Writeup Exploits
62,992 exploits tracked across all sources.
ShoreTel Connect ONSITE <19.45.1602.0 - XSS
A reflected Cross-site scripting (XSS) vulnerability in ShoreTel Connect ONSITE 19.45.1602.0 allows remote attackers to inject arbitrary web script or HTML via the url parameter.
CVSS 6.1
ShoreTel Connect ONSITE <18.82.2000.0 - XSS
A reflected Cross-site scripting (XSS) vulnerability in ShoreTel Connect ONSITE 18.82.2000.0 allows remote attackers to inject arbitrary web script or HTML via the page parameter.
CVSS 6.1
Darktrace Enterprise Immune System <3.1 - CSRF
Darktrace Enterprise Immune System before 3.1 allows CSRF via the /whitelisteddomains endpoint.
CVSS 6.5
DirectAdmin 1.55 - Cross-Site Request Forgery via CMD_ACCOUNT_ADMIN URI
JBMC DirectAdmin 1.55 allows CSRF via the /CMD_ACCOUNT_ADMIN URI to create a new admin account.
CVSS 8.8
Libav < 12.3 - Stack-based Buffer Overflow in Subtitle Decoder
A stack-based buffer overflow in the subtitle decoder in Libav 12.3 allows attackers to corrupt the stack via a crafted video file in Matroska format, because srt_to_ass in libavcodec/srtdec.c misuses snprintf. NOTE: Third parties dispute that this is a vulnerability because “no evidence of a vulnerability is provided” and only “a generic warning from a static code analysis” is provided
CVSS 8.8
Shanda MapleStory Online V160 - Privilege Escalation
In Shanda MapleStory Online V160, the SdoKeyCrypt.sys driver allows privilege escalation to NT AUTHORITY\SYSTEM because of not validating the IOCtl 0x8000c01c input value, leading to an integer signedness error and a heap-based buffer underflow.
CVSS 7.8
CloudCTI HIP Integrator Recognition Configuration Tool - Privilege Escalation
CloudCTI HIP Integrator Recognition Configuration Tool allows privilege escalation via its EXQUISE integration. This tool communicates with a service (Recognition Update Client Service) via an insecure communication channel (Named Pipe). The data (JSON) sent via this channel is used to import data from CRM software using plugins (.dll files). The plugin to import data from the EXQUISE software (DatasourceExquiseExporter.dll) can be persuaded to start arbitrary programs (including batch files) that are executed using the same privileges as Recognition Update Client Service (NT AUTHORITY\SYSTEM), thus elevating privileges. This occurs because a higher-privileged process executes scripts from a directory writable by a lower-privileged user.
CVSS 7.8
FTPGetter Standard <5.97.0.177 - RCE
FTPGetter Standard v.5.97.0.177 allows remote code execution when a user initiates an FTP connection to an attacker-controlled machine that sends crafted responses. Long responses can also crash the FTP client with memory corruption.
CVSS 9.8
WordPress < 5.1.1 - Unauthenticated Remote Code Execution via CSRF and XSS in Comment Handling
WordPress before 5.1.1 does not properly filter comment content, leading to Remote Code Execution by unauthenticated users in a default configuration. This occurs because CSRF protection is mishandled, and because Search Engine Optimization of A elements is performed incorrectly, leading to XSS. The XSS results in administrative access, which allows arbitrary changes to .php files. This is related to wp-admin/includes/ajax-actions.php and wp-includes/comment.php.
CVSS 8.8
DiffPlug Spotless <1.20.0/<3.20.0 - Info Disclosure
In DiffPlug Spotless before 1.20.0 (library and Maven plugin) and before 3.20.0 (Gradle plugin), the XML parser would resolve external entities over both HTTP and HTTPS and didn't respect the resolveExternalEntities setting. For example, this allows disclosure of file contents to a MITM attacker if a victim performs a spotlessApply operation on an untrusted XML file.
CVSS 7.5
WPGraphQL 0.2.3 - Unauthenticated Comment Posting via createComment Mutation
The createComment mutation in the WPGraphQL 0.2.3 plugin for WordPress allows unauthenticated users to post comments on any article, even when 'allow comment' is disabled.
CVSS 5.3
LimeSurvey Zip Path Traversals
The downloadZip function in application/controllers/admin/export.php in LimeSurvey through 3.16.1+190225 allows a relative path.
