Writeup Exploits

62,897 exploits tracked across all sources.

CVE-2018-5815 WRITEUP MEDIUM
LibRaw < 0.18.12 - Integer Overflow in parse_qt() Function
An integer overflow error within the "parse_qt()" function (internal/dcraw_common.cpp) in LibRaw versions prior to 0.18.12 can be exploited to trigger an infinite loop via a specially crafted Apple QuickTime file.
CVSS 6.5
CVE-2018-5816 WRITEUP MEDIUM
LibRaw < 0.18.12 - Integer Overflow via NOKIARAW File in identify() Function
An integer overflow error within the "identify()" function (internal/dcraw_common.cpp) in LibRaw versions prior to 0.18.12 can be exploited to trigger a division by zero via a specially crafted NOKIARAW file (Note: This vulnerability is caused by an incomplete fix of CVE-2018-5804).
CVSS 6.5
CVE-2018-5873 WRITEUP HIGH
Linux kernel <4.11 - Use After Free
An issue was discovered in the __ns_get_path function in fs/nsfs.c in the Linux kernel before 4.11. Due to a race condition when accessing files, a Use After Free condition can occur. This also affects all Android releases from CAF using the Linux kernel (Android for MSM, Firefox OS for MSM, QRD Android) before security patch level 2018-07-05.
CVSS 7.0
CVE-2018-5999 WRITEUP CRITICAL
AsusWRT <3.0.0.4.384_10007 - Info Disclosure
An issue was discovered in AsusWRT before 3.0.0.4.384_10007. In the handle_request function in router/httpd/httpd.c, processing of POST requests continues even if authentication fails.
CVSS 9.8
CVE-2018-6000 WRITEUP CRITICAL
AsusWRT <3.0.0.4.384_10007 - Privilege Escalation
An issue was discovered in AsusWRT before 3.0.0.4.384_10007. The do_vpnupload_post function in router/httpd/web.c in vpnupload.cgi provides functionality for setting NVRAM configuration values, which allows attackers to set the admin password and launch an SSH daemon (or enable infosvr command mode), and consequently obtain remote administrative access, via a crafted request. This is available to unauthenticated attackers in conjunction with CVE-2018-5999.
CVSS 9.8
CVE-2018-6383 WRITEUP HIGH
Monstra CMS < 3.0.4 - Authenticated Remote Code Execution via .pht or .phar File Upload
Monstra CMS through 3.0.4 has an incomplete "forbidden types" list that excludes .php (and similar) file extensions but not the .pht or .phar extension, which allows remote authenticated Admins or Editors to execute arbitrary PHP code by uploading a file, a different vulnerability than CVE-2017-18048.
CVSS 8.8
CVE-2018-6389 WRITEUP HIGH
WordPress < 4.9.2 - Unauthenticated Denial of Service via Repeated JavaScript File Loading
In WordPress through 4.9.2, unauthenticated attackers can cause a denial of service (resource consumption) by using the large list of registered .js files (from wp-includes/script-loader.php) to construct a series of requests to load every file many times.
CVSS 7.5
CVE-2018-6407 WRITEUP HIGH
Conceptronic CIPCAMPTIWL V3 0.61.30.21 - Unauthenticated Denial of Service via Large POST Request to devices.cgi
An issue was discovered on Conceptronic CIPCAMPTIWL V3 0.61.30.21 devices. An unauthenticated attacker can crash a device by sending a POST request with a huge body size to /hy-cgi/devices.cgi?cmd=searchlandevice. The crash completely freezes the device.
CVSS 7.5
CVE-2018-6481 WRITEUP CRITICAL
Flexense Disksavvy - Memory Corruption
A buffer overflow vulnerability in the control protocol of Disk Savvy Enterprise v10.4.18 allows remote attackers to execute arbitrary code by sending a crafted packet to TCP port 9124.
CVSS 9.8
CVE-2018-6546 WRITEUP CRITICAL
plays.tv < 1.27.7.0 - Unauthenticated Remote Code Execution via execute_installer Parameter
plays_service.exe in the plays.tv service before 1.27.7.0, as distributed in AMD driver-installation packages and Gaming Evolved products, executes code at a user-defined (local or SMB) path as SYSTEM when the execute_installer parameter is used in an HTTP message. This occurs without properly authenticating the user.
CVSS 9.8
CVE-2018-6558 WRITEUP MEDIUM
fscrypt <0.2.4 - Privilege Escalation
The pam_fscrypt module in fscrypt before 0.2.4 may incorrectly restore primary and supplementary group IDs to the values associated with the root user, which allows attackers to gain privileges via a successful login through certain applications that use Linux-PAM (aka pam).
CVSS 6.5
CVE-2018-6574 WRITEUP HIGH
Go < 1.8.6 - Code Injection
Go before 1.8.7, Go 1.9.x before 1.9.4, and Go 1.10 pre-releases before Go 1.10rc2 allow "go get" remote command execution during source code build, by leveraging the gcc or clang plugin feature, because -fplugin= and -plugin= arguments were not blocked.
