Writeup Exploits

62,897 exploits tracked across all sources.

CVE-2018-19199 WRITEUP CRITICAL
uriparser < 0.9.0 - Integer Overflow in UriQuery.c
An issue was discovered in uriparser before 0.9.0. UriQuery.c allows an integer overflow via a uriComposeQuery* or uriComposeQueryEx* function because of an unchecked multiplication.
CVSS 9.8
CVE-2018-19200 WRITEUP HIGH
uriparser < 0.9.0 - NULL Pointer Dereference via uriResetUri Function
An issue was discovered in uriparser before 0.9.0. UriCommon.c allows attempted operations on NULL input via a uriResetUri* function.
CVSS 7.5
CVE-2018-19342 WRITEUP HIGH
Foxit Reader 9.3.0-9.3.0.10826 - DoS/Info Disclosure
The u3d plugin 9.3.0.10809 (aka plugins\U3DBrowser.fpi) in FoxitReader.exe in Foxit Reader 9.3.0.10826 allows remote attackers to cause a denial of service (out-of-bounds read) or obtain sensitive information via a U3D sample because of a "Read Access Violation starting at U3DBrowser+0x000000000000347a" issue.
CVSS 7.1
CVE-2018-18933 WRITEUP CRITICAL
Foxit Reader 9.3.0.10826 - Out-of-bounds Read in U3D Plugin
The u3d plugin 9.3.0.10809 (aka plugins\U3DBrowser.fpi) in FoxitReader.exe in Foxit Reader 9.3.0.10826 allows remote attackers to cause a denial of service (out-of-bounds read) or obtain sensitive information via a U3D sample because of a "Read Access Violation near NULL starting at FoxitReader!safe_vsnprintf+0x00000000002c4330" issue.
CVSS 9.1
CVE-2018-19348 WRITEUP HIGH
Foxit Reader 9.3.0.10826 - DoS/Info Disclosure
The u3d plugin 9.3.0.10809 (aka plugins\U3DBrowser.fpi) in FoxitReader.exe in Foxit Reader 9.3.0.10826 allows remote attackers to cause a denial of service (out-of-bounds read) or obtain sensitive information via a U3D sample because of a "Data from Faulting Address controls Branch Selection starting at U3DBrowser!PlugInMain+0x000000000012dff5" issue.
CVSS 7.1
CVE-2018-19360 WRITEUP CRITICAL
FasterXML jackson-databind <2.9.8 - Code Injection
FasterXML jackson-databind 2.x before 2.9.8 might allow attackers to have unspecified impact by leveraging failure to block the axis2-transport-jms class from polymorphic deserialization.
CVSS 9.8
CVE-2018-19361 WRITEUP CRITICAL
FasterXML jackson-databind <2.9.8 - Deserialization
FasterXML jackson-databind 2.x before 2.9.8 might allow attackers to have unspecified impact by leveraging failure to block the openjpa class from polymorphic deserialization.
CVSS 9.8
CVE-2018-19362 WRITEUP CRITICAL
FasterXML jackson-databind <2.9.8 - Deserialization
FasterXML jackson-databind 2.x before 2.9.8 might allow attackers to have unspecified impact by leveraging failure to block the jboss-common-core class from polymorphic deserialization.
CVSS 9.8
CVE-2018-19423 WRITEUP HIGH
Codiad 2.8.4 - Authenticated Remote Code Execution via File Upload
Codiad 2.8.4 allows remote authenticated administrators to execute arbitrary code by uploading an executable file.
CVSS 7.2
CVE-2018-19487 WRITEUP HIGH
WP-jobhunt < 2.4 - Unauthenticated User Information Enumeration via admin-ajax.php
The WP-jobhunt plugin before version 2.4 for WordPress does not control AJAX requests sent to the cs_employer_ajax_profile() function through the admin-ajax.php file, which allows remote unauthenticated attackers to enumerate information about users.
CVSS 7.5
CVE-2018-19518 WRITEUP HIGH
University of Washington IMAP Toolkit 2007f - Command Injection
University of Washington IMAP Toolkit 2007f on UNIX, as used in imap_open() in PHP and other products, launches an rsh command (by means of the imap_rimap function in c-client/imap4r1.c and the tcp_aopen function in osdep/unix/tcp_unix.c) without preventing argument injection, which might allow remote attackers to execute arbitrary OS commands if the IMAP server name is untrusted input (e.g., entered by a user of a web application) and if rsh has been replaced by a program with different argument semantics. For example, if rsh is a link to ssh (as seen on Debian and Ubuntu systems), then the attack can use an IMAP server name containing a "-oProxyCommand" argument.
CVSS 7.5
CVE-2018-19546 WRITEUP HIGH
JTBC(PHP) 3.0.1.7 - Cross-Site Request Forgery via console/xml/manage.php
JTBC(PHP) 3.0.1.7 has CSRF via the console/xml/manage.php?type=action&action=edit URI, as demonstrated by an XSS payload in the content parameter.
CVSS 8.8
CVE-2018-19547 WRITEUP MEDIUM
JTBC(PHP) 3.0.1.7 - Cross-Site Scripting via Manage.php Content Parameter
JTBC(PHP) 3.0.1.7 has XSS via the console/xml/manage.php?type=action&action=edit content parameter.
