Writeup Exploits
62,992 exploits tracked across all sources.
Subrion 4.1-4.1.5 and < 4.2.0 - Cross-Site Request Forgery via Panel Database Query Parameter
There are CSRF vulnerabilities in Subrion CMS 4.1.x through 4.1.5, and before 4.2.0, because of a logic error. Although there is functionality to detect CSRF, it is called too late in the ia.core.php code, allowing (for example) an attack against the query parameter to panel/database.
CVSS 8.8
Subrion CMS < 4.1.4 - SQL Injection via POST Array
Subrion CMS before 4.1.6 has a SQL injection vulnerability in /front/actions.php via the $_POST array.
CVSS 9.8
Subrion CMS < 4.1.4 - SQL Injection via Search GET Parameter
Subrion CMS before 4.1.5.10 has a SQL injection vulnerability in /front/search.php via the $_GET array.
CVSS 9.8
Subrion < 4.1.6 - Cross-Site Scripting via Blog Add Body Parameter
Cross-site scripting (XSS) vulnerability in Subrion CMS 4.1.4 allows remote attackers to inject arbitrary web script or HTML via the body to blog/add/, a different vulnerability than CVE-2017-6069.
CVSS 6.1
D-Link DIR-817LW, DIR-816L, DIR-816, DIR-850L, and DIR-868L Firmware - Unauthenticated Information Disclosure
D-Link routers with the mydlink feature have some web interfaces without authentication requirements. An attacker can remotely obtain users' DNS query logs and login logs. Vulnerable targets include but are not limited to the latest firmware versions of DIR-817LW (A1-1.04), DIR-816L (B1-2.06), DIR-816 (B1-2.06?), DIR-850L (A1-1.09), and DIR-868L (A1-1.10).
CVSS 7.5
Enphase Envoy R3.*.* - Info Disclosure
A weak password vulnerability was discovered in Enphase Envoy R3.*.*. One can login via TCP port 8888 with the admin password for the admin account.
CVSS 7.2
Enphase Envoy 3.0.0-3.8.9 - Cross-Site Scripting via ProfileName Parameter
XSS exists in Enphase Envoy R3.*.* via the profileName parameter to the /home URI on TCP port 8888.
CVSS 6.1
Enphase Envoy R3.*.* - Path Traversal
A directory traversal vulnerability was discovered in Enphase Envoy R3.*.* via images/, include/, include/js, or include/css on TCP port 8888.
CVSS 9.8
NukeViet < 4.3.04 - Deserialization of Untrusted Data via nvloginhash Cookie
includes/core/is_user.php in NukeViet before 4.3.04 deserializes the untrusted nvloginhash cookie (i.e., the code relies on PHP's serialization format when JSON can be used to eliminate the risk).
CVSS 9.8
NukeViet < 4.3.04 - SQL Injection via HTTP Header Data
modules/banners/funcs/click.php in NukeViet before 4.3.04 has a SQL INSERT statement with raw header data from an HTTP request (e.g., Referer and User-Agent).
CVSS 9.8
gpg-pgp < 1.0(9) - Improper Verification of Cryptographic Signature
The signature verification routine in the Airmail GPG-PGP Plugin, versions 1.0 (9) and earlier, does not verify the status of the signature at all, which allows remote attackers to spoof arbitrary email signatures by crafting a signed email with an invalid signature. Also, it does not verify the validity of the signing key, which allows remote attackers to spoof arbitrary email signatures by crafting a key with a fake user ID (email address) and injecting it into the user's keyring.
CVSS 5.9
Jinja2 - Server-Side Template Injection via from_string Function
An issue was discovered in Jinja2 2.10. The from_string function is prone to Server Side Template Injection (SSTI) where it takes the "source" parameter as a template object, renders it, and then returns it. The attacker can exploit it with {{INJECTION COMMANDS}} in a URI. NOTE: The maintainer and multiple third parties believe that this vulnerability isn't valid because users shouldn't use untrusted templates without sandboxing
CVSS 9.8
WebKitGTK < 2.23.90 and WebKitGTK+ < 2.22.6 - Buffer Overflow via Script Dialog Size Manipulation
The UIProcess subsystem in WebKit, as used in WebKitGTK through 2.23.90 and WebKitGTK+ through 2.22.6 and other products, does not prevent the script dialog size from exceeding the web view size, which allows remote attackers to cause a denial of service (Buffer Overflow) or possibly have unspecified other impact, related to UIProcess/API/gtk/WebKitScriptDialogGtk.cpp, UIProcess/API/gtk/WebKitScriptDialogImpl.cpp, and UIProcess/API/gtk/WebKitWebViewGtk.cpp, as demonstrated by GNOME Web (aka Epiphany).
