Writeup Exploits

62,906 exploits tracked across all sources.

Sort: Activity Stars
CVE-2019-10752 WRITEUP CRITICAL
Sequelize < 4.44.3 - SQL Injection via sequelize.json() Helper Function
Sequelize, all versions prior to version 4.44.3 and 5.15.1, is vulnerable to SQL Injection due to sequelize.json() helper function not escaping values properly when formatting sub paths for JSON queries for MySQL, MariaDB and SQLite.
CVSS 9.8
CVE-2019-10867 WRITEUP HIGH
pimcore < 5.7.1 - Authenticated Remote Code Execution via Unserialize in Bulk-Commit Endpoint
An issue was discovered in Pimcore before 5.7.1. An attacker with classes permission can send a POST request to /admin/class/bulk-commit, which will make it possible to exploit the unserialize function when passing untrusted values in the data parameter to bundles/AdminBundle/Controller/Admin/DataObject/ClassController.php.
CVSS 8.8
CVE-2019-10887 WRITEUP MEDIUM
Salicru SLC-20-cube3(5) - Reflected Cross-Site Scripting via DataLog.csv log Parameter
A reflected HTML injection vulnerability on Salicru SLC-20-cube3(5) devices running firmware version cs121-SNMP v4.54.82.130611 allows remote attackers to inject arbitrary HTML elements via a /DataLog.csv?log= or /AlarmLog.csv?log= or /waitlog.cgi?name= or /chart.shtml?data= or /createlog.cgi?name= request.
CVSS 6.1
CVE-2019-10909 WRITEUP MEDIUM
Symfony 2.7.0-2.7.50, 2.8.0-2.8.49, 3.0.0-3.4.25, 4.0.0-4.1.11, 4.2.0-4.2.6 - XSS in Validation Messages
In Symfony before 2.7.51, 2.8.x before 2.8.50, 3.x before 3.4.26, 4.x before 4.1.12, and 4.2.x before 4.2.7, validation messages are not escaped, which can lead to XSS when user input is included. This is related to symfony/framework-bundle.
CVSS 5.4
CVE-2019-10999 WRITEUP HIGH
D-Link DCS Series Firmware - Authenticated Stack-based Buffer Overflow via WEPEncryption Parameter
The D-Link DCS series of Wi-Fi cameras contains a stack-based buffer overflow in alphapd, the camera's web server. The overflow allows a remotely authenticated attacker to execute arbitrary code by providing a long string in the WEPEncryption parameter when requesting wireless.htm. Vulnerable devices include DCS-5009L (1.08.11 and below), DCS-5010L (1.14.09 and below), DCS-5020L (1.15.12 and below), DCS-5025L (1.03.07 and below), DCS-5030L (1.04.10 and below), DCS-930L (2.16.01 and below), DCS-931L (1.14.11 and below), DCS-932L (2.17.01 and below), DCS-933L (1.14.11 and below), and DCS-934L (1.05.04 and below).
CVSS 8.8
CVE-2019-11061 WRITEUP CRITICAL
ASUS HG100 Firmware < 4.00.09 - Unauthenticated IoT Device Control via SmartHome DeviceControl Endpoint
A broken access control vulnerability in HG100 firmware versions up to 4.00.06 allows an attacker in the same local area network to control IoT devices that connect with itself via http://[target]/smarthome/devicecontrol without any authentication. CVSS 3.0 base score 10 (Confidentiality, Integrity and Availability impacts). CVSS vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H).
CVSS 10.0
CVE-2019-11069 WRITEUP HIGH
Sequelize 5.0.0-5.2.9 - SQL Injection via Improper Input Validation
Sequelize version 5 before 5.3.0 does not properly ensure that standard conforming strings are used.
CVSS 7.5
CVE-2019-11071 WRITEUP HIGH
SPIP 3.1.0-3.1.9 and 3.2.0-3.2.3 - Authenticated Remote Code Execution via var_memotri Mishandling
SPIP 3.1 before 3.1.10 and 3.2 before 3.2.4 allows authenticated visitors to execute arbitrary code on the host server because var_memotri is mishandled.
CVSS 8.8
CVE-2019-11080 WRITEUP HIGH
Sitecore Experience Platform < 9.1.1 - Authenticated Remote Code Execution via Deserialization
Sitecore Experience Platform (XP) prior to 9.1.1 is vulnerable to remote code execution via deserialization, aka TFS # 293863. An authenticated user with necessary permissions is able to remotely execute OS commands by sending a crafted serialized object.
CVSS 8.8
CVE-2019-11358 WRITEUP MEDIUM
jQuery < 3.4.0 - Prototype Pollution via jQuery.extend
jQuery before 3.4.0, as used in Drupal, Backdrop CMS, and other products, mishandles jQuery.extend(true, {}, ...) because of Object.prototype pollution. If an unsanitized source object contained an enumerable __proto__ property, it could extend the native Object.prototype.
CVSS 6.1
CVE-2019-11368 WRITEUP MEDIUM
AUO Solar Data Recorder <1.3.0 - XSS
Stored XSS was discovered in AUO Solar Data Recorder before 1.3.0 via the protect/config.htm addr parameter.
CVSS 5.4
CVE-2019-11369 WRITEUP HIGH
Carel pCOWeb <B1.2.4 - Info Disclosure
An issue was discovered in Carel pCOWeb prior to B1.2.4. In /config/pw_changeusers.html the device stores cleartext passwords, which may allow sensitive information to be read by someone with access to the device.
