Writeup Exploits

62,922 exploits tracked across all sources.

Sort: Activity Stars
CVE-2019-15164 WRITEUP MEDIUM
libpcap < 1.9.1 - Server-Side Request Forgery via rpcapd URL Parameter
rpcapd/daemon.c in libpcap before 1.9.1 allows SSRF because a URL may be provided as a capture source.
CVSS 5.3
CVE-2019-15165 WRITEUP MEDIUM
libpcap < 1.9.1 - Denial of Service via Invalid PHB Header Length
sf-pcapng.c in libpcap before 1.9.1 does not properly validate the PHB header length before allocating memory.
CVSS 5.3
CVE-2019-15166 WRITEUP LOW
tcpdump < 4.9.3 - Buffer Overflow in lmp_print_data_link_subobjs
lmp_print_data_link_subobjs() in print-lmp.c in tcpdump before 4.9.3 lacks certain bounds checks.
CVSS 1.6
CVE-2019-15226 WRITEUP HIGH
Envoy 1.10.0-1.11.1 - Denial of Service via O(n^2) Header Size Verification
Upon receiving each incoming request header data, Envoy will iterate over existing request headers to verify that the total size of the headers stays below a maximum limit. The implementation in versions 1.10.0 through 1.11.1 for HTTP/1.x traffic and all versions of Envoy for HTTP/2 traffic had O(n^2) performance characteristics. A remote attacker may craft a request that stays below the maximum request header size but consists of many thousands of small headers to consume CPU and result in a denial-of-service attack.
CVSS 7.5
CVE-2019-15608 WRITEUP MEDIUM
yarn < 1.19.0 - TOCTOU Race Condition in Package Integrity Validation
The package integrity validation in yarn < 1.19.0 contains a TOCTOU vulnerability where the hash is computed before writing a package to cache. It's not computed again when reading from the cache. This may lead to a cache pollution attack.
CVSS 5.9
CVE-2019-15715 WRITEUP HIGH
MantisBT < 1.3.20 - Authenticated Remote Code Execution via Command Injection
MantisBT before 1.3.20 and 2.22.1 allows Post Authentication Command Injection, leading to Remote Code Execution.
CVSS 7.2
CVE-2019-16941 WRITEUP CRITICAL
NSA Ghidra <= 9.0.4 - Remote Code Execution via Bit Patterns Explorer XML File Processing
NSA Ghidra through 9.0.4, when experimental mode is enabled, allows arbitrary code execution if the Read XML Files feature of Bit Patterns Explorer is used with a modified XML document. This occurs in Features/BytePatterns/src/main/java/ghidra/bitpatterns/info/FileBitPatternInfoReader.java. An attack could start with an XML document that was originally created by DumpFunctionPatternInfoScript but then directly modified by an attacker (for example, to make a java.lang.Runtime.exec call).
CVSS 9.8
CVE-2019-17211 WRITEUP CRITICAL
Arm Mbed OS 5.14.0 - Integer Overflow in CoAP Message Buffer Calculation
An integer overflow was discovered in the CoAP library in Arm Mbed OS 5.14.0. The function sn_coap_builder_calc_needed_packet_data_size_2() is used to calculate the required memory for the CoAP message from the sn_coap_hdr_s data structure. Both returned_byte_count and src_coap_msg_ptr->payload_len are of type uint16_t. When added together, the result returned_byte_count can wrap around the maximum uint16_t value. As a result, insufficient buffer space is allocated for the corresponding CoAP message.