CVSS 9.8
Musicloud 1.6 - Unauthenticated Path Traversal and Arbitrary File Read via Wi-Fi Transfer Feature
A file-read vulnerability was identified in the Wi-Fi transfer feature of Musicloud 1.6. By default, the application runs a transfer service on port 8080, accessible by everyone on the same Wi-Fi network. An attacker can send the POST parameters downfiles and cur-folder (with a crafted ../ payload) to the download.script endpoint. This will create a MusicPlayerArchive.zip archive that is publicly accessible and includes the content of any requested file (such as the /etc/passwd file).
CVSS 8.1
ORY Hydra < v1.0.0-rc.3+oryOS.9 - Reflected Cross-Site Scripting via OAuth2 Error Hint Parameter
ORY Hydra before v1.0.0-rc.3+oryOS.9 has Reflected XSS via the oauth2/fallbacks/error error_hint parameter.
CVSS 6.1
Total.js prior to 3.2.4 Directory Traversal
index.js in Total.js Platform before 3.2.3 allows path traversal.
CVSS 7.5
netgate/haproxy < 0.59_16 - Cross-Site Scripting via Description or ACL Parameter
The HAProxy package before 0.59_16 for pfSense has XSS via the desc (aka Description) or table_actionsaclN parameter, related to haproxy_listeners.php and haproxy_listeners_edit.php.
CVSS 6.1
Kohana < 3.3.6 - SQL Injection via order_by Parameter
Kohana through 3.3.6 has SQL Injection when the order_by() parameter can be controlled.
CVSS 9.8
Netis WF2411 and WF2880 Firmware - Unauthenticated Stack-Based Buffer Overflow via HTTP Authorization Header
On Netis WF2411 with firmware 2.1.36123 and other Netis WF2xxx devices (possibly WF2411 through WF2880), there is a stack-based buffer overflow that does not require authentication. This can cause denial of service (device restart) or remote code execution. This vulnerability can be triggered by a GET request with a long HTTP "Authorization: Basic" header that is mishandled by user_auth->user_ok in /bin/boa.
CVSS 9.8
CMS Made Simple 2.2.8 - Unauthenticated Blind SQL Injection via News Module m1_idlist Parameter
An issue was discovered in CMS Made Simple 2.2.8. It is possible with the News module, through a crafted URL, to achieve unauthenticated blind time-based SQL injection via the m1_idlist parameter.
CVSS 8.1
D-Link DIR-878 1.12B01 - Unauthenticated Stack-Based Buffer Overflow via HNAP_AUTH HTTP Header
An issue was discovered on D-Link DIR-878 1.12B01 devices. Because strncpy is misused, there is a stack-based buffer overflow vulnerability that does not require authentication via the HNAP_AUTH HTTP header.
CVSS 9.8
Linux Kernel 4.19-4.19.24 - Out-of-bounds Write in SNMP NAT Module
In the Linux kernel before 4.20.12, net/ipv4/netfilter/nf_nat_snmp_basic_main.c in the SNMP NAT module has insufficient ASN.1 length checks (aka an array index error), making out-of-bounds read and write operations possible, leading to an OOPS or local privilege escalation. This affects snmp_version and snmp_helper.
CVSS 7.8
Reliable Datagram Sockets (RDS) rds_atomic_free_op NULL pointer dereference Privilege Escalation
In the Linux kernel before 4.20.14, expand_downwards in mm/mmap.c lacks a check for the mmap minimum address, which makes it easier for attackers to exploit kernel NULL pointer dereferences on non-SMAP platforms. This is related to a capability check for the wrong task.
CVSS 5.5
SwiftNIO 1.0.0-1.3.9 - Denial of Service via HTTP/2 Window Size Manipulation
Some HTTP/2 implementations are vulnerable to window size manipulation and stream prioritization manipulation, potentially leading to a denial of service. The attacker requests a large amount of data from a specified resource over multiple streams. They manipulate window size and stream priority to force the server to queue the data in 1-byte chunks. Depending on how efficiently this data is queued, this can consume excess CPU, memory, or both.
CVSS 7.5
ShoreTel Connect ONSITE <19.49.1500.0 - XSS
A reflected Cross-site scripting (XSS) vulnerability in ShoreTel Connect ONSITE before 19.49.1500.0 allows remote attackers to inject arbitrary web script or HTML via the brandUrl parameter.
CVSS 6.1
By Source