Writeup Exploits

62,897 exploits tracked across all sources.

CVE-2018-20250 WRITEUP HIGH
WinRAR <= 5.61 - Path Traversal and Remote Code Execution via ACE Filename Field
In WinRAR versions prior to and including 5.61, there is a path traversal vulnerability when crafting the filename field of the ACE format (in UNACEV2.dll). When the filename field is manipulated with specific patterns, the destination (extraction) folder is ignored and the filename is treated as an absolute path.
CVSS 7.8
CVE-2018-20410 WRITEUP HIGH
WellinTech KingSCADA < 3.7.0.0.1 - Stack-Based Buffer Overflow via Crafted Packet to AlarmServer
WellinTech KingSCADA before 3.7.0.0.1 contains a stack-based buffer overflow. The vulnerability is triggered when sending a specially crafted packet to the AlarmServer (AEserver.exe) service listening on TCP port 12401.
CVSS 7.5
CVE-2018-20418 WRITEUP MEDIUM
Craft CMS 3.0.25 - Stored Cross-Site Scripting via Entry Title Field
index.php?p=admin/actions/entries/save-entry in Craft CMS 3.0.25 allows XSS by saving a new title from the console tab.
CVSS 4.8
CVE-2018-20433 WRITEUP CRITICAL
Mchange C3p0 < 0.9.5.3 - XXE
c3p0 0.9.5.2 allows XXE in extractXmlConfigFromInputStream in com/mchange/v2/c3p0/cfg/C3P0ConfigXmlUtils.java during initialization.
CVSS 9.8
CVE-2018-20434 WRITEUP CRITICAL
LibreNMS 1.46 - OS Command Injection via $_POST['community'] Parameter
LibreNMS 1.46 allows remote attackers to execute arbitrary OS commands by using the $_POST['community'] parameter to html/pages/addhost.inc.php during creation of a new device, and then making a /ajax_output.php?id=capture&format=text&type=snmpwalk&hostname=localhost request that triggers html/includes/output/capture.inc.php command mishandling.
CVSS 9.8
CVE-2018-20437 WRITEUP HIGH
mrbird febs-shiro < 2018.11.05 - Path Traversal via CommonController File Download
An issue was discovered in the fileDownload function in the CommonController class in FEBS-Shiro before 2018-11-05. An attacker can download a file via a request of the form /common/download?filename=1.jsp&delete=false. NOTE: the software maintainer disputes the significance of this report because the product uses a JAR archive for deployment, and this contains application.yml with configuration data.
CVSS 7.5
CVE-2018-20556 WRITEUP HIGH
Booking Calendar 8.4.3 - SQL Injection via booking_id Parameter
SQL injection vulnerability in Booking Calendar plugin 8.4.3 for WordPress allows remote attackers to execute arbitrary SQL commands via the booking_id parameter.
CVSS 8.8
CVE-2018-20592 WRITEUP MEDIUM
Mini-XML v2.12 - Use-After-Free in mxmlAdd Function
In Mini-XML (aka mxml) v2.12, there is a use-after-free in the mxmlAdd function of the mxml-node.c file. Remote attackers could leverage this vulnerability to cause a denial-of-service via a crafted xml file, as demonstrated by mxmldoc.
CVSS 5.5
CVE-2018-20593 WRITEUP MEDIUM
Mini-XML v2.12 - Stack-based Buffer Overflow in scan_file Function
In Mini-XML (aka mxml) v2.12, there is a stack-based buffer overflow in the scan_file function in mxmldoc.c.
CVSS 5.5
CVE-2018-20683 WRITEUP HIGH
gitolite < 3.6.11 - Command Injection via rsync Command Line
commands/rsync in Gitolite before 3.6.11, if .gitolite.rc enables rsync, mishandles the rsync command line, which allows attackers to have a "bad" impact by triggering use of an option other than -v, -n, -q, or -P.
CVSS 8.1
CVE-2018-20721 WRITEUP CRITICAL
uriparser < 0.9.1 - Out-of-bounds Read in URI_FUNC
URI_FUNC() in UriParse.c in uriparser before 0.9.1 has an out-of-bounds read (in uriParse*Ex* functions) for an incomplete URI with an IPv6 address containing an embedded IPv4 address, such as a "//[::44.1" address.
CVSS 9.8
CVE-2018-20723 WRITEUP MEDIUM
Cacti < 1.2.0 - Stored Cross-Site Scripting in Color Name Field
A cross-site scripting (XSS) vulnerability exists in color_templates.php in Cacti before 1.2.0 due to lack of escaping of unintended characters in the Name field for a Color.
CVSS 4.8
CVE-2018-20724 WRITEUP MEDIUM
Cacti < 1.2.0 - Stored Cross-Site Scripting in Website Hostname for Data Collectors
A cross-site scripting (XSS) vulnerability exists in pollers.php in Cacti before 1.2.0 due to lack of escaping of unintended characters in the Website Hostname for Data Collectors.