CVSS 9.8
CVE-2019-17212 WRITEUP CRITICAL
Arm Mbed OS 5.14.0 - Heap-based and Stack-based Buffer Overflow in CoAP Parser
Buffer overflows were discovered in the CoAP library in Arm Mbed OS 5.14.0. The CoAP parser is responsible for parsing received CoAP packets. The function sn_coap_parser_options_parse() parses CoAP input linearly using a while loop. Once an option is parsed in a loop, the current point (*packet_data_pptr) is increased correspondingly. The pointer is restricted by the size of the received buffer, as well as by the 0xFF delimiter byte. Inside each while loop, the check of the value of *packet_data_pptr is not strictly enforced. More specifically, inside a loop, *packet_data_pptr could be increased and then dereferenced without checking. Moreover, there are many other functions in the format of sn_coap_parser_****() that do not check whether the pointer is within the bounds of the allocated buffer. All of these lead to heap-based or stack-based buffer overflows, depending on how the CoAP packet buffer is allocated.
CVSS 9.8
CVE-2019-17498 WRITEUP HIGH
libssh2 < 1.9.0 - Integer Overflow in SSH_MSG_DISCONNECT Bounds Check
In libssh2 v1.9.0 and earlier versions, the SSH_MSG_DISCONNECT logic in packet.c has an integer overflow in a bounds check, enabling an attacker to specify an arbitrary (out-of-bounds) offset for a subsequent memory read. A crafted SSH server may be able to disclose sensitive information or cause a denial of service condition on the client system when a user connects to the server.
CVSS 8.1
CVE-2019-17513 WRITEUP HIGH
Ratpack < 1.7.5 - HTTP Response Splitting via Unvalidated HTTP Headers
An issue was discovered in Ratpack before 1.7.5. Due to a misuse of the Netty library class DefaultHttpHeaders, there is no validation that headers lack HTTP control characters. Thus, if untrusted data is used to construct HTTP headers with Ratpack, HTTP Response Splitting can occur.
CVSS 7.5
CVE-2019-18217 WRITEUP HIGH
ProFTPD < 1.3.6b and 1.3.7rc < 1.3.7rc2 - Unauthenticated Denial of Service via Long Command Handling
ProFTPD before 1.3.6b and 1.3.7rc before 1.3.7rc2 allows remote unauthenticated denial-of-service due to incorrect handling of overly long commands because main.c in a child process enters an infinite loop.
CVSS 7.5
CVE-2019-18841 WRITEUP HIGH
Chartkick.js <3.1.4 - Info Disclosure
Chartkick.js 3.1.0 through 3.1.3, as used in the Chartkick gem before 3.3.0 for Ruby, allows prototype pollution.
CVSS 7.3
CVE-2019-19576 WRITEUP CRITICAL
verot.net class.upload <2.0.4 - Info Disclosure
class.upload.php in verot.net class.upload before 1.0.3 and 2.x before 2.0.4, as used in the K2 extension for Joomla! and other products, omits .phar from the set of dangerous file extensions.
CVSS 9.8
CVE-2019-19905 WRITEUP CRITICAL
NetHack 3.6.0-3.6.3 - Buffer Overflow via Long Configuration File Lines
NetHack 3.6.x before 3.6.4 is prone to a buffer overflow vulnerability when reading very long lines from configuration files. This affects systems that have NetHack installed suid/sgid, and shared systems that allow users to upload their own configuration files.
CVSS 9.8
CVE-2019-19927 WRITEUP MEDIUM
Linux Kernel 5.0.0-rc7 - Out-of-bounds Read in ttm_put_pages
In the Linux kernel 5.0.0-rc7 (as distributed in ubuntu/linux.git on kernel.ubuntu.com), mounting a crafted f2fs filesystem image and performing some operations can lead to slab-out-of-bounds read access in ttm_put_pages in drivers/gpu/drm/ttm/ttm_page_alloc.c. This is related to the vmwgfx or ttm module.
CVSS 6.0
CVE-2019-20107 WRITEUP HIGH
TestLink <= 1.9.19 - Authenticated SQL Injection via Multiple Parameters
Multiple SQL injection vulnerabilities in TestLink through 1.9.19 allows remote authenticated users to execute arbitrary SQL commands via the (1) tproject_id parameter to keywordsView.php; the (2) req_spec_id parameter to reqSpecCompareRevisions.php; the (3) requirement_id parameter to reqCompareVersions.php; the (4) build_id parameter to planUpdateTC.php; the (5) tplan_id parameter to newest_tcversions.php; the (6) tplan_id parameter to tcCreatedPerUserGUI.php; the (7) tcase_id parameter to tcAssign2Tplan.php; or the (8) testcase_id parameter to tcCompareVersions.php. Authentication is often easy to achieve: a guest account, that can execute this attack, can be created by anyone in the default configuration.
