Writeup Exploits

62,915 exploits tracked across all sources.

Sort: Activity Stars
CVE-2019-14537 WRITEUP CRITICAL
YOURLS < 1.7.3 - Authentication Bypass via Type Juggling
YOURLS through 1.7.3 is affected by a type juggling vulnerability in the api component that can result in login bypass.
CVSS 9.8
CVE-2019-14537 WRITEUP CRITICAL
YOURLS < 1.7.3 - Authentication Bypass via Type Juggling
YOURLS through 1.7.3 is affected by a type juggling vulnerability in the api component that can result in login bypass.
CVSS 9.8
CVE-2019-14537 WRITEUP CRITICAL
YOURLS < 1.7.3 - Authentication Bypass via Type Juggling
YOURLS through 1.7.3 is affected by a type juggling vulnerability in the api component that can result in login bypass.
CVSS 9.8
CVE-2019-14540 WRITEUP CRITICAL
FasterXML jackson-databind <2.9.10 - Info Disclosure
A Polymorphic Typing issue was discovered in FasterXML jackson-databind before 2.9.10. It is related to com.zaxxer.hikari.HikariConfig.
CVSS 9.8
CVE-2019-14652 WRITEUP MEDIUM
Amazon AWS JavaScript S3 Explorer <2019-08-02 - XSS
explorer.js in Amazon AWS JavaScript S3 Explorer (aka aws-js-s3-explorer) v2 alpha before 2019-08-02 allows XSS in certain circumstances.
CVSS 6.1
CVE-2019-14667 WRITEUP MEDIUM
Firefly III 4.7.17.4 - Stored Cross-Site Scripting in Transaction Description and Asset Account Name
Firefly III 4.7.17.4 is vulnerable to multiple stored XSS issues due to the lack of filtration of user-supplied data in the transaction description field and the asset account name. The JavaScript code is executed during a convert transaction action.
CVSS 6.1
CVE-2019-14748 WRITEUP MEDIUM
osTicket <1.10.7/1.12.x<1.12.1 - Unrestricted File Upload & Stored XSS via Ticket Form
An issue was discovered in osTicket before 1.10.7 and 1.12.x before 1.12.1. The Ticket creation form allows users to upload files along with queries. It was found that the file-upload functionality has fewer (or no) mitigations implemented for file content checks; also, the output is not handled properly, causing persistent XSS that leads to cookie stealing or malicious actions. For example, a non-agent user can upload a .html file, and Content-Disposition will be set to inline instead of attachment.
CVSS 5.4
CVE-2019-14749 WRITEUP HIGH
osTicket <1.10.7, <1.12.1 - Code Injection
An issue was discovered in osTicket before 1.10.7 and 1.12.x before 1.12.1. CSV (aka Formula) injection exists in the export spreadsheets functionality. These spreadsheets are generated dynamically from unvalidated or unfiltered user input in the Name and Internal Notes fields in the Users tab, and the Issue Summary field in the tickets tab. This allows other agents to download data in a .csv file format or .xls file format. This is used as input for spreadsheet applications such as Excel and OpenOffice Calc, resulting in a situation where cells in the spreadsheets can contain input from an untrusted source. As a result, the end user who is accessing the exported spreadsheet can be affected.
CVSS 8.8
CVE-2019-14750 WRITEUP MEDIUM
osTicket < 1.10.7 and 1.12.x < 1.12.1 - Stored Cross-Site Scripting in Installer Firstname/Lastname Fields
An issue was discovered in osTicket before 1.10.7 and 1.12.x before 1.12.1. Stored XSS exists in setup/install.php. It was observed that no input sanitization was provided in the firstname and lastname fields of the application. The insertion of malicious queries in those fields leads to the execution of those queries. This can further lead to cookie stealing or other malicious actions.
CVSS 6.1
CVE-2019-14751 WRITEUP HIGH
nltk < 3.4.5 - Arbitrary File Write via Directory Traversal in Package Extraction
NLTK Downloader before 3.4.5 is vulnerable to a directory traversal, allowing attackers to write arbitrary files via a ../ (dot dot slash) in an NLTK package (ZIP archive) that is mishandled during extraction.
CVSS 7.5
CVE-2019-14763 WRITEUP MEDIUM
Linux Kernel < 4.16.4 - Denial of Service via Double-Locking in USB DWC3 Gadget Driver
In the Linux kernel before 4.16.4, a double-locking error in drivers/usb/dwc3/gadget.c may potentially cause a deadlock with f_hid.
CVSS 5.5
CVE-2019-14804 WRITEUP MEDIUM
UNA 10.0.0-RC1 - Stored Cross-Site Scripting via System Name Field in Email Template Editor
studio/polyglot.php?page=etemplates in UNA 10.0.0-RC1 allows XSS via the System Name field under Emails during template editing.
