Writeup Exploits

62,994 exploits tracked across all sources.

Sort: Activity Stars
CVE-2020-14074 WRITEUP HIGH
TRENDnet TEW-827DRU Firmware < 2.06b04 - Authenticated Stack-Based Buffer Overflow via kick_ban_wifi_mac_allow Parameter
TRENDnet TEW-827DRU devices through 2.06B04 contain a stack-based buffer overflow in the ssi binary. The overflow allows an authenticated user to execute arbitrary code by POSTing to apply.cgi via the action kick_ban_wifi_mac_allow with a sufficiently long qcawifi.wifi0_vap0.maclist key.
CVSS 8.8
CVE-2020-14075 WRITEUP HIGH
TRENDnet TEW-827DRU Firmware < 2.06b04 - Authenticated OS Command Injection via apply.cgi
TRENDnet TEW-827DRU devices through 2.06B04 contain multiple command injections in apply.cgi via the action pppoe_connect, ru_pppoe_connect, or dhcp_connect with the key wan_ifname (or wan0_dns), allowing an authenticated user to run arbitrary commands on the device.
CVSS 8.8
CVE-2020-14076 WRITEUP HIGH
TRENDnet TEW-827DRU < 2.06b04 - Authenticated Stack-Based Buffer Overflow via wan_type Parameter
TRENDnet TEW-827DRU devices through 2.06B04 contain a stack-based buffer overflow in the ssi binary. The overflow allows an authenticated user to execute arbitrary code by POSTing to apply.cgi via the action st_dev_connect, st_dev_disconnect, or st_dev_rconnect with a sufficiently long wan_type key.
CVSS 8.8
CVE-2020-14077 WRITEUP HIGH
TRENDnet TEW-827DRU < 2.06b04 - Authenticated Stack-Based Buffer Overflow via WPS PIN Parameter
TRENDnet TEW-827DRU devices through 2.06B04 contain a stack-based buffer overflow in the ssi binary. The overflow allows an authenticated user to execute arbitrary code by POSTing to apply.cgi via the action set_sta_enrollee_pin_wifi1 (or set_sta_enrollee_pin_wifi0) with a sufficiently long wps_sta_enrollee_pin key.
CVSS 8.8
CVE-2020-14078 WRITEUP HIGH
TRENDnet TEW-827DRU < 2.06b04 - Authenticated Stack-Based Buffer Overflow via wifi_captive_portal_login REMOTE_ADDR
TRENDnet TEW-827DRU devices through 2.06B04 contain a stack-based buffer overflow in the ssi binary. The overflow allows an authenticated user to execute arbitrary code by POSTing to apply.cgi via the action wifi_captive_portal_login with a sufficiently long REMOTE_ADDR key.
CVSS 8.8
CVE-2020-14079 WRITEUP HIGH
TRENDnet TEW-827DRU < 2.06b04 Authenticated Stack Overflow via apply.cgi
TRENDnet TEW-827DRU devices through 2.06B04 contain a stack-based buffer overflow in the ssi binary. The overflow allows an authenticated user to execute arbitrary code by POSTing to apply.cgi via the action auto_up_fw (or auto_up_lp) with a sufficiently long update_file_name key.
CVSS 8.8
CVE-2020-14080 WRITEUP CRITICAL
TRENDnet TEW-827DRU Firmware < 2.06b04 - Unauthenticated Stack-Based Buffer Overflow via Ping Test
TRENDnet TEW-827DRU devices through 2.06B04 contain a stack-based buffer overflow in the ssi binary. The overflow allows an unauthenticated user to execute arbitrary code by POSTing to apply_sec.cgi via the action ping_test with a sufficiently long ping_ipaddr key.
CVSS 9.8
CVE-2020-14144 WRITEUP HIGH
Gitea 1.1.0-1.12.5 - Authenticated Remote Code Execution via Git Hook Script Injection
The git hook feature in Gitea 1.1.0 through 1.12.5 might allow for authenticated remote code execution in customer environments where the documentation was not understood (e.g., one viewpoint is that the dangerousness of this feature should be documented immediately above the ENABLE_GIT_HOOKS line in the config file). NOTE: The vendor has indicated this is not a vulnerability and states "This is a functionality of the software that is limited to a very limited subset of accounts. If you give someone the privilege to execute arbitrary code on your server, they can execute arbitrary code on your server. We provide very clear warnings to users around this functionality and what it provides.