CVSS 8.8
CVE-2019-5736 WRITEUP HIGH
Docker Container Escape Via runC Overwrite
runc through 1.0-rc6, as used in Docker before 18.09.2 and other products, allows attackers to overwrite the host runc binary (and consequently obtain host root access) by leveraging the ability to execute a command as root within one of these types of containers: (1) a new container with an attacker-controlled image, or (2) an existing container, to which the attacker previously had write access, that can be attached with docker exec. This occurs because of file-descriptor mishandling, related to /proc/self/exe.
CVSS 8.6
CVE-2019-6009 WRITEUP MEDIUM
SHIRASAGI <= 1.7.0 - Open Redirect
Open redirect vulnerability in SHIRASAGI v1.7.0 and earlier allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via unspecified vectors.
CVSS 6.1
CVE-2019-7676 WRITEUP HIGH
Enphase Envoy R3.*.* - Info Disclosure
A weak password vulnerability was discovered in Enphase Envoy R3.*.*. One can login via TCP port 8888 with the admin password for the admin account.
CVSS 7.2
CVE-2019-8903 WRITEUP HIGH
Total.js prior to 3.2.4 Directory Traversal
index.js in Total.js Platform before 3.2.3 allows path traversal.
CVSS 7.5
CVE-2019-8953 WRITEUP MEDIUM
netgate/haproxy < 0.59_16 - Cross-Site Scripting via Description or ACL Parameter
The HAProxy package before 0.59_16 for pfSense has XSS via the desc (aka Description) or table_actionsaclN parameter, related to haproxy_listeners.php and haproxy_listeners_edit.php.
CVSS 6.1
CVE-2020-10220 WRITEUP CRITICAL
Rconfig 3.x Chained Remote Code Execution
An issue was discovered in rConfig through 3.9.4. The web interface is prone to a SQL injection via the commands.inc.php searchColumn parameter.
CVSS 9.8
CVE-2020-11037 WRITEUP MEDIUM
Wagtail <2.7.3-2.8.2 - Info Disclosure
In Wagtail before versions 2.7.3 and 2.8.2, a potential timing attack exists on pages or documents that have been protected with a shared password through Wagtail's "Privacy" controls. This password check is performed through a character-by-character string comparison, and so an attacker who is able to measure the time taken by this check to a high degree of accuracy could potentially use timing differences to gain knowledge of the password. This is [understood to be feasible on a local network, but not on the public internet](https://groups.google.com/d/msg/django-developers/iAaq0pvHXuA/fpUuwjK3i2wJ). Privacy settings that restrict access to pages/documents on a per-user or per-group basis (as opposed to a shared password) are unaffected by this vulnerability. This has been patched in 2.7.3, 2.8.2, 2.9.
CVSS 6.1
CVE-2020-11054 WRITEUP LOW
qutebrowser <1.11.1 - Info Disclosure
In qutebrowser versions less than 1.11.1, reloading a page with certificate errors shows a green URL. After a certificate error was overridden by the user, qutebrowser displays the URL as yellow (colors.statusbar.url.warn.fg). However, when the affected website was subsequently loaded again, the URL was mistakenly displayed as green (colors.statusbar.url.success_https). While the user already has seen a certificate error prompt at this point (or set content.ssl_strict to false, which is not recommended), this could still provide a false sense of security. This has been fixed in 1.11.1 and 1.12.0. All versions of qutebrowser are believed to be affected, though versions before v0.11.x couldn't be tested. Backported patches for older versions (greater than or equal to 1.4.0 and less than or equal to 1.10.2) are available, but no further releases are planned.
CVSS 3.5