CVSS 8.8
CVE-2019-11370 WRITEUP MEDIUM
Carel pCOWeb < B1.2.4 - Stored Cross-Site Scripting in System Contact Field
Stored XSS was discovered in Carel pCOWeb prior to B1.2.4, as demonstrated by the config/pw_snmp.html "System contact" field.
CVSS 5.4
CVE-2019-11408 WRITEUP MEDIUM
FusionPBX 4.4.3 - Unauthenticated Stored Cross-Site Scripting via Caller ID
XSS in app/operator_panel/index_inc.php in the Operator Panel module in FusionPBX 4.4.3 allows remote unauthenticated attackers to inject arbitrary JavaScript characters by placing a phone call using a specially crafted caller ID number. This can further lead to remote code execution by chaining this vulnerability with a command injection vulnerability also present in FusionPBX.
CVSS 6.1
CVE-2019-11409 WRITEUP HIGH
FusionPBX 4.4.3 - Command Injection
app/operator_panel/exec.php in the Operator Panel module in FusionPBX 4.4.3 suffers from a command injection vulnerability due to a lack of input validation that allows authenticated non-administrative attackers to execute commands on the host. This can further lead to remote code execution when combined with an XSS vulnerability also present in the FusionPBX Operator Panel module.
CVSS 8.8
CVE-2019-11454 WRITEUP MEDIUM
Monit < 5.25.3 - Unauthenticated Stored Cross-Site Scripting via Authorization Header
Persistent cross-site scripting (XSS) in http/cervlet.c in Tildeslash Monit before 5.25.3 allows a remote unauthenticated attacker to introduce arbitrary JavaScript via manipulation of an unsanitized user field of the Authorization header for HTTP Basic Authentication, which is mishandled during an _viewlog operation.
CVSS 6.1
CVE-2019-11455 WRITEUP HIGH
Tildeslash Monit <5.25.3 - Buffer Overflow
A buffer over-read in Util_urlDecode in util.c in Tildeslash Monit before 5.25.3 allows a remote authenticated attacker to retrieve the contents of adjacent memory via manipulation of GET or POST parameters. The attacker can also cause a denial of service (application outage).
CVSS 8.1
CVE-2019-11455 WRITEUP HIGH
Tildeslash Monit <5.25.3 - Buffer Overflow
A buffer over-read in Util_urlDecode in util.c in Tildeslash Monit before 5.25.3 allows a remote authenticated attacker to retrieve the contents of adjacent memory via manipulation of GET or POST parameters. The attacker can also cause a denial of service (application outage).
CVSS 8.1
CVE-2019-11458 WRITEUP HIGH
CakePHP 3.7.6 - Arbitrary File Write via Unserialized Object in SmtpTransport
An issue was discovered in SmtpTransport in CakePHP 3.7.6. An unserialized object with modified internal properties can trigger arbitrary file overwriting upon destruction.
CVSS 7.5
CVE-2019-11477 WRITEUP HIGH
Linux Kernel 2.6.29-3.16.69 - Denial of Service via TCP SACK Integer Overflow
Jonathan Looney discovered that the TCP_SKB_CB(skb)->tcp_gso_segs value was subject to an integer overflow in the Linux kernel when handling TCP Selective Acknowledgments (SACKs). A remote attacker could use this to cause a denial of service. This has been fixed in stable kernel releases 4.4.182, 4.9.182, 4.14.127, 4.19.52, 5.1.11, and is fixed in commit 3b4929f65b0d8249f19a50245cd88ed1a2f78cff.
CVSS 7.5
CVE-2019-11487 WRITEUP HIGH
Linux kernel <5.1-rc5 - Use After Free
The Linux kernel before 5.1-rc5 allows page->_refcount reference count overflow, with resultant use-after-free issues, if about 140 GiB of RAM exists. This is related to fs/fuse/dev.c, fs/pipe.c, fs/splice.c, include/linux/mm.h, include/linux/pipe_fs_i.h, kernel/trace/trace.c, mm/gup.c, and mm/hugetlb.c. It can occur with FUSE requests.
CVSS 7.8
CVE-2019-11599 WRITEUP HIGH
Linux kernel <5.0.10 - Info Disclosure
The coredump implementation in the Linux kernel before 5.0.10 does not use locking or other mechanisms to prevent vma layout or vma flags changes while it runs, which allows local users to obtain sensitive information, cause a denial of service, or possibly have unspecified other impact by triggering a race condition with mmget_not_zero or get_task_mm calls. This is related to fs/userfaultfd.c, mm/mmap.c, fs/proc/task_mmu.c, and drivers/infiniband/core/uverbs_main.c.
CVSS 7.0
CVE-2019-11637 WRITEUP MEDIUM
GNU recutils <1.8 - Memory Corruption
An issue was discovered in GNU recutils 1.8. There is a NULL pointer dereference in the function rec_rset_get_props at rec-rset.c in librec.a, leading to a crash.
CVSS 6.5
CVE-2019-11638 WRITEUP MEDIUM
GNU recutils <1.8 - Memory Corruption
An issue was discovered in GNU recutils 1.8. There is a NULL pointer dereference in the function rec_field_name_equal_p at rec-field-name.c in librec.a, leading to a crash.
CVSS 6.5
CVE-2019-11639 WRITEUP HIGH
GNU recutils <1.8 - Buffer Overflow
An issue was discovered in GNU recutils 1.8. There is a stack-based buffer overflow in the function rec_type_check_enum at rec-types.c in librec.a.
CVSS 8.8