CVSS 9.8
D-Link DIR-825 Rev.B 2.10 and TRENDnet TEW-632BRP 1.010B32 - OS Command Injection via wps_sta_enrollee_pin Parameter
An issue was discovered on D-Link DIR-825 Rev.B 2.10 devices. They allow remote attackers to execute arbitrary commands via the wps_sta_enrollee_pin parameter in a set_sta_enrollee_pin.cgi POST request. TRENDnet TEW-632BRP 1.010B32 is also affected.
CVSS 8.8
D-Link DIR-825 Rev.B 2.10 and TRENDnet TEW-632BRP 1.010B32 - OS Command Injection via dns_query_name Parameter
An issue was discovered on D-Link DIR-825 Rev.B 2.10 devices. They allow remote attackers to execute arbitrary commands via the dns_query_name parameter in a dns_query.cgi POST request. TRENDnet TEW-632BRP 1.010B32 is also affected.
CVSS 8.8
D-Link DIR-825 Rev.B 2.10 and TRENDnet TEW-632BRP 1.010B32 - OS Command Injection via Date Parameter
An issue was discovered on D-Link DIR-825 Rev.B 2.10 devices. They allow remote attackers to execute arbitrary commands via the date parameter in a system_time.cgi POST request. TRENDnet TEW-632BRP 1.010B32 is also affected.
CVSS 8.8
Sentrifugo 3.5 - Authenticated Unrestricted File Upload via AssetsController
In Sentrifugo 3.5, the AssetsController::uploadsaveAction function allows an authenticated attacker to upload any file without extension filtering.
CVSS 8.8
Sapplica Sentrifugo 3.2 - Blind SQL Injection via HolidaydatesController addAction Function
A Blind SQL Injection issue was discovered in Sapplica Sentrifugo 3.2 via the index.php/holidaygroups/add id parameter because of the HolidaydatesController.php addAction function.
CVSS 6.5
Rconfig 3.x Chained Remote Code Execution
An issue was discovered in rConfig through 3.9.4. The web interface is prone to a SQL injection via the commands.inc.php searchColumn parameter.
CVSS 9.8
rconfig < 3.9.4 - Authenticated Remote Code Execution via fileName POST Parameter
lib/ajaxHandlers/ajaxAddTemplate.php in rConfig through 3.94 allows remote attackers to execute arbitrary OS commands via shell metacharacters in the fileName POST parameter.
CVSS 8.8
Froxlor < 0.10.14 - Remote Code Execution via Database Configuration Options
An issue was discovered in Froxlor before 0.10.14. Remote attackers with access to the installation routine could have executed arbitrary code via the database configuration options that were passed unescaped to exec, because of _backupExistingDatabase in install/lib/class.FroxlorInstall.php.
CVSS 8.8
Pillow < 7.1.0 - Out-of-bounds Read in PCX Image Decoder
In libImaging/PcxDecode.c in Pillow before 7.1.0, an out-of-bounds read can occur when reading PCX files where state->shuffle is instructed to read beyond state->buffer.
CVSS 5.5
Pillow < 7.1.0 - Buffer Overflow in libImaging/TiffDecode.c
In Pillow before 7.1.0, there are two Buffer Overflows in libImaging/TiffDecode.c.
CVSS 7.8
Open Source Social Network < 5.3 - Arbitrary File Read via Weak PRNG in SiteKey
An issue was discovered in Open Source Social Network (OSSN) through 5.3. A user-controlled file path with a weak cryptographic rand() can be used to read any file with the permissions of the webserver. This can lead to further compromise. The attacker must conduct a brute-force attack against the SiteKey to insert into a crafted URL for components/OssnComments/ossn_com.php and/or libraries/ossn.lib.upgrade.php.
CVSS 5.9
antiX and MX Linux - Privilege Escalation
antiX and MX Linux allow local users to achieve root access via "persist-config --command /bin/sh" because of the Sudo configuration.
CVSS 7.8
Entrust Entelligence Security Provider <10.0.60 - Info Disclosure
Entrust Entelligence Security Provider (ESP) before 10.0.60 on Windows mishandles errors during SSL Certificate Validation, leading to situations where (for example) a user continues to interact with a web site that has an invalid certificate chain.
CVSS 4.3
By Source