Writeup Exploits

63,085 exploits tracked across all sources.

Sort: Activity Stars
CVE-2020-26278 WRITEUP MEDIUM
Weave Net <2.8.0 - Privilege Escalation
Weave Net is open source software which creates a virtual network that connects Docker containers across multiple hosts and enables their automatic discovery. Weave Net before version 2.8.0 has a vulnerability in which can allow an attacker to take over any host in the cluster. Weave Net is supplied with a manifest that runs pods on every node in a Kubernetes cluster, which are responsible for managing network connections for all other pods in the cluster. This requires a lot of power over the host, and the manifest sets `privileged: true`, which gives it that power. It also set `hostPID: true`, which gave it the ability to access all other processes on the host, and write anywhere in the root filesystem of the host. This setting was not necessary, and is being removed. You are only vulnerable if you have an additional vulnerability (e.g. a bug in Kubernetes) or misconfiguration that allows an attacker to run code inside the Weave Net pod, No such bug is known at the time of release, and there are no known instances of this being exploited. Weave Net 2.8.0 removes the hostPID setting and moves CNI plugin install to an init container. Users who do not update to 2.8.0 can edit the hostPID line in their existing DaemonSet manifest to say false instead of true, arrange some other way to install CNI plugins (e.g. Ansible) and remove those mounts from the DaemonSet manifest.
CVSS 5.8
CVE-2020-26280 WRITEUP HIGH
OpenSlides 3.2 - Stored Cross-Site Scripting in Rich Text Fields
OpenSlides is a free, Web-based presentation and assembly system for managing and projecting agenda, motions, and elections of assemblies. OpenSlides version 3.2, due to unsufficient user input validation and escaping, it is vulnerable to persistant cross-site scripting (XSS). In the web applications users can enter rich text in various places, e.g. for personal notes or in motions. These fields can be used to store arbitrary JavaScript Code that will be executed when other users read the respective text. An attacker could utilize this vulnerability be used to manipulate votes of other users, hijack the moderators session or simply disturb the meeting. The vulnerability was introduced with 6eae497abeab234418dfbd9d299e831eff86ed45 on 16.04.2020, which is first included in the 3.2 release. It has been patched in version 3.3 ( in commit f3809fc8a97ee305d721662a75f788f9e9d21938, merged in master on 20.11.2020).
CVSS 8.9
CVE-2020-26290 WRITEUP CRITICAL
Dex < 2.27.0 - Cryptographic Signature Verification Bypass via XML Encoding Issue
Dex is a federated OpenID Connect provider written in Go. In Dex before version 2.27.0 there is a critical set of vulnerabilities which impacts users leveraging the SAML connector. The vulnerabilities enables potential signature bypass due to issues with XML encoding in the underlying Go library. The vulnerabilities have been addressed in version 2.27.0 by using the xml-roundtrip-validator from Mattermost (see related references).
CVSS 9.3
CVE-2020-26294 WRITEUP HIGH
Vela compiler < 0.6.1 - Server Configuration Exposure via Sprig env Function
Vela is a Pipeline Automation (CI/CD) framework built on Linux container technology written in Golang. In Vela compiler before version 0.6.1 there is a vulnerability which allows exposure of server configuration. It impacts all users of Vela. An attacker can use Sprig's `env` function to retrieve configuration information, see referenced GHSA for an example. This has been fixed in version 0.6.1. In addition to upgrading, it is recommended to rotate all secrets.
CVSS 7.4
CVE-2020-26297 WRITEUP HIGH
mdBook 0.1.4-0.4.5 - Stored Cross-Site Scripting via Search Query
mdBook is a utility to create modern online books from Markdown files and is written in Rust. In mdBook before version 0.4.5, there is a vulnerability affecting the search feature of mdBook, which could allow an attacker to execute arbitrary JavaScript code on the page. The search feature of mdBook (introduced in version 0.1.4) was affected by a cross site scripting vulnerability that allowed an attacker to execute arbitrary JavaScript code on an user's browser by tricking the user into typing a malicious search query, or tricking the user into clicking a link to the search page with the malicious search query prefilled. mdBook 0.4.5 fixes the vulnerability by properly escaping the search query. Owners of websites built with mdBook have to upgrade to mdBook 0.4.5 or greater and rebuild their website contents with it.