CVSS 6.1
CVE-2018-19592 WRITEUP HIGH
Corsair Link 4.9.7.35 - Privilege Escalation
The "CLink4Service" service is installed with Corsair Link 4.9.7.35 with insecure permissions by default. This allows unprivileged users to take control of the service and execute commands in the context of NT AUTHORITY\SYSTEM, leading to total system takeover, a similar issue to CVE-2018-12441.
CVSS 7.8
CVE-2018-19908 WRITEUP HIGH
MISP 2.4.90-2.4.98 - Authenticated OS Command Injection via STIX Import Filename
An issue was discovered in MISP 2.4.9x before 2.4.99. In app/Model/Event.php (the STIX 1 import code), an unescaped filename string is used to construct a shell command. This vulnerability can be abused by a malicious authenticated user to execute arbitrary commands by tweaking the original filename of the STIX import.
CVSS 8.8
CVE-2018-19911 WRITEUP HIGH
FreeSWITCH < 1.8.2 - Remote Code Execution via mod_xml_rpc API
FreeSWITCH through 1.8.2, when mod_xml_rpc is enabled, allows remote attackers to execute arbitrary commands via the api/system or txtapi/system (or api/bg_system or txtapi/bg_system) query string on TCP port 8080, as demonstrated by an api/system?calc URI. This can also be exploited via CSRF. Alternatively, the default password of "works" for the freeswitch account can sometimes be used.
CVSS 7.5
CVE-2018-19933 WRITEUP MEDIUM
Bolt CMS < 3.6.2 - Stored Cross-Site Scripting via Title Field Preview
Bolt CMS <3.6.2 allows XSS via a text input when the preview button is clicked, as demonstrated by the Title field of a Configured and New Entry.
CVSS 6.1
CVE-2018-19987 WRITEUP CRITICAL
D-Link DIR-818LW/822/860L/868L/880L/890L - OS Command Injection via HNAP1 SetAccessPointMode
D-Link DIR-822 Rev.B 202KRb06, DIR-822 Rev.C 3.10B06, DIR-860L Rev.B 2.03.B03, DIR-868L Rev.B 2.05B02, DIR-880L Rev.A 1.20B01_01_i3se_BETA, and DIR-890L Rev.A 1.21B02_BETA devices mishandle IsAccessPoint in /HNAP1/SetAccessPointMode. In the SetAccessPointMode.php source code, the IsAccessPoint parameter is saved in the ShellPath script file without any regex checking. After the script file is executed, the command injection occurs. A vulnerable /HNAP1/SetAccessPointMode XML message could have shell metacharacters in the IsAccessPoint element such as the `telnetd` string.
CVSS 9.8
CVE-2018-19995 WRITEUP MEDIUM
Dolibarr < 8.0.4 - Authenticated Stored Cross-Site Scripting via User Address or Town Parameter
A stored cross-site scripting (XSS) vulnerability in Dolibarr 8.0.2 allows remote authenticated users to inject arbitrary web script or HTML via the "address" (POST) or "town" (POST) parameter to user/card.php.
CVSS 5.4
CVE-2018-19998 WRITEUP HIGH
Dolibarr 8.0.2 - Authenticated SQL Injection via Employee Parameter
SQL injection vulnerability in user/card.php in Dolibarr version 8.0.2 allows remote authenticated users to execute arbitrary SQL commands via the employee parameter.
CVSS 8.8
CVE-2018-20140 WRITEUP MEDIUM
Zenphoto 1.4.14 - Cross-Site Scripting via URL Parameters
Zenphoto 1.4.14 has multiple cross-site scripting (XSS) vulnerabilities via different URL parameters.
CVSS 6.1
CVE-2018-20145 WRITEUP HIGH
Eclipse Mosquitto <1.5.5 - Auth Bypass
Eclipse Mosquitto 1.5.x before 1.5.5 allows ACL bypass: if the option per_listener_settings was set to true, and the default listener was in use, and the default listener specified an acl_file, then the acl file was being ignored.
CVSS 7.5
CVE-2018-20164 WRITEUP MEDIUM
uaparser/user_agent_parser-core < 0.6.0 - Regular Expression Denial of Service via User-Agent Header
An issue was discovered in regex.yaml (aka regexes.yaml) in UA-Parser UAP-Core before 0.6.0. A Regular Expression Denial of Service (ReDoS) issue allows remote attackers to overload a server by setting the User-Agent header in an HTTP(S) request to a value containing a long digit string. (The UAP-Core project contains the vulnerability, propagating to all implementations.)
CVSS 5.3
CVE-2018-20165 WRITEUP MEDIUM
OpenText Portal 7.4.4 - Cross-Site Scripting via vgnextoid Parameter
Cross-site scripting (XSS) vulnerability in OpenText Portal 7.4.4 allows remote attackers to inject arbitrary web script or HTML via the vgnextoid parameter to a menuitem URI.
CVSS 6.1
CVE-2018-20226 WRITEUP HIGH
THEHIVE PROJECT Cortex <2.1.3 - Privilege Escalation
An organization administrator can add a super administrator in THEHIVE PROJECT Cortex before 2.1.3 due to the lack of overriding the Role.toString method.
CVSS 7.2