Writeup Exploits
62,967 exploits tracked across all sources.
Docker Container Escape Via runC Overwrite
runc through 1.0-rc6, as used in Docker before 18.09.2 and other products, allows attackers to overwrite the host runc binary (and consequently obtain host root access) by leveraging the ability to execute a command as root within one of these types of containers: (1) a new container with an attacker-controlled image, or (2) an existing container, to which the attacker previously had write access, that can be attached with docker exec. This occurs because of file-descriptor mishandling, related to /proc/self/exe.
CVSS 8.6
SHIRASAGI <= 1.7.0 - Open Redirect
Open redirect vulnerability in SHIRASAGI v1.7.0 and earlier allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via unspecified vectors.
CVSS 6.1
ntpsec < 1.1.3 - Authenticated Out-of-bounds Write via Malformed Config Request
An issue was discovered in NTPsec before 1.1.3. An authenticated attacker can write one byte out of bounds in ntpd via a malformed config request, related to config_remotely in ntp_config.c, yyparse in ntp_parser.tab.c, and yyerror in ntp_parser.y.
CVSS 6.5
ntpsec < 1.1.3 - Stack-based Buffer Over-read in ntp_control.c
An issue was discovered in NTPsec before 1.1.3. Because of a bug in ctl_getitem, there is a stack-based buffer over-read in read_sysvars in ntp_control.c in ntpd.
CVSS 9.1
ntpsec < 1.1.3 - Stack-based Buffer Over-read via process_control
An issue was discovered in NTPsec before 1.1.3. process_control() in ntp_control.c has a stack-based buffer over-read because attacker-controlled data is dereferenced by ntohl() in ntpd.
CVSS 9.1
ntpsec < 1.1.3 - Authenticated Denial of Service via NULL Pointer Dereference in ntp_control.c
An issue was discovered in NTPsec before 1.1.3. An authenticated attacker can cause a NULL pointer dereference and ntpd crash in ntp_control.c, related to ctl_getitem.
CVSS 6.5
NumPy < 1.16.3 - Remote Code Execution via Unsafe Pickle Deserialization
An issue was discovered in NumPy before 1.16.3. It uses the pickle Python module unsafely, which allows remote attackers to execute arbitrary code via a crafted serialized object, as demonstrated by a numpy.load call. NOTE: third parties dispute this issue because it is a behavior that might have legitimate applications in (for example) loading serialized Python object arrays from trusted and authenticated sources.
CVSS 9.8
GO < 1.10.8 - Resource Allocation Without Limits
Go before 1.10.8 and 1.11.x before 1.11.5 mishandles P-521 and P-384 elliptic curves, which allows attackers to cause a denial of service (CPU consumption) or possibly conduct ECDH private key recovery attacks.
CVSS 8.2
TP-Link WDR Series < 3.0 - Authenticated Remote Code Execution via Weather Citycode Field
TP-Link WDR Series devices through firmware v3 (such as TL-WDR5620 V3.0) are affected by command injection (after login) leading to remote code execution, because shell metacharacters can be included in the weather get_weather_observe citycode field.
CVSS 8.8
Lua 5.3.5 - Use-After-Free in lua_upvaluejoin
Lua 5.3.5 has a use-after-free in lua_upvaluejoin in lapi.c. For example, a crash outcome might be achieved by an attacker who is able to trigger a debug.upvaluejoin call in which the arguments have certain relationships.
CVSS 7.5
Lua 5.3.5 - Use-After-Free in lua_upvaluejoin
Lua 5.3.5 has a use-after-free in lua_upvaluejoin in lapi.c. For example, a crash outcome might be achieved by an attacker who is able to trigger a debug.upvaluejoin call in which the arguments have certain relationships.
