Writeup Exploits

62,992 exploits tracked across all sources.

Sort: Activity Stars
CVE-2020-12283 WRITEUP MEDIUM
Sourcegraph < 3.15.1 - Open Redirect via SafeRedirectURL Validation Bypass
Sourcegraph before 3.15.1 has a vulnerable authentication workflow because of improper validation in the SafeRedirectURL method in cmd/frontend/auth/redirect.go, such as for the //foo//example.com substring.
CVSS 6.1
CVE-2020-12446 WRITEUP HIGH
G.SKILL Trident Z Lighting Control <1.00.08 - Privilege Escalation
The ene.sys driver in G.SKILL Trident Z Lighting Control through 1.00.08 exposes mapping and un-mapping of physical memory, reading and writing to Model Specific Register (MSR) registers, and input from and output to I/O ports to local non-privileged users. This leads to privilege escalation to NT AUTHORITY\SYSTEM.
CVSS 7.8
CVE-2020-12461 WRITEUP HIGH
php-fusion 9.03.50 - SQL Injection via members.php sort_order Parameter
PHP-Fusion 9.03.50 allows SQL Injection because maincore.php has an insufficient protection mechanism. An attacker can develop a crafted payload that can be inserted into the sort_order GET parameter on the members.php members search page. This parameter allows for control over anything after the ORDER BY clause in the SQL query.
CVSS 8.8
CVE-2020-12607 WRITEUP HIGH
fastecdsa < 2.1.2 - Improper Verification of Cryptographic Signature
An issue was discovered in fastecdsa before 2.1.2. When using the NIST P-256 curve in the ECDSA implementation, the point at infinity is mishandled. This means that for an extreme value in k and s^-1, the signature verification fails even if the signature is correct. This behavior is not solely a usability problem. There are some threat models where an attacker can benefit by successfully guessing users for whom signature verification will fail.
CVSS 7.5
CVE-2020-12608 WRITEUP HIGH
SolarWinds MSP PME <1.1.15 - Code Execution
An issue was discovered in SolarWinds MSP PME (Patch Management Engine) Cache Service before 1.1.15 in the Advanced Monitoring Agent. There are insecure file permissions for %PROGRAMDATA%\SolarWinds MSP\SolarWinds.MSP.CacheService\config\. This can lead to code execution by changing the CacheService.xml SISServerURL parameter.
CVSS 7.8
CVE-2020-12625 WRITEUP MEDIUM
Roundcube Webmail < 1.4.4 - Stored Cross-Site Scripting via HTML Message CDATA
An issue was discovered in Roundcube Webmail before 1.4.4. There is a cross-site scripting (XSS) vulnerability in rcube_washtml.php because JavaScript code can occur in the CDATA of an HTML message.
CVSS 6.1
CVE-2020-12629 WRITEUP MEDIUM
osTicket < 1.14.2 - Stored Cross-Site Scripting via SLA Name
include/class.sla.php in osTicket before 1.14.2 allows XSS via the SLA Name.
CVSS 5.4
CVE-2020-12640 WRITEUP CRITICAL
Roundcube Webmail <1.4.4 - Path Traversal
Roundcube Webmail before 1.4.4 allows attackers to include local files and execute code via directory traversal in a plugin name to rcube_plugin_api.php.
CVSS 9.8
CVE-2020-12641 WRITEUP CRITICAL
Roundcube Webmail < 1.4.4 - Remote Code Execution via Shell Metacharacters in Image Configuration
rcube_image.php in Roundcube Webmail before 1.4.4 allows attackers to execute arbitrary code via shell metacharacters in a configuration setting for im_convert_path or im_identify_path.
CVSS 9.8
CVE-2020-12706 WRITEUP MEDIUM
php-fusion 9.03.50 - Cross-Site Scripting via FAQ or Shoutbox Admin Panel go Parameter
Multiple Cross-site scripting vulnerabilities in PHP-Fusion 9.03.50 allow remote attackers to inject arbitrary web script or HTML via the go parameter to faq/faq_admin.php or shoutbox_panel/shoutbox_admin.php
CVSS 5.4
CVE-2020-12707 WRITEUP MEDIUM
LeptonCMS 4.5.0 - Stored Cross-Site Scripting via Event Handler Injection
An XSS vulnerability exists in modules/wysiwyg/save.php of LeptonCMS 4.5.0. This can be exploited because the only security measure used against XSS is the stripping of SCRIPT elements. A malicious actor can use HTML event handlers to run JavaScript instead of using SCRIPT elements.