CVSS 7.2
CVE-2020-14144 WRITEUP HIGH
Gitea 1.1.0-1.12.5 - Authenticated Remote Code Execution via Git Hook Script Injection
The git hook feature in Gitea 1.1.0 through 1.12.5 might allow for authenticated remote code execution in customer environments where the documentation was not understood (e.g., one viewpoint is that the dangerousness of this feature should be documented immediately above the ENABLE_GIT_HOOKS line in the config file). NOTE: The vendor has indicated this is not a vulnerability and states "This is a functionality of the software that is limited to a very limited subset of accounts. If you give someone the privilege to execute arbitrary code on your server, they can execute arbitrary code on your server. We provide very clear warnings to users around this functionality and what it provides.
CVSS 7.2
CVE-2020-14144 WRITEUP HIGH
Gitea 1.1.0-1.12.5 - Authenticated Remote Code Execution via Git Hook Script Injection
The git hook feature in Gitea 1.1.0 through 1.12.5 might allow for authenticated remote code execution in customer environments where the documentation was not understood (e.g., one viewpoint is that the dangerousness of this feature should be documented immediately above the ENABLE_GIT_HOOKS line in the config file). NOTE: The vendor has indicated this is not a vulnerability and states "This is a functionality of the software that is limited to a very limited subset of accounts. If you give someone the privilege to execute arbitrary code on your server, they can execute arbitrary code on your server. We provide very clear warnings to users around this functionality and what it provides.
CVSS 7.2
CVE-2020-14292 WRITEUP MEDIUM
COVIDSafe <1.0.21 - Info Disclosure
In the COVIDSafe application through 1.0.21 for Android, unsafe use of the Bluetooth transport option in the GATT connection allows attackers to trick the application into establishing a connection over Bluetooth BR/EDR transport, which reveals the public Bluetooth address of the victim's phone without authorisation, bypassing the Bluetooth address randomisation protection in the user's phone.
CVSS 5.7
CVE-2020-14363 WRITEUP HIGH
libX11 < 1.6.12 - Integer Overflow to Double-Free
An integer overflow vulnerability leading to a double-free was found in libX11. This flaw allows a local privileged attacker to cause an application compiled with libX11 to crash, or in some cases, result in arbitrary code execution. The highest threat from this flaw is to confidentiality, integrity as well as system availability.
CVSS 7.8
CVE-2020-14943 WRITEUP MEDIUM
Global RADAR BSA Radar <1.6.7234.24750 - XSS
The Firstname and Lastname parameters in Global RADAR BSA Radar 1.6.7234.24750 and earlier are vulnerable to stored cross-site scripting (XSS) via Update User Profile.
CVSS 5.4
CVE-2020-14944 WRITEUP CRITICAL
Global RADAR BSA Radar <1.6.7234.24750 - Privilege Escalation
Global RADAR BSA Radar 1.6.7234.24750 and earlier lacks valid authorization controls in multiple functions. This can allow for manipulation and takeover of user accounts if successfully exploited. The following vulnerable functions are exposed: ChangePassword, SaveUserProfile, and GetUser.
CVSS 9.8
CVE-2020-14945 WRITEUP HIGH
Global RADAR BSA Radar <1.6.7234.24750 - Privilege Escalation
A privilege escalation vulnerability exists within Global RADAR BSA Radar 1.6.7234.24750 and earlier that allows an authenticated, low-privileged user to escalate their privileges to administrator rights (i.e., the BankAdmin role) via modified SaveUser data.
CVSS 8.8
CVE-2020-14946 WRITEUP MEDIUM
Global RADAR BSA Radar <1.6.7234.24750 - Info Disclosure
downloadFile.ashx in the Administrator section of the Surveillance module in Global RADAR BSA Radar 1.6.7234.24750 and earlier allows users to download transaction files. When downloading the files, a user is able to view local files on the web server by manipulating the FileName and FilePath parameters in the URL, or while using a proxy. This vulnerability could be used to view local sensitive files or configuration files.
CVSS 4.3
CVE-2020-14947 WRITEUP HIGH
OCS Inventory NG 2.7 - Remote Code Execution via Shell Metacharacters in SNMP MIB File Handling
OCS Inventory NG 2.7 allows Remote Command Execution via shell metacharacters to require/commandLine/CommandLine.php because mib_file in plugins/main_sections/ms_config/ms_snmp_config.php is mishandled in get_mib_oid.
