Writeup Exploits

63,017 exploits tracked across all sources.

Sort: Activity Stars
CVE-2021-21413 WRITEUP HIGH
isolated-vm <4.0.0 - Info Disclosure
isolated-vm is a library for nodejs which gives you access to v8's Isolate interface. Versions of isolated-vm before v4.0.0 have API pitfalls which may make it easy for implementers to expose supposed secure isolates to the permissions of the main nodejs isolate. Reference objects allow access to the underlying reference's full prototype chain. In an environment where the implementer has exposed a Reference instance to an attacker they would be able to use it to acquire a Reference to the nodejs context's Function object. Similar application-specific attacks could be possible by modifying the local prototype of other API objects. Access to NativeModule objects could allow an attacker to load and run native code from anywhere on the filesystem. If combined with, for example, a file upload API this would allow for arbitrary code execution. This is addressed in v4.0.0 through a series of related changes.
CVSS 8.0
CVE-2021-23362 WRITEUP MEDIUM
hosted-git-info < 2.8.9 - Regular Expression Denial of Service via shortcutMatch
The package hosted-git-info before 3.0.8 are vulnerable to Regular Expression Denial of Service (ReDoS) via regular expression shortcutMatch in the fromUrl function in index.js. The affected regular expression exhibits polynomial worst-case time complexity.
CVSS 5.3
CVE-2021-23369 WRITEUP MEDIUM
handlebars < 4.7.7 - Remote Code Execution via Untrusted Template Compilation
The package handlebars before 4.7.7 are vulnerable to Remote Code Execution (RCE) when selecting certain compiling options to compile templates coming from an untrusted source.
CVSS 5.6
CVE-2021-23418 WRITEUP MEDIUM
glances < 3.2.1 - XML External Entity Injection via Fault XML Parser
The package glances before 3.2.1 are vulnerable to XML External Entity (XXE) Injection via the use of Fault to parse untrusted XML data, which is known to be vulnerable to XML attacks.
CVSS 6.3
CVE-2021-25830 WRITEUP CRITICAL
ONLYOFFICE DocumentServer 4.2.0.236-5.6.4.13 - Remote Code Execution via DOCT to DOCX Conversion
A file extension handling issue was found in [core] module of ONLYOFFICE DocumentServer v4.2.0.236-v5.6.4.13. An attacker must request the conversion of the crafted file from DOCT into DOCX format. Using the chain of two other bugs related to improper string handling, an attacker can achieve remote code execution on DocumentServer.
CVSS 9.8
CVE-2021-25833 WRITEUP CRITICAL
ONLYOFFICE DocumentServer 4.2.0.71-5.6.0.21 - Remote Code Execution via File Extension Handling Issue
A file extension handling issue was found in [server] module of ONLYOFFICE DocumentServer v4.2.0.71-v5.6.0.21. The file extension is controlled by an attacker through the request data and leads to arbitrary file overwriting. Using this vulnerability, a remote attacker can obtain remote code execution on DocumentServer.
CVSS 9.8
CVE-2021-25932 WRITEUP MEDIUM
OpenNMS Horizon <27.1.0-1 & Meridian <2020.1.6-1 - Stored XSS via userID Parameter
In OpenNMS Horizon, versions opennms-1-0-stable through opennms-27.1.0-1; OpenNMS Meridian, versions meridian-foundation-2015.1.0-1 through meridian-foundation-2019.1.18-1; meridian-foundation-2020.1.0-1 through meridian-foundation-2020.1.6-1 are vulnerable to Stored Cross-Site Scripting, since the function `validateFormInput()` performs improper validation checks on the input sent to the `userID` parameter. Due to this flaw an attacker could inject an arbitrary script which will be stored in the database.
CVSS 5.4
CVE-2021-25933 WRITEUP MEDIUM
OpenNMS Horizon <27.1.1 & Meridian <2019.1.19 - Authenticated Stored XSS via groupName/groupComment
In OpenNMS Horizon, versions opennms-1-0-stable through opennms-27.1.0-1; OpenNMS Meridian, versions meridian-foundation-2015.1.0-1 through meridian-foundation-2019.1.18-1; meridian-foundation-2020.1.0-1 through meridian-foundation-2020.1.6-1 are vulnerable to Stored Cross-Site Scripting, since the function `validateFormInput()` performs improper validation checks on the input sent to the `groupName` and `groupComment` parameters. Due to this flaw, an authenticated attacker could inject arbitrary script and trick other admin users into downloading malicious files which can cause severe damage to the organization using opennms.
