Writeup Exploits
63,078 exploits tracked across all sources.
Contiki-NG < 4.4 - Remote Code Execution via Malicious L2CAP Frames
A buffer overflow in os/net/mac/ble/ble-l2cap.c in the BLE stack in Contiki-NG 4.4 and earlier allows an attacker to execute arbitrary code via malicious L2CAP frames.
CVSS 8.8
Contiki-NG < 4.3 and Contiki < 3.0 - Denial of Service via 6LoWPAN Fragment Processing Integer Underflow
An issue was discovered in Contiki-NG through 4.3 and Contiki through 3.0. A buffer overflow is present due to an integer underflow during 6LoWPAN fragment processing in the face of truncated fragments in os/net/ipv6/sicslowpan.c. This results in accesses of unmapped memory, crashing the application. An attacker can cause a denial-of-service via a crafted 6LoWPAN frame.
CVSS 7.5
Contiki-NG < 4.3 and Contiki < 3.0 - Denial of Service via 6LoWPAN Fragment Processing Integer Underflow
An issue was discovered in Contiki-NG through 4.3 and Contiki through 3.0. A buffer overflow is present due to an integer underflow during 6LoWPAN fragment processing in the face of truncated fragments in os/net/ipv6/sicslowpan.c. This results in accesses of unmapped memory, crashing the application. An attacker can cause a denial-of-service via a crafted 6LoWPAN frame.
CVSS 7.5
Contiki-NG < 4.3 and Contiki < 3.0 - Out-of-bounds Write in 6LoWPAN Fragment Re-assembly
An issue was discovered in Contiki-NG through 4.3 and Contiki through 3.0. An out of bounds write is present in the data section during 6LoWPAN fragment re-assembly in the face of forged fragment offsets in os/net/ipv6/sicslowpan.c.
CVSS 9.8
Contiki-NG < 4.3 and Contiki < 3.0 - Out-of-bounds Write in 6LoWPAN Fragment Re-assembly
An issue was discovered in Contiki-NG through 4.3 and Contiki through 3.0. An out of bounds write is present in the data section during 6LoWPAN fragment re-assembly in the face of forged fragment offsets in os/net/ipv6/sicslowpan.c.
CVSS 9.8
Contiki-NG < 4.2 - Stack-Based Buffer Overflow in JSON Parser
Contiki-NG before 4.2 has a stack-based buffer overflow in the push function in os/lib/json/jsonparse.c that allows an out-of-bounds write of an '{' or '[' character.
CVSS 7.1
contiki-ng < 4.2 - Remote Code Execution via MQTT PUBLISH Message Buffer Overflow
An issue was discovered in the MQTT server in Contiki-NG before 4.2. The function parse_publish_vhdr() that parses MQTT PUBLISH messages with a variable length header uses memcpy to input data into a fixed size buffer. The allocated buffer can fit only MQTT_MAX_TOPIC_LENGTH (default 64) bytes, and a length check is missing. This could lead to Remote Code Execution via a stack-smashing attack (overwriting the function return address). Contiki-NG does not separate the MQTT server from other servers and the OS modules, so access to all memory regions is possible.
CVSS 10.0
Contiki-NG < 4.1 - Out-of-bounds Read in AQL Parser
An issue was discovered in Contiki-NG through 4.1. There is a buffer over-read in lookup in os/storage/antelope/lvm.c while parsing AQL (lvm_register_variable, lvm_set_variable_value, create_intersection, create_union).
CVSS 7.0
contiki-ng < 4.1 - Stack-based Buffer Overflow in AQL Lexer String Parsing
An issue was discovered in Contiki-NG through 4.1. There is a stack-based buffer overflow in next_string in os/storage/antelope/aql-lexer.c while parsing AQL (parsing next string).
CVSS 7.8
Contiki-NG < 4.1 - Buffer Overflow in AQL Parser
An issue was discovered in Contiki-NG through 4.1. There is a buffer overflow while parsing AQL in lvm_shift_for_operator in os/storage/antelope/lvm.c.
CVSS 6.1
contiki-ng < 4.1 - Buffer Overflow in lvm_set_type via AQL Parsing
An issue was discovered in Contiki-NG through 4.1. There is a buffer overflow in lvm_set_type in os/storage/antelope/lvm.c while parsing AQL (lvm_set_op, lvm_set_relation, lvm_set_operand).
CVSS 7.0
contiki-ng < 4.1 - Stack-based Buffer Overflow in AQL Parser
An issue was discovered in Contiki-NG through 4.1. There is a stack-based buffer overflow in parse_relations in os/storage/antelope/aql-parser.c while parsing AQL (storage of relations).