CVSS 8.8
CVE-2020-14947 WRITEUP HIGH
OCS Inventory NG 2.7 - Remote Code Execution via Shell Metacharacters in SNMP MIB File Handling
OCS Inventory NG 2.7 allows Remote Command Execution via shell metacharacters to require/commandLine/CommandLine.php because mib_file in plugins/main_sections/ms_config/ms_snmp_config.php is mishandled in get_mib_oid.
CVSS 8.8
CVE-2020-14954 WRITEUP MEDIUM
Mutt <1.14.4-NeoMutt <2020-06-19 - Response Injection
Mutt before 1.14.4 and NeoMutt before 2020-06-19 have a STARTTLS buffering issue that affects IMAP, SMTP, and POP3. When a server sends a "begin TLS" response, the client reads additional data (e.g., from a man-in-the-middle attacker) and evaluates it in a TLS context, aka "response injection."
CVSS 5.9
CVE-2020-14955 WRITEUP MEDIUM
Jiangmin Antivirus <16.0.13.129 - DoS
In Jiangmin Antivirus 16.0.13.129, the driver file (KVFG.sys) allows local users to cause a denial of service (BSOD) or possibly have unspecified other impact because of not validating input values from IOCtl 0x220440.
CVSS 5.5
CVE-2020-14960 WRITEUP HIGH
php-fusion 9.03.50 - SQL Injection via Comments Administration Endpoint ctype Parameter
A SQL injection vulnerability in PHP-Fusion 9.03.50 affects the endpoint administration/comments.php via the ctype parameter,
CVSS 7.2
CVE-2020-15043 WRITEUP MEDIUM
iBall WRB303N - Cross-Site Request Forgery
iBall WRB303N devices allow CSRF attacks, as demonstrated by enabling remote management, enabling DHCP, or modifying the subnet range for IP addresses.
CVSS 6.5
CVE-2020-15085 WRITEUP MEDIUM
Saleor Storefront <2.10.3 - Info Disclosure
In Saleor Storefront before version 2.10.3, request data used to authenticate customers was inadvertently cached in the browser's local storage mechanism, including credentials. A malicious user with direct access to the browser could extract the email and password. In versions prior to 2.10.0 persisted the cache even after the user logged out. This is fixed in version 2.10.3. A workaround is to manually clear application data (browser's local storage) after logging into Saleor Storefront.
CVSS 6.9
CVE-2020-15105 WRITEUP MEDIUM
Django Two-Factor Authentication <1.12 - Info Disclosure
Django Two-Factor Authentication before 1.12, stores the user's password in clear text in the user session (base64-encoded). The password is stored in the session when the user submits their username and password, and is removed once they complete authentication by entering a two-factor authentication code. This means that the password is stored in clear text in the session for an arbitrary amount of time, and potentially forever if the user begins the login process by entering their username and password and then leaves before entering their two-factor authentication code. The severity of this issue depends on which type of session storage you have configured: in the worst case, if you're using Django's default database session storage, then users' passwords are stored in clear text in your database. In the best case, if you're using Django's signed cookie session, then users' passwords are only stored in clear text within their browser's cookie store. In the common case of using Django's cache session store, the users' passwords are stored in clear text in whatever cache storage you have configured (typically Memcached or Redis). This has been fixed in 1.12. After upgrading, users should be sure to delete any clear text passwords that have been stored. For example, if you're using the database session backend, you'll likely want to delete any session record from the database and purge that data from any database backups or replicas. In addition, affected organizations who have suffered a database breach while using an affected version should inform their users that their clear text passwords have been compromised. All organizations should encourage users whose passwords were insecurely stored to change these passwords on any sites where they were used. As a workaround, wwitching Django's session storage to use signed cookies instead of the database or cache lessens the impact of this issue, but should not be done without a thorough understanding of the security tradeoffs of using signed cookies rather than a server-side session storage. There is no way to fully mitigate the issue without upgrading.
CVSS 5.4
CVE-2020-15126 WRITEUP MEDIUM
Parser-Server <4.3.0 - Privilege Escalation
In parser-server from version 3.5.0 and before 4.3.0, an authenticated user using the viewer GraphQL query can by pass all read security on his User object and can also by pass all objects linked via relation or Pointer on his User object.
CVSS 6.5