CVSS 4.8
CVE-2021-27902 WRITEUP MEDIUM
Craft CMS < 3.6.0 - Cross-Site Scripting via Front-End Form User Uploads
An issue was discovered in Craft CMS before 3.6.0. In some circumstances, a potential XSS vulnerability existed in connection with front-end forms that accepted user uploads.
CVSS 6.1
CVE-2021-27903 WRITEUP CRITICAL
Craft CMS < 3.6.7 - Remote Code Execution via Administrative Session Hijack
An issue was discovered in Craft CMS before 3.6.7. In some circumstances, a potential Remote Code Execution vulnerability existed on sites that did not restrict administrative changes (if an attacker were somehow able to hijack an administrator's session).
CVSS 9.8
CVE-2021-28280 WRITEUP MEDIUM
phpfusion 9.03.110 - Cross-Site Request Forgery and Cross-Site Scripting in search.php
CSRF + Cross-site scripting (XSS) vulnerability in search.php in PHPFusion 9.03.110 allows remote attackers to inject arbitrary web script or HTML
CVSS 6.1
CVE-2021-29430 WRITEUP HIGH
Sydent < 2.3.0 - Unauthenticated Denial of Service via Unbounded HTTP Request/Response
Sydent is a reference Matrix identity server. Sydent does not limit the size of requests it receives from HTTP clients. A malicious user could send an HTTP request with a very large body, leading to memory exhaustion and denial of service. Sydent also does not limit response size for requests it makes to remote Matrix homeservers. A malicious homeserver could return a very large response, again leading to memory exhaustion and denial of service. This affects any server which accepts registration requests from untrusted clients. This issue has been patched by releases 89071a1, 0523511, f56eee3. As a workaround request sizes can be limited in an HTTP reverse-proxy. There are no known workarounds for the problem with overlarge responses.
CVSS 7.5
CVE-2021-29431 WRITEUP HIGH
Sydent < 2.3.0 - Server-Side Request Forgery via HTTP GET Request
Sydent is a reference Matrix identity server. Sydent can be induced to send HTTP GET requests to internal systems, due to lack of parameter validation or IP address blacklisting. It is not possible to exfiltrate data or control request headers, but it might be possible to use the attack to perform an internal port enumeration. This issue has been addressed in in 9e57334, 8936925, 3d531ed, 0f00412. A potential workaround would be to use a firewall to ensure that Sydent cannot reach internal HTTP resources.
CVSS 7.7
CVE-2021-29505 WRITEUP HIGH
XStream < 1.4.17 - Remote Code Execution via Untrusted Data Deserialization
XStream is software for serializing Java objects to XML and back again. A vulnerability in XStream versions prior to 1.4.17 may allow a remote attacker has sufficient rights to execute commands of the host only by manipulating the processed input stream. No user who followed the recommendation to setup XStream's security framework with a whitelist limited to the minimal required types is affected. The vulnerability is patched in version 1.4.17.
CVSS 7.5
CVE-2021-29544 WRITEUP LOW
TensorFlow 2.4.0-2.4.1 - Denial of Service via QuantizeAndDequantizeV4Grad CHECK-Fail
TensorFlow is an end-to-end open source platform for machine learning. An attacker can trigger a denial of service via a `CHECK`-fail in `tf.raw_ops.QuantizeAndDequantizeV4Grad`. This is because the implementation does not validate the rank of the `input_*` tensors. In turn, this results in the tensors being passes as they are to `QuantizeAndDequantizePerChannelGradientImpl`. However, the `vec<T>` method, requires the rank to 1 and triggers a `CHECK` failure otherwise. The fix will be included in TensorFlow 2.5.0. We will also cherrypick this commit on TensorFlow 2.4.2 as this is the only other affected version.
