Writeup Exploits

63,017 exploits tracked across all sources.

Sort: Activity Stars
CVE-2020-21224 WRITEUP CRITICAL
Inspur ClusterEngine V4.0 - Remote Code Execution via Malicious Login Packet
A Remote Code Execution vulnerability has been found in Inspur ClusterEngine V4.0. A remote attacker can send a malicious login packet to the control server
CVSS 9.8
CVE-2020-21316 WRITEUP MEDIUM
ZrLog 2.1.3 - Stored Cross-Site Scripting via Comment Nickname Parameter
A Cross-site scripting (XSS) vulnerability exists in the comment section in ZrLog 2.1.3, which allows remote attackers to inject arbitrary web script and stolen administrator cookies via the nickname parameter and gain access to the admin panel.
CVSS 6.1
CVE-2020-21378 WRITEUP CRITICAL
SeaCMS 10.1 - SQL Injection via admin_members_group.php id Parameter
SQL injection vulnerability in SeaCMS 10.1 (2020.02.08) via the id parameter in an edit action to admin_members_group.php.
CVSS 9.8
CVE-2020-21733 WRITEUP MEDIUM
Sagemcom F@ST3686 v1.0 HUN 3.97.0 - Cross-Site Scripting via Multiple Pages
Sagemcom F@ST3686 v1.0 HUN 3.97.0 has XSS via RgDiagnostics.asp, RgDdns.asp, RgFirewallEL.asp, RgVpnL2tpPptp.asp.
CVSS 6.1
CVE-2020-22083 WRITEUP CRITICAL
jsonpickle < 1.4.1 - Remote Code Execution via Untrusted Data Deserialization
jsonpickle through 1.4.1 allows remote code execution during deserialization of a malicious payload through the decode() function. Note: It has been argued that this is expected and clearly documented behaviour. pickle is known to be capable of causing arbitrary code execution, and must not be used with un-trusted data
CVSS 9.8
CVE-2020-22916 WRITEUP MEDIUM
XZ 5.2.5 - Denial of Service
An issue discovered in XZ 5.2.5 allows attackers to cause a denial of service via decompression of a crafted file. NOTE: the vendor disputes the claims of "endless output" and "denial of service" because decompression of the 17,486 bytes always results in 114,881,179 bytes, which is often a reasonable size increase.
CVSS 5.5
CVE-2020-23545 WRITEUP HIGH
IrfanView 4.54 - User-Mode Write Access Violation in XPM Image Format Parser
IrfanView 4.54 allows a user-mode write access violation starting at FORMATS!ReadXPM_W+0x0000000000000531.
CVSS 7.8
CVE-2020-23564 WRITEUP HIGH
SEMCMS 3.9 - Remote Code Execution via SEMCMS_Upfile.php
File Upload vulnerability in SEMCMS 3.9 allows remote attackers to run arbitrary code via SEMCMS_Upfile.php.
CVSS 7.2
CVE-2020-23620 WRITEUP CRITICAL
Orlansoft ERP - Remote Code Execution via Insecure Java Deserialization
The Java Remote Management Interface of all versions of Orlansoft ERP was discovered to contain a vulnerability due to insecure deserialization of user-supplied content, which can allow attackers to execute arbitrary code via a crafted serialized Java object.
CVSS 9.8
CVE-2020-23621 WRITEUP CRITICAL
SVI MS Management System - Code Injection
The Java Remote Management Interface of all versions of SVI MS Management System was discovered to contain a vulnerability due to insecure deserialization of user-supplied content, which can allow attackers to execute arbitrary code via a crafted serialized Java object.
CVSS 9.8
CVE-2020-23829 WRITEUP HIGH
LibreHealth EHR <2.0.0 - Authenticated RCE
interface/new/new_comprehensive_save.php in LibreHealth EHR 2.0.0 suffers from an authenticated file upload vulnerability, allowing remote attackers to achieve remote code execution (RCE) on the hosting webserver by uploading a maliciously crafted image.
CVSS 8.8
CVE-2020-23834 WRITEUP HIGH
Real Time Logic BarracudaDrive <6.5 - Privilege Escalation
Insecure Service File Permissions in the bd service in Real Time Logic BarracudaDrive v6.5 allow local attackers to escalate privileges to admin by replacing the %SYSTEMDRIVE%\bd\bd.exe file. When the computer next starts, the new bd.exe will be run as LocalSystem.
CVSS 8.8
CVE-2020-23835 WRITEUP MEDIUM
SourceCodester Tailor Management System v1.0 - XSS
A Reflected Cross-Site Scripting (XSS) vulnerability in the index.php login-portal webpage of SourceCodester Tailor Management System v1.0 allows remote attackers to harvest keys pressed by an unauthenticated victim who clicks on a malicious URL and begins typing.
CVSS 6.4
CVE-2020-23934 WRITEUP HIGH
RiteCMS 2.2.1 - Authenticated OS Command Execution via Filemanager PHP Upload
An issue was discovered in RiteCMS 2.2.1. An authenticated user can directly execute system commands by uploading a php web shell in the "Filemanager" section.
CVSS 8.8
CVE-2020-23935 WRITEUP CRITICAL
Kabir Alhasan Student Management System 1.0 - Auth Bypass
Kabir Alhasan Student Management System 1.0 is vulnerable to Authentication Bypass via "Username: admin'# && Password: (Write Something)".
CVSS 9.8
CVE-2020-24033 WRITEUP HIGH
fs.com S3900 24T4S < 1.7.0 - Cross-Site Request Forgery
An issue was discovered in fs.com S3900 24T4S 1.7.0 and earlier. The form does not have an authentication or token authentication mechanism that allows remote attackers to forge requests on behalf of a site administrator to change all settings including deleting users, creating new users with escalated privileges.