CVSS 8.2
CVE-2020-26298 WRITEUP MEDIUM
Redcarpet < 3.5.1 - Cross-Site Scripting via Quote Processing
Redcarpet is a Ruby library for Markdown processing. In Redcarpet before version 3.5.1, there is an injection vulnerability which can enable a cross-site scripting attack. In affected versions no HTML escaping was being performed when processing quotes. This applies even when the `:escape_html` option was being used. This is fixed in version 3.5.1 by the referenced commit.
CVSS 6.8
CVE-2020-26525 WRITEUP CRITICAL
Damstra Smart Asset <2020.7 - SQL Injection
Damstra Smart Asset 2020.7 has SQL injection via the API/api/Asset originator parameter. This allows forcing the database and server to initiate remote connections to third party DNS servers.
CVSS 9.1
CVE-2020-26527 WRITEUP CRITICAL
Damstra Smart Asset 2020.7 - Origin Validation Error via API Version Endpoint
An issue was discovered in API/api/Version in Damstra Smart Asset 2020.7. Cross-origin resource sharing trusts random origins by accepting the arbitrary 'Origin: example.com' header and responding with 200 OK and a wildcard 'Access-Control-Allow-Origin: *' header.
CVSS 9.8
CVE-2020-26609 WRITEUP MEDIUM
fastadmin V1.0.0.20200506_beta - XSS
fastadmin V1.0.0.20200506_beta contains a cross-site scripting (XSS) vulnerability which may allow an attacker to obtain administrator credentials to log in to the background.
CVSS 5.4
CVE-2020-26609 WRITEUP MEDIUM
fastadmin V1.0.0.20200506_beta - XSS
fastadmin V1.0.0.20200506_beta contains a cross-site scripting (XSS) vulnerability which may allow an attacker to obtain administrator credentials to log in to the background.
CVSS 5.4
CVE-2020-26728 WRITEUP CRITICAL
Tenda AC9 <3.0 V15.03.06.42_multi-<1.0 V15.03.05.19 - RCE
A vulnerability was discovered in Tenda AC9 v3.0 V15.03.06.42_multi and Tenda AC9 V1.0 V15.03.05.19(6318)_CN which allows for remote code execution via shell metacharacters in the guestuser field to the __fastcall function with a POST request.
CVSS 9.8
CVE-2020-26759 WRITEUP CRITICAL
clickhouse-driver <0.1.5 - Buffer Overflow
clickhouse-driver before 0.1.5 allows a malicious clickhouse server to trigger a crash or execute arbitrary code (on a database client) via a crafted server response, due to a buffer overflow.
CVSS 9.8
CVE-2020-26938 WRITEUP HIGH
oauth2-server < 3.1.1 - Open Redirect via Incorrect URI Pattern Validation
In oauth2-server (aka node-oauth2-server) through 3.1.1, the value of the redirect_uri parameter received during the authorization and token request is checked against an incorrect URI pattern ("[a-zA-Z][a-zA-Z0-9+.-]+:") before making a redirection. This allows a malicious client to pass an XSS payload through the redirect_uri parameter while making an authorization request. NOTE: this vulnerability is similar to CVE-2020-7741.
CVSS 7.2
CVE-2020-26948 WRITEUP CRITICAL
Emby SSRF HTTP Scanner
Emby Server before 4.5.0 allows SSRF via the Items/RemoteSearch/Image ImageURL parameter.
CVSS 9.8
CVE-2020-27153 WRITEUP HIGH
BlueZ < 5.55 - Double Free in GATT Service Discovery
In BlueZ before 5.55, a double free was found in the gatttool disconnect_cb() routine from shared/att.c. A remote attacker could potentially cause a denial of service or code execution, during service discovery, due to a redundant disconnect MGMT event.
