak Directory Permissions
KioWare Server version 4.9.6 and older installs by default to "C:\kioware_com" with weak folder permissions granting any user full permission "Everyone: (F)" to the contents of the directory and its sub-folders. In addition, the program installs a service called "KWSService" which runs as "Localsystem"; this allows any user to escalate privileges to "NT AUTHORITY\SYSTEM" by substituting the service's binary with a malicious one.
CVSS 7.8
Thunderbird < 60.5.1 - Improper Verification of Cryptographic Signature
A flaw during verification of certain S/MIME signatures causes emails to be shown in Thunderbird as having a valid digital signature, even if the shown message contents aren't covered by the signature. The flaw allows an attacker to reuse a valid S/MIME signature to craft an email message with arbitrary content. This vulnerability affects Thunderbird < 60.5.1.
CVSS 5.3
LibTIFF 3.9.3-4.0.9 - Out-of-bounds Write in JBIG Decoder
LibTIFF 3.9.3, 3.9.4, 3.9.5, 3.9.6, 3.9.7, 4.0.0alpha4, 4.0.0alpha5, 4.0.0alpha6, 4.0.0beta7, 4.0.0, 4.0.1, 4.0.2, 4.0.3, 4.0.4, 4.0.4beta, 4.0.5, 4.0.6, 4.0.7, 4.0.8 and 4.0.9 (with JBIG enabled) decodes arbitrarily-sized JBIG into a buffer, ignoring the buffer size, which leads to a tif_jbig.c JBIGDecode out-of-bounds write.
CVSS 8.8
Sandboxie 5.26 - Sandbox Escape via Python File Import
Sandboxie 5.26 allows a Sandbox Escape via an "import os" statement, followed by os.system("cmd") or os.system("powershell"), within a .py file. NOTE: the vendor disputes this issue because the observed behavior is consistent with the product's intended functionality.
CVSS 10.0
GNU gettext 0.19.8 - Use-After-Free in po_gram_parse
An issue was discovered in GNU gettext 0.19.8. There is a double free in default_add_message in read-catalog.c, related to an invalid free in po_gram_parse in po-gram-gen.y, as demonstrated by lt-msgfmt.
CVSS 9.8
Cesanta Mongoose 6.13 - Heap-Based Buffer Over-Read in MQTT Packet Parsing
An exploitable arbitrary memory read vulnerability exists in the MQTT packet-parsing functionality of Cesanta Mongoose 6.13. It is a heap-based buffer over-read in a parse_mqtt getu16 call. A specially crafted MQTT SUBSCRIBE packet can cause an arbitrary out-of-bounds memory read potentially resulting in information disclosure and denial of service. An attacker needs to send a specially crafted MQTT packet over the network to trigger this vulnerability.
CVSS 9.1
Netdata 1.10.0 - JSON Injection via tqx Parameter
An issue was discovered in Netdata 1.10.0. JSON injection exists via the api/v1/data tqx parameter because of web_client_api_request_v1_data in web/api/web_api_v1.c.
CVSS 6.5
Netdata 1.10.0 - HTTP Header Injection
An issue was discovered in Netdata 1.10.0. HTTP Header Injection exists via the api/v1/data filename parameter because of web_client_api_request_v1_data in web/api/web_api_v1.c.
CVSS 6.1
Jinjava < 2.4.6 - Remote Code Execution via getClass Method
Jinjava before 2.4.6 does not block the getClass method, related to com/hubspot/jinjava/el/ext/JinjavaBeanELResolver.java.
CVSS 5.3
Linux Nested User Namespace idmap Limit Local Privilege Escalation
In the Linux kernel 4.15.x through 4.19.x before 4.19.2, map_write() in kernel/user_namespace.c allows privilege escalation because it mishandles nested user namespaces with more than 5 UID or GID ranges. A user who has CAP_SYS_ADMIN in an affected user namespace can bypass access controls on resources outside the namespace, as demonstrated by reading /etc/shadow. This occurs because an ID transformation takes place properly for the namespaced-to-kernel direction but not for the kernel-to-namespaced direction.
CVSS 7.0
keepalived 2.0.8 - Exposure of Sensitive Information via Temporary File Permissions
keepalived 2.0.8 used mode 0666 when creating new temporary files upon a call to PrintData or PrintStats, potentially leaking sensitive information.
CVSS 7.5
Simditor < 2.3.21 - DOM Cross-Site Scripting via Malformed SVG Element
Simditor through 2.3.21 allows DOM XSS via an onload attribute within a malformed SVG element.
CVSS 6.1
Pronestor Health Monitoring < 8.1.12.0 - Privilege Escalation via Trojan Horse Executable
The Pronestor PNHM (aka Health Monitoring or HealthMonitor) add-in before 8.1.13.0 for Outlook has "BUILTIN\Users:(I)(F)" permissions for the "%PROGRAMFILES(X86)%\proNestor\Outlook add-in for Pronestor\PronestorHealthMonitor.exe" file, which allows local users to gain privileges via a Trojan horse PronestorHealthMonitor.exe file.
CVSS 7.3
uriparser < 0.9.0 - Out-of-bounds Write via Query Composition Function
An issue was discovered in uriparser before 0.9.0. UriQuery.c allows an out-of-bounds write via a uriComposeQuery* or uriComposeQueryEx* function because the '&' character is mishandled in certain contexts.
CVSS 9.8