CVSS 7.8
contiki-ng 4 - Buffer Overflow in AQL Database Engine
contiki-ng version 4 contains a Buffer Overflow vulnerability in AQL (Antelope Query Language) database engine that can result in Attacker can perform Remote Code Execution on device using Contiki-NG operating system. This attack appear to be exploitable via Attacker must be able to run malicious AQL code (e.g. via SQL-like Injection attack).
CVSS 9.8
contiki-ng 4 - Buffer Overflow in AQL Database Engine
contiki-ng version 4 contains a Buffer Overflow vulnerability in AQL (Antelope Query Language) database engine that can result in Attacker can perform Remote Code Execution on device using Contiki-NG operating system. This attack appear to be exploitable via Attacker must be able to run malicious AQL code (e.g. via SQL-like Injection attack).
CVSS 9.8
Contiki 3.0 - Denial of Service via Telnet Option Negotiation Buffer Exhaustion
In Contiki 3.0, Telnet option negotiation is mishandled. During negotiation between a server and a client, the server may fail to give the WILL/WONT or DO/DONT response for DO and WILL commands because of improper handling of exception condition, which leads to property violations and denial of service. Specifically, a server sometimes sends no response, because a fixed buffer space is available for all responses and that space may have been exhausted.
CVSS 7.5
Contiki 3.0 - Denial of Service via Telnet Server Disconnection
In Contiki 3.0, a Telnet server that silently quits (before disconnection with clients) leads to connected clients entering an infinite loop and waiting forever, which may cause excessive CPU consumption.
CVSS 7.5
Contiki 3.0 - Denial of Service via Telnet Service ls Command
In Contiki 3.0, a buffer overflow in the Telnet service allows remote attackers to cause a denial of service because the ls command is mishandled when a directory has many files with long names.
CVSS 7.5
Contiki 3.0 - Denial of Service via Telnet Option Negotiation Loop
In Contiki 3.0, potential nonterminating acknowledgment loops exist in the Telnet service. When the negotiated options are already disabled, servers still respond to DONT and WONT requests with WONT or DONT commands, which may lead to infinite acknowledgment loops, denial of service, and excessive CPU consumption.
CVSS 7.5
Contiki < 3.0 - Denial of Service via ICMPv6 Error Message with Invalid Extension Header
An issue was discovered in Contiki through 3.0. When sending an ICMPv6 error message because of invalid extension header options in an incoming IPv6 packet, there is an attempt to remove the RPL extension headers. Because the packet length and the extension header length are unchecked (with respect to the available data) at this stage, and these variables are susceptible to integer underflow, it is possible to construct an invalid extension header that will cause memory corruption issues and lead to a Denial-of-Service condition. This is related to rpl-ext-header.c.
CVSS 7.5
uip < 1.0 - Out-of-bounds Read via DNS Packet Parsing
An issue was discovered in uIP through 1.0, as used in Contiki and Contiki-NG. Domain name parsing lacks bounds checks, allowing an attacker to corrupt memory with crafted DNS packets.
CVSS 7.5
Lua 5.4.0 - Integer Underflow via getlocal/setlocal Debug Interface
ldebug.c in Lua 5.4.0 allows a negation overflow and segmentation fault in getlocal and setlocal, as demonstrated by getlocal(3,2^31).
CVSS 5.3
RaspAP 2.5 - Authenticated OS Command Injection via Web Console
An issue was discovered in includes/webconsole.php in RaspAP 2.5. With authenticated access, an attacker can use a misconfigured (and virtually unrestricted) web console to attack the underlying OS (Raspberry Pi) running this software, and execute commands on the system (including ones for uploading of files and execution of code).
CVSS 8.8
jackson-databind 2.0.0-2.9.10.5 - Deserialization of Untrusted Data via JndiConfiguration
FasterXML jackson-databind 2.x before 2.9.10.6 mishandles the interaction between serialization gadgets and typing, related to com.pastdev.httpcomponents.configuration.JndiConfiguration.
CVSS 8.1
NexusPHP 1.5 - SQL Injection via takeconfirm.php classes Parameter
SQL injection vulnerability in takeconfirm.php in NexusPHP 1.5 allows remote attackers to execute arbitrary SQL commands via the classes parameter.
CVSS 9.8
NexusPHP 1.5 - SQL Injection via modrules.php id Parameter
SQL injection vulnerability in modrules.php in NexusPHP 1.5 allows remote attackers to execute arbitrary SQL commands via the id parameter.
CVSS 9.8
By Source