CVSS 8.6
CVE-2020-27194 WRITEUP MEDIUM
Linux kernel <5.8.15 - Memory Corruption
An issue was discovered in the Linux kernel before 5.8.15. scalar32_min_max_or in kernel/bpf/verifier.c mishandles bounds tracking during use of 64-bit values, aka CID-5b9fbeb75b6a.
CVSS 5.5
CVE-2020-27223 WRITEUP MEDIUM
Eclipse Jetty 9.4.6-9.4.36, 10.0.0, 11.0.0 - Denial of Service via Multiple Accept Headers with Quality Parameters
In Eclipse Jetty 9.4.6.v20170531 to 9.4.36.v20210114 (inclusive), 10.0.0, and 11.0.0 when Jetty handles a request containing multiple Accept headers with a large number of “quality” (i.e. q) parameters, the server may enter a denial of service (DoS) state due to high CPU usage processing those quality values, resulting in minutes of CPU time exhausted processing those quality values.
CVSS 5.2
CVE-2020-27347 WRITEUP HIGH
tmux 2.9-3.1b - Stack-based Buffer Overflow in input_csi_dispatch_sgr_colon
In tmux before version 3.1c the function input_csi_dispatch_sgr_colon() in file input.c contained a stack-based buffer-overflow that can be exploited by terminal output.
CVSS 8.8
CVE-2020-27358 WRITEUP MEDIUM
REDCap 8.11.6-9.x - Unauthenticated Information Disclosure via Messenger CSV Export
An issue was discovered in REDCap 8.11.6 through 9.x before 10. The messenger's CSV feature (that allows users to export their conversation threads as CSV) allows non-privileged users to export one another's conversation threads by changing the thread_id parameter in the request to the endpoint Messenger/messenger_download_csv.php?title=Hey&thread_id={THREAD_ID}.
CVSS 4.3
CVE-2020-27387 WRITEUP HIGH
HorizontCMS <1.0.0-beta - Code Injection
An unrestricted file upload issue in HorizontCMS through 1.0.0-beta allows an authenticated remote attacker (with access to the FileManager) to upload and execute arbitrary PHP code by uploading a PHP payload, and then using the FileManager's rename function to provide the payload (which will receive a random name on the server) with the PHP extension, and finally executing the PHP file via an HTTP GET request to /storage/<php_file_name>. NOTE: the vendor has patched this while leaving the version number at 1.0.0-beta.
CVSS 8.8
CVE-2020-27515 WRITEUP MEDIUM
Savsoft Quiz v5.0 - Stored Cross-Site Scripting via Skype ID Field
A Cross Site Scripting (XSS) vulnerability in Savsoft Quiz v5.0 allows remote attackers to inject arbitrary web script or HTML via the Skype ID field.
CVSS 6.1
CVE-2020-27519 WRITEUP HIGH
Pritunl Client v1.2.2550.20 - Privilege Escalation
Pritunl Client v1.2.2550.20 contains a local privilege escalation vulnerability in the pritunl-service component. The attack vector is: malicious openvpn config. A local attacker could leverage the log and log-append along with log injection to create or append to privileged script files and execute code as root/SYSTEM.
CVSS 7.8
CVE-2020-27619 WRITEUP CRITICAL
Python 3.0.0-3.9.0 - Remote Code Execution via CJK Codec Test HTTP Content
In Python 3 through 3.9.0, the Lib/test/multibytecodec_support.py CJK codec tests call eval() on content retrieved via HTTP.
CVSS 9.8
CVE-2020-27687 WRITEUP HIGH
ThingsBoard < 3.2 - Host Header Injection in Password-Reset Emails
ThingsBoard before v3.2 is vulnerable to Host header injection in password-reset emails. This allows an attacker to send malicious links in password-reset emails to victims, pointing to an attacker-controlled server. Lack of validation of the Host header allows this to happen.
CVSS 8.8
CVE-2020-28032 WRITEUP CRITICAL
WordPress < 5.5.2 - Deserialization of Untrusted Data in FilteredIterator
WordPress before 5.5.2 mishandles deserialization requests in wp-includes/Requests/Utility/FilteredIterator.php.
CVSS 9.8