CVSS 6.1
CVE-2020-12758 WRITEUP HIGH
HashiCorp Consul <1.6.6-1.7.4 - DoS
HashiCorp Consul and Consul Enterprise could crash when configured with an abnormally-formed service-router entry. Introduced in 1.6.0, fixed in 1.6.6 and 1.7.4.
CVSS 7.5
CVE-2020-12790 WRITEUP HIGH
nystudio107 SEOmatic < 3.2.49 - Server-Side Template Injection via Twig Template
In the SEOmatic plugin before 3.2.49 for Craft CMS, helpers/DynamicMeta.php does not properly sanitize the URL. This leads to Server-Side Template Injection and credentials disclosure via a crafted Twig template after a semicolon.
CVSS 7.5
CVE-2020-12797 WRITEUP MEDIUM
HashiCorp Consul <1.6.6-1.7.4 - Info Disclosure
HashiCorp Consul and Consul Enterprise failed to enforce changes to legacy ACL token rules due to non-propagation to secondary data centers. Introduced in 1.4.0, fixed in 1.6.6 and 1.7.4.
CVSS 5.3
CVE-2020-12821 WRITEUP CRITICAL
Gossipsub 1.0 - Invalid Message Spam Resistance Bypass
Gossipsub 1.0 does not properly resist invalid message spam, such as an eclipse attack or a sybil attack.
CVSS 9.8
CVE-2020-12856 WRITEUP CRITICAL
OpenTrace <v1.0.17 - Info Disclosure
OpenTrace, as used in COVIDSafe through v1.0.17, TraceTogether, ABTraceTogether, and other applications on iOS and Android, allows remote attackers to conduct long-term re-identification attacks and possibly have unspecified other impact, because of how Bluetooth is used.
CVSS 9.8
CVE-2020-13094 WRITEUP MEDIUM
Dolibarr < 11.0.4 - Cross-Site Scripting
Dolibarr before 11.0.4 allows XSS.
CVSS 5.4
CVE-2020-13170 WRITEUP HIGH
HashiCorp Consul <1.6.6-1.7.4 - Privilege Escalation
HashiCorp Consul and Consul Enterprise did not appropriately enforce scope for local tokens issued by a primary data center, where replication to a secondary data center was not enabled. Introduced in 1.4.0, fixed in 1.6.6 and 1.7.4.
CVSS 7.5
CVE-2020-13228 WRITEUP MEDIUM
Sysax Multi Server 6.90 - Reflected Cross-Site Scripting via SCGI SID Parameter
An issue was discovered in Sysax Multi Server 6.90. There is reflected XSS via the /scgi sid parameter.
CVSS 6.1
CVE-2020-13250 WRITEUP HIGH
HashiCorp Consul <1.6.6, <1.7.4 - DoS
HashiCorp Consul and Consul Enterprise include an HTTP API (introduced in 1.2.0) and DNS (introduced in 1.4.3) caching feature that was vulnerable to denial of service. Fixed in 1.6.6 and 1.7.4.
CVSS 7.5
CVE-2020-13277 WRITEUP MEDIUM
GitLab CE/EE <13.0.5 - Info Disclosure
An authorization issue in the mirroring logic allowed read access to private repositories in GitLab CE/EE 10.6 and later through 13.0.5
CVSS 6.3
CVE-2020-27409 WRITEUP MEDIUM
OpenSIS < 7.5 - Cross-Site Scripting via SideForStudent.php modname Parameter
OpenSIS Community Edition before 7.5 is affected by a cross-site scripting (XSS) vulnerability in SideForStudent.php via the modname parameter.
CVSS 6.1
CVE-2020-27408 WRITEUP HIGH
OpenSIS Community Edition < 7.6 - Unauthenticated Arbitrary Password Reset via ResetUserInfo.php
OpenSIS Community Edition through 7.6 is affected by incorrect access controls for the file ResetUserInfo.php that allow an unauthenticated attacker to change the password of arbitrary users.
CVSS 7.5
CVE-2020-13381 WRITEUP CRITICAL
openSIS <= 7.4 - SQL Injection
openSIS through 7.4 allows SQL Injection.
CVSS 9.8
CVE-2020-13396 WRITEUP HIGH
FreeRDP < 2.1.1 - Out-of-bounds Read in NTLM Challenge Message
An issue was discovered in FreeRDP before 2.1.1. An out-of-bounds (OOB) read vulnerability has been detected in ntlm_read_ChallengeMessage in winpr/libwinpr/sspi/NTLM/ntlm_message.c.
CVSS 7.1