CVSS 4.8
CVE-2018-20725 WRITEUP MEDIUM
Cacti < 1.2.0 - Stored Cross-Site Scripting in Graph Vertical Label
A cross-site scripting (XSS) vulnerability exists in graph_templates.php in Cacti before 1.2.0 due to lack of escaping of unintended characters in the Graph Vertical Label.
CVSS 4.8
CVE-2018-20726 WRITEUP MEDIUM
Cacti < 1.2.0 - Stored Cross-Site Scripting via Website Hostname Field
A cross-site scripting (XSS) vulnerability exists in host.php (via tree.php) in Cacti before 1.2.0 due to lack of escaping of unintended characters in the Website Hostname field for Devices.
CVSS 5.4
CVE-2018-20748 WRITEUP CRITICAL
LibVNC < 0.9.12 - Heap Out-of-Bounds Write in rfbproto.c
LibVNC before 0.9.12 contains multiple heap out-of-bounds write vulnerabilities in libvncclient/rfbproto.c. The fix for CVE-2018-20019 was incomplete.
CVSS 9.8
CVE-2018-20781 WRITEUP HIGH
GNOME Keyring < 3.27.2 - Insufficiently Protected Credentials via Session-Child Process
In pam/gkr-pam-module.c in GNOME Keyring before 3.27.2, the user's password is kept in a session-child process spawned from the LightDM daemon. This can expose the credential in cleartext.
CVSS 7.8
CVE-2018-20834 WRITEUP HIGH
node-tar < 2.2.2 and 3.0.0-4.4.2 - Arbitrary File Overwrite via Hardlink Extraction
A vulnerability was found in node-tar before version 4.4.2 (excluding version 2.2.2). An arbitrary file overwrite issue exists when extracting a tarball containing a hardlink to a file that already exists on the system, in conjunction with a later plain file with the same name as the hardlink. This plain file's content replaces the existing file's content. A patch has been applied to node-tar v2.2.2.
CVSS 7.5
CVE-2018-20962 WRITEUP MEDIUM
Backpack\CRUD < 3.4.9 - Cross-Site Scripting via Select Field Type
The Backpack\CRUD Backpack component before 3.4.9 for Laravel allows XSS via the select field type.
CVSS 6.1
CVE-2018-21029 WRITEUP CRITICAL
systemd 239-245 - Improper Certificate Validation in DNS Over TLS
systemd 239 through 245 accepts any certificate signed by a trusted certificate authority for DNS Over TLS. Server Name Indication (SNI) is not sent, and there is no hostname validation with the GnuTLS backend. NOTE: This has been disputed by the developer as not a vulnerability, since hostname validation does not have anything to do with this issue (i.e., there is no hostname to be sent).
CVSS 9.8
CVE-2018-21036 WRITEUP HIGH
Sails.js < 1.0.0-46 - Denial of Service via Empty WebSocket Pathname
Sails.js before v1.0.0-46 allows attackers to cause a denial of service with a single request because there is no error handler in sails-hook-sockets to handle an empty pathname in a WebSocket request.
CVSS 7.5
CVE-2018-25032 WRITEUP HIGH
zlib < 1.2.12 - Memory Corruption
zlib before 1.2.12 allows memory corruption when deflating (i.e., when compressing) if the input has many distant matches.
CVSS 7.5
CVE-2018-25075 WRITEUP MEDIUM
karsany OBridge < 1.3 - SQL Injection
A vulnerability classified as critical has been found in karsany OBridge up to 1.3. Affected is the function getAllStandaloneProcedureAndFunction of the file obridge-main/src/main/java/org/obridge/dao/ProcedureDao.java. The manipulation leads to SQL injection. The complexity of an attack is rather high and exploitation is reported to be difficult. Upgrading to version 1.4 addresses this issue. The patch is commit 52eca4ad05f3c292aed3178b2f58977686ffa376. It is recommended to upgrade the affected component. The identifier of this vulnerability is VDB-218376.
CVSS 4.6
CVE-2018-25080 WRITEUP LOW
mobiledetect < 2.8.32 - Cross-Site Scripting via $_SERVER['PHP_SELF'] in session_example.php
A vulnerability, which was classified as problematic, has been found in MobileDetect 2.8.31. This issue affects the function initLayoutType of the file examples/session_example.php of the component Example. The manipulation of the argument $_SERVER['PHP_SELF'] leads to cross-site scripting. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. Upgrading to version 2.8.32 addresses this issue. The patch is commit 31818a441b095bdc4838602dbb17b8377d1e5cce. It is recommended to upgrade the affected component. The identifier VDB-220061 was assigned to this vulnerability.
CVSS 3.5