CVSS 8.8
CVE-2020-24063 WRITEUP HIGH
WordPress Canto Plugin <1.3.0 - SSRF
The Canto plugin 1.3.0 for WordPress allows includes/lib/download.php?subdomain= SSRF.
CVSS 7.2
CVE-2020-24148 WRITEUP CRITICAL
WordPress import-xml-feed <2.0.1 - SSRF
Server-side request forgery (SSRF) in the Import XML and RSS Feeds (import-xml-feed) plugin 2.0.1 for WordPress via the data parameter in a moove_read_xml action.
CVSS 9.1
CVE-2020-24199 WRITEUP CRITICAL
Project Worlds Car Rental Management System <1.0 - RCE
Arbitrary File Upload in the Vehicle Image Upload component in Project Worlds Car Rental Management System v1.0 allows attackers to conduct remote code execution.
CVSS 9.8
CVE-2020-26117 WRITEUP HIGH
TigerVNC < 1.11.0 - Improper Certificate Validation
In rfb/CSecurityTLS.cxx and rfb/CSecurityTLS.java in TigerVNC before 1.11.0, viewers mishandle TLS certificate exceptions. They store the certificates as authorities, meaning that the owner of a certificate could impersonate any server after a client had added an exception.
CVSS 8.1
CVE-2020-26164 WRITEUP MEDIUM
KDE Connect < 20.08.2 - Denial of Service via Crafted Network Packets
In kdeconnect-kde (aka KDE Connect) before 20.08.2, an attacker on the local network could send crafted packets that trigger use of large amounts of CPU, memory, or network connection slots, aka a Denial of Service attack.
CVSS 5.5
CVE-2020-26230 WRITEUP HIGH
Radar COVID < 1.0.7 (Android), < 1.0.8 (iOS), < 1.1.0 (Android/iOS), Backend < 1.1.2 - User De-Anonymization
Radar COVID is the official COVID-19 exposure notification app for Spain. In affected versions of Radar COVID, identification and de-anonymization of COVID-19 positive users that upload Radar COVID TEKs to the Radar COVID server is possible. This vulnerability enables the identification and de-anonymization of COVID-19 positive users when using Radar COVID. The vulnerability is caused by the fact that Radar COVID connections to the server (uploading of TEKs to the backend) are only made by COVID-19 positives. Therefore, any on-path observer with the ability to monitor traffic between the app and the server can identify which users had a positive test. Such an adversary can be the mobile network operator (MNO) if the connection is done through a mobile network, the Internet Service Provider (ISP) if the connection is done through the Internet (e.g., a home network), a VPN provider used by the user, the local network operator in the case of enterprise networks, or any eavesdropper with access to the same network (WiFi or Ethernet) as the user as could be the case of public WiFi hotspots deployed at shopping centers, airports, hotels, and coffee shops. The attacker may also de-anonymize the user. For this additional stage to succeed, the adversary needs to correlate Radar COVID traffic to other identifiable information from the victim. This could be achieved by associating the connection to a contract with the name of the victim or by associating Radar COVID traffic to other user-generated flows containing identifiers in the clear (e.g., HTTP cookies or other mobile flows sending unique identifiers like the IMEI or the AAID without encryption). The former can be executed, for instance, by the Internet Service Provider or the MNO. The latter can be executed by any on-path adversary, such as the network provider or even the cloud provider that hosts more than one service accessed by the victim. The farther the adversary is either from the victim (the client) or the end-point (the server), the less likely it may be that the adversary has access to re-identification information. The vulnerability has been mitigated with the injection of dummy traffic from the application to the backend. Dummy traffic is generated by all users independently of whether they are COVID-19 positive or not. The issue was fixed in iOS in version 1.0.8 (uniform distribution), 1.1.0 (exponential distribution), Android in version 1.0.7 (uniform distribution), 1.1.0 (exponential distribution), Backend in version 1.1.2-RELEASE. For more information see the referenced GitHub Security Advisory.
CVSS 7.4
CVE-2020-26272 WRITEUP MEDIUM
Electron <9.4.0, 10.2.0, 11.1.0, 12.0.0-beta.9 - Info Disclosure
The Electron framework lets users write cross-platform desktop applications using JavaScript, HTML and CSS. In versions of Electron IPC prior to 9.4.0, 10.2.0, 11.1.0, and 12.0.0-beta.9, messages sent from the main process to a subframe in the renderer process, through webContents.sendToFrame, event.reply or when using the remote module, can in some cases be delivered to the wrong frame. If your app uses remote, calls webContents.sendToFrame, or calls event.reply in an IPC message handler then it is impacted by this issue. This has been fixed in versions 9.4.0, 10.2.0, 11.1.0, and 12.0.0-beta.9. There are no known workarounds for this issue.
CVSS 5.4
CVE-2020-26290 WRITEUP CRITICAL
Dex < 2.27.0 - Cryptographic Signature Verification Bypass via XML Encoding Issue
Dex is a federated OpenID Connect provider written in Go. In Dex before version 2.27.0 there is a critical set of vulnerabilities which impacts users leveraging the SAML connector. The vulnerabilities enables potential signature bypass due to issues with XML encoding in the underlying Go library. The vulnerabilities have been addressed in version 2.27.0 by using the xml-roundtrip-validator from Mattermost (see related references).
CVSS 9.3
CVE-2020-26948 WRITEUP CRITICAL
Emby SSRF HTTP Scanner
Emby Server before 4.5.0 allows SSRF via the Items/RemoteSearch/Image ImageURL parameter.
CVSS 9.8