CVSS 7.5
BlogEngine.NET < 3.3.6.0 - Unauthenticated Path Traversal and Local File Inclusion via PostList.ascx.cs
An issue was discovered in BlogEngine.NET through 3.3.6.0. A path traversal and Local File Inclusion vulnerability in PostList.ascx.cs can cause unauthenticated users to load a PostView.ascx component from a potentially untrusted location on the local filesystem. This is especially dangerous if an authenticated user uploads a PostView.ascx file using the file manager utility, which is currently allowed. This results in remote code execution for an authenticated user.
CVSS 9.8
BlogEngine.NET 3.3 - XML External Entity (XXE)
BlogEngine.NET 3.3 allows XXE attacks via the POST body to metaweblog.axd.
CVSS 9.8
TP-Link TL-WR1043ND V2 - Auth Bypass
An issue was discovered on TP-Link TL-WR1043ND V2 devices. An attacker can send a cookie in an HTTP authentication packet to the router management web interface, and fully control the router without knowledge of the credentials.
CVSS 9.8
gSOAP 2.8.x - Denial of Service via Incomplete HTTP Requests
Sricam IP CCTV cameras are vulnerable to denial of service via multiple incomplete HTTP requests because the web server (based on gSOAP 2.8.x) is configured for an iterative queueing approach (aka non-threaded operation) with a timeout of several seconds.
CVSS 7.5
Linux kernel <4.20.8 - Use After Free
In the Linux kernel before 4.20.8, kvm_ioctl_create_device in virt/kvm/kvm_main.c mishandles reference counting because of a race condition, leading to a use-after-free.
CVSS 8.1
FileChucker 4.99e-free-e02 - Filter Bypass
An issue was discovered in FileChucker 4.99e-free-e02. filechucker.cgi has a filter bypass that allows a malicious user to upload any type of file by using % characters within the extension, e.g., file.%ph%p becomes file.php.
CVSS 7.8
Linux kernel <4.20.6 - Memory Corruption
kernel/bpf/verifier.c in the Linux kernel before 4.20.6 performs undesirable out-of-bounds speculation on pointer arithmetic in various cases, including cases of different branches with different state or limits to sanitize, leading to side-channel attacks.
CVSS 5.6
Subrion CMS 4.2.1 - Cross-Site Scripting via Panel Phrases VALUE Parameter
Subrion CMS v4.2.1 allows XSS via the panel/phrases/ VALUE parameter.
CVSS 5.4
Subrion CMS 4.2.1 - Cross-Site Request Forgery in Plugin Activation
Subrion CMS 4.2.1 has CSRF in panel/modules/plugins/. The attacker can remotely activate/deactivate the plugins.
CVSS 8.8
Subrion CMS 4.2.1 - Privilege Escalation
An issue was discovered in Subrion CMS 4.2.1, allowing authenticated adminitrators or moderators with access to the built-in Run SQL Query feature under the SQL Tool admin panel - to gain escalated privileges in the context of the SQL query tool.
CVSS 3.8
Subrion CMS 4.2.1 - SQL Injection via ia.core.mysqli.php
Subrion CMS 4.2.1 is vulnerable to SQL Injection via ia.core.mysqli.php. NOTE: this is disputed by multiple third parties because it refers to an HTTP request to a PHP file that only contains a class, without any mechanism for accepting external input, and the reportedly vulnerable method is not present in the file.
CVSS 9.8
Subrion 4.2.1 - Remote Code Execution
Subrion 4.2.1 has a remote command execution vulnerability in the backend.
CVSS 8.8
Subrion CMS 4.2.1 - Stored Cross-Site Scripting via Tooltip Text Field
A cross-site scripting (XSS) vulnerability in the CMS Field Add page of Intelliants Subrion CMS v4.2.1 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the tooltip text field.
CVSS 6.1
Subrion CMS 4.2.1 - Stored Cross-Site Scripting via Field Default Value
A cross-site scripting (XSS) vulnerability in the /panel/fields/add component of Intelliants Subrion CMS v4.2.1 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the Field default value text field.
CVSS 6.1
By Source