CVSS 4.8
CVE-2019-14857 WRITEUP MEDIUM
mod_auth_openidc < 2.4.0.1 - Open Redirect via Trailing Slash URL
A flaw was found in mod_auth_openidc before version 2.4.0.1. An open redirect issue exists in URLs with trailing slashes similar to CVE-2019-3877 in mod_auth_mellon.
CVSS 6.1
CVE-2019-15029 WRITEUP HIGH
FusionPBX 4.4.8 - Authenticated Remote Code Execution via service_edit.php Command Injection
FusionPBX 4.4.8 allows an attacker to execute arbitrary system commands by submitting a malicious command to the service_edit.php file (which will insert the malicious command into the database). To trigger the command, one needs to call the services.php file via a GET request with the service id followed by the parameter a=start to execute the stored command.
CVSS 8.8
CVE-2019-15081 WRITEUP MEDIUM
OpenCart 3.0.0.0-3.0.3.1 - Authenticated Stored Cross-Site Scripting in Source/HTML Editor
OpenCart 3.x, when the attacker has login access to the admin panel, allows stored XSS within the Source/HTML editing feature of the Categories, Product, and Information pages.
CVSS 4.8
CVE-2019-15161 WRITEUP MEDIUM
libpcap < 1.9.1 - Buffer Overflow via rpcapd/daemon.c Length Mishandling
rpcapd/daemon.c in libpcap before 1.9.1 mishandles certain length values because of reuse of a variable. This may open up an attack vector involving extra data at the end of a request.
CVSS 5.3
CVE-2019-15162 WRITEUP MEDIUM
libpcap < 1.9.1 - Information Disclosure via Authentication Error Messages
rpcapd/daemon.c in libpcap before 1.9.1 on non-Windows platforms provides details about why authentication failed, which might make it easier for attackers to enumerate valid usernames.
CVSS 5.3
CVE-2019-15163 WRITEUP HIGH
libpcap < 1.9.1 - Denial of Service via NULL Pointer Dereference in rpcapd
rpcapd/daemon.c in libpcap before 1.9.1 allows attackers to cause a denial of service (NULL pointer dereference and daemon crash) if a crypt() call fails.
CVSS 7.5
CVE-2019-15164 WRITEUP MEDIUM
libpcap < 1.9.1 - Server-Side Request Forgery via rpcapd URL Parameter
rpcapd/daemon.c in libpcap before 1.9.1 allows SSRF because a URL may be provided as a capture source.
CVSS 5.3
CVE-2019-15165 WRITEUP MEDIUM
libpcap < 1.9.1 - Denial of Service via Invalid PHB Header Length
sf-pcapng.c in libpcap before 1.9.1 does not properly validate the PHB header length before allocating memory.
CVSS 5.3
CVE-2019-15166 WRITEUP LOW
tcpdump < 4.9.3 - Buffer Overflow in lmp_print_data_link_subobjs
lmp_print_data_link_subobjs() in print-lmp.c in tcpdump before 4.9.3 lacks certain bounds checks.
CVSS 1.6
CVE-2019-15226 WRITEUP HIGH
Envoy 1.10.0-1.11.1 - Denial of Service via O(n^2) Header Size Verification
Upon receiving each incoming request header data, Envoy will iterate over existing request headers to verify that the total size of the headers stays below a maximum limit. The implementation in versions 1.10.0 through 1.11.1 for HTTP/1.x traffic and all versions of Envoy for HTTP/2 traffic had O(n^2) performance characteristics. A remote attacker may craft a request that stays below the maximum request header size but consists of many thousands of small headers to consume CPU and result in a denial-of-service attack.
CVSS 7.5
CVE-2019-15608 WRITEUP MEDIUM
yarn < 1.19.0 - TOCTOU Race Condition in Package Integrity Validation
The package integrity validation in yarn < 1.19.0 contains a TOCTOU vulnerability where the hash is computed before writing a package to cache. It's not computed again when reading from the cache. This may lead to a cache pollution attack.
CVSS 5.9
CVE-2019-15715 WRITEUP HIGH
MantisBT < 1.3.20 - Authenticated Remote Code Execution via Command Injection
MantisBT before 1.3.20 and 2.22.1 allows Post Authentication Command Injection, leading to Remote Code Execution.
CVSS 7.2
CVE-2019-16941 WRITEUP CRITICAL
NSA Ghidra <= 9.0.4 - Remote Code Execution via Bit Patterns Explorer XML File Processing
NSA Ghidra through 9.0.4, when experimental mode is enabled, allows arbitrary code execution if the Read XML Files feature of Bit Patterns Explorer is used with a modified XML document. This occurs in Features/BytePatterns/src/main/java/ghidra/bitpatterns/info/FileBitPatternInfoReader.java. An attack could start with an XML document that was originally created by DumpFunctionPatternInfoScript but then directly modified by an attacker (for example, to make a java.lang.Runtime.exec call).
CVSS 9.8