CVSS 2.5
CVE-2021-29608 WRITEUP MEDIUM
TensorFlow < 2.1.4 - Heap Buffer Overflow via RaggedTensorToTensor Input Validation
TensorFlow is an end-to-end open source platform for machine learning. Due to lack of validation in `tf.raw_ops.RaggedTensorToTensor`, an attacker can exploit an undefined behavior if input arguments are empty. The implementation(https://github.com/tensorflow/tensorflow/blob/656e7673b14acd7835dc778867f84916c6d1cac2/tensorflow/core/kernels/ragged_tensor_to_tensor_op.cc#L356-L360) only checks that one of the tensors is not empty, but does not check for the other ones. There are multiple `DCHECK` validations to prevent heap OOB, but these are no-op in release builds, hence they don't prevent anything. The fix will be included in TensorFlow 2.5.0. We will also cherrypick these commits on TensorFlow 2.4.2, TensorFlow 2.3.3, TensorFlow 2.2.3 and TensorFlow 2.1.4, as these are also affected and still in supported range.
CVSS 5.3
CVE-2021-31542 WRITEUP HIGH
Django 2.2-2.2.20, 3.1-3.1.8, 3.2-3.2.0 - Path Traversal via Uploaded File Name
In Django 2.2 before 2.2.21, 3.1 before 3.1.9, and 3.2 before 3.2.1, MultiPartParser, UploadedFile, and FieldFile allowed directory traversal via uploaded files with suitably crafted file names.
CVSS 7.5
CVE-2021-31590 WRITEUP HIGH
pwndoc < 0.4.0 - Incorrect Access Control via JSON Webtoken Handling
PwnDoc all versions until 0.4.0 (2021-08-23) has incorrect JSON Webtoken handling, leading to incorrect access control. With a valid JSON Webtoken that is used for authentication and authorization, a user can keep his admin privileges even if he is downgraded to the "user" privilege. Even after a user's account is deleted, the user can still access the administration panel (and add or delete users) and has complete access to the system.
CVSS 8.8
CVE-2021-31800 WRITEUP CRITICAL
Impacket < 0.9.22 - Path Traversal and Arbitrary File Write via SMB Server
Multiple path traversal vulnerabilities exist in smbserver.py in Impacket through 0.9.22. An attacker that connects to a running smbserver instance can list and write to arbitrary files via ../ directory traversal. This could potentially be abused to achieve arbitrary code execution by replacing /etc/shadow or an SSH authorized key.
CVSS 9.8
CVE-2021-33356 WRITEUP HIGH
RaspAP <2.6.5 - Privilege Escalation
Multiple privilege escalation vulnerabilities in RaspAP 1.5 to 2.6.5 could allow an authenticated remote attacker to inject arbitrary commands to /installers/common.sh component that can result in remote command execution with root privileges.
CVSS 8.8
CVE-2021-33910 WRITEUP MEDIUM
systemd < 246.15 - Denial of Service via Excessive Pathname Allocation
basic/unit-name.c in systemd prior to 246.15, 247.8, 248.5, and 249.1 has a Memory Allocation with an Excessive Size Value (involving strdupa and alloca for a pathname controlled by a local attacker) that results in an operating system crash.
CVSS 5.5
CVE-2021-3509 WRITEUP MEDIUM
Red Hat Ceph Storage 4 - Info Disclosure
A flaw was found in Red Hat Ceph Storage 4, in the Dashboard component. In response to CVE-2020-27839, the JWT token was moved from localStorage to an httpOnly cookie. However, token cookies are used in the body of the HTTP response for the documentation, which again makes it available to XSS.The greatest threat to the system is for confidentiality, integrity, and availability.
CVSS 6.1
CVE-2021-36980 WRITEUP MEDIUM
Openvswitch < 2.15.0 - Use After Free
Open vSwitch (aka openvswitch) 2.11.0 through 2.15.0 has a use-after-free in decode_NXAST_RAW_ENCAP (called from ofpact_decode and ofpacts_decode) during the decoding of a RAW_ENCAP action.
CVSS 5.5
CVE-2021-3670 WRITEUP MEDIUM
Samba 4.1.0-4.15.9 - Uncontrolled Resource Consumption via MaxQueryDuration LDAP Bypass
MaxQueryDuration not honoured in Samba AD DC LDAP
CVSS 6.5
CVE-2021-4048 WRITEUP CRITICAL
LAPACK < 3.10.0 - Out-of-bounds Read in CLARRV, DLARRV, SLARRV, and ZLARRV Functions
An out-of-bounds read flaw was found in the CLARRV, DLARRV, SLARRV, and ZLARRV functions in lapack through version 3.10.0, as also used in OpenBLAS before version 0.3.18. Specially crafted inputs passed to these functions could cause an application using lapack to crash or possibly disclose portions of its memory.
CVSS 9.1