CVSS 7.8
CVE-2018-0833 WRITEUP MEDIUM
Windows 8.1, RT 8.1, and Server 2012 R2 - Denial of Service via SMBv2/SMBv3 Client Null Pointer Dereference
The Microsoft Server Message Block 2.0 and 3.0 (SMBv2/SMBv3) client in Windows 8.1 and RT 8.1 and Windows Server 2012 R2 allows a denial of service vulnerability due to how specially crafted requests are handled, aka "SMBv2/SMBv3 Null Dereference Denial of Service Vulnerability".
CVSS 5.3
CVE-2018-6593 WRITEUP HIGH
MalwareFox AntiMalware 2.74.0.150 - Privilege Escalation via IOCTL 0x8000204C
An issue was discovered in MalwareFox AntiMalware 2.74.0.150. Improper access control in zam32.sys and zam64.sys allows a non-privileged process to register itself with the driver by connecting to the filter communication port and then using IOCTL 0x8000204C to \\.\ZemanaAntiMalware to elevate privileges.
CVSS 7.8
CVE-2018-6596 WRITEUP CRITICAL
django-anymail < 1.2.1 - Timing Attack on WEBHOOK_AUTHORIZATION Secret
webhooks/base.py in Anymail (aka django-anymail) before 1.2.1 is prone to a timing attack vulnerability on the WEBHOOK_AUTHORIZATION secret, which allows remote attackers to post arbitrary e-mail tracking events.
CVSS 9.1
CVE-2018-6606 WRITEUP HIGH
MalwareFox AntiMalware 2.74.0.150 - Privilege Escalation via IOCTL 0x80002010 and 0x8000204C
An issue was discovered in MalwareFox AntiMalware 2.74.0.150. Improper access control in zam32.sys and zam64.sys allows a non-privileged process to register itself with the driver by sending IOCTL 0x80002010 and then using IOCTL 0x8000204C to \\.\ZemanaAntiMalware to elevate privileges.
CVSS 7.8
CVE-2018-6651 WRITEUP HIGH
uncurl < 0.07 - Cross-Site Request Forgery via Origin Header Substring Match
In the uncurl_ws_accept function in uncurl.c in uncurl before 0.07, as used in Parsec before 140-3, insufficient Origin header validation (accepting an arbitrary substring match) for WebSocket API requests allows remote attackers to bypass intended access restrictions. In Parsec, this means full control over the victim's computer.
CVSS 8.8
CVE-2018-6871 WRITEUP CRITICAL
LibreOffice <5.4.5 & 6.x <6.0.1 - Info Disclosure
LibreOffice before 5.4.5 and 6.x before 6.0.1 allows remote attackers to read arbitrary files via =WEBSERVICE calls in a document, which use the COM.MICROSOFT.WEBSERVICE function.
CVSS 9.8
CVE-2018-6890 WRITEUP MEDIUM
Wolf CMS 0.8.3.1 - Stored Cross-Site Scripting via Page Editing Feature
Cross-site scripting (XSS) vulnerability in Wolf CMS 0.8.3.1 via the page editing feature, as demonstrated by /?/admin/page/edit/3.
CVSS 4.8
CVE-2018-7171 WRITEUP HIGH
Twonky Server 7.0.11-8.5 - Directory Traversal via contentbase Parameter
Directory traversal vulnerability in Twonky Server 7.0.11 through 8.5 allows remote attackers to share the contents of arbitrary directories via a .. (dot dot) in the contentbase parameter to rpc/set_all.
CVSS 7.5
CVE-2018-7191 WRITEUP MEDIUM
Linux Kernel < 4.13.14 - Denial of Service via TUNSETIFF ioctl with Invalid Device Name
In the tun subsystem in the Linux kernel before 4.13.14, dev_get_valid_name is not called before register_netdevice. This allows local users to cause a denial of service (NULL pointer dereference and panic) via an ioctl(TUNSETIFF) call with a dev name containing a / character. This is similar to CVE-2013-4343.
CVSS 5.5
CVE-2018-7249 WRITEUP HIGH
Microsoft Windows Vista, 7, 8, 8.1 - Use-After-Free via secdrv.sys IOCTL Race Condition
An issue was discovered in secdrv.sys as shipped in Microsoft Windows Vista, Windows 7, Windows 8, and Windows 8.1 before KB3086255, and as shipped in Macrovision SafeDisc. Two carefully timed calls to IOCTL 0xCA002813 can cause a race condition that leads to a use-after-free. When exploited, an unprivileged attacker can run arbitrary code in the kernel.
CVSS 7.0
CVE-2018-7250 WRITEUP MEDIUM
Windows Vista, 7, 8, and 8.1 - Uninitialized Kernel Pool Memory Exposure via secdrv.sys IOCTL 0xCA002813
An issue was discovered in secdrv.sys as shipped in Microsoft Windows Vista, Windows 7, Windows 8, and Windows 8.1 before KB3086255, and as shipped in Macrovision SafeDisc. An uninitialized kernel pool allocation in IOCTL 0xCA002813 allows a local unprivileged attacker to leak 16 bits of uninitialized kernel PagedPool data.
CVSS 5.5
CVE-2018-7254 WRITEUP HIGH
WavPack 5.1.0 - Denial of Service via Malicious CAF File
The ParseCaffHeaderConfig function of the cli/caff.c file of WavPack 5.1.0 allows a remote attacker to cause a denial-of-service (global buffer over-read), or possibly trigger a buffer overflow or incorrect memory allocation, via a maliciously crafted CAF file.
CVSS 7.8