Writeup Exploits
63,085 exploits tracked across all sources.
ServiceStack < 5.9.2 - JWT Signature Verification Bypass
ServiceStack before 5.9.2 mishandles JWT signature verification unless an application has a custom ValidateToken function that establishes a valid minimum length for a signature.
CVSS 5.3
td-agent-builder < 2020-12-18 - Privilege Escalation via Writable bin Directory
The td-agent-builder plugin before 2020-12-18 for Fluentd allows attackers to gain privileges because the bin directory is writable by a user account, but a file in bin is executed as NT AUTHORITY\SYSTEM.
CVSS 7.0
SourceCodester Water Billing System 1.0 - SQL Injection via Username and Password Parameters
SQL injection vulnerability in SourceCodester Water Billing System 1.0 via the username and password parameters to process.php.
CVSS 9.8
NPM Formio < 3.5.7 - Information Disclosure
Form.io is a combined Form and API platform for Serverless applications. Versions 3.5.6 and below and 4.0.0-rc.1 through 4.4.2 contain a flaw in path handling which could allow an attacker to access protected API endpoints by sending a crafted request path. An unauthenticated or unauthorized request could retrieve data from endpoints that should be protected. This issue is fixed in versions 3.5.7 and 4.4.3.
Form.io 2.0.0 - Authenticated Server-Side Template Injection via Email Template Deletion
A Server-Side Template Injection (SSTI) was discovered in Form.io 2.0.0. This leads to Remote Code Execution during deletion of the default Email template URL. NOTE: the email templating service was removed after 2020. Additionally, the vendor disputes this issue indicating this is sandboxed and only executable by admins.
CVSS 9.8
png-img < 3.1.0 - Heap-Based Buffer Overflow via Integer Overflow in PngImg::InitStorage_()
An integer overflow in the PngImg::InitStorage_() function of png-img before 3.1.0 leads to an under-allocation of heap memory and subsequently an exploitable heap-based buffer overflow when loading a crafted PNG file.
CVSS 8.8
Joplin < 1.3.11 - Stored Cross-Site Scripting via LINK Element in Note
Joplin 1.2.6 for Desktop allows XSS via a LINK element in a note.
CVSS 6.1
Microweber < 1.1.20 - Authenticated Remote Code Execution via Backup Restore Path Traversal
A directory traversal issue in the Utils/Unzip module in Microweber through 1.1.20 allows an authenticated attacker to gain remote code execution via the backup restore feature. To exploit the vulnerability, an attacker must have the credentials of an administrative user, upload a maliciously constructed ZIP file with file paths including relative paths (i.e., ../../), move this file into the backup directory, and execute a restore on this file.
CVSS 7.2
TP-Link Archer A7 AC1750 Firmware < 201029 - Remote Code Execution via tdpServer slave_mac Parameter
tdpServer on TP-Link Archer A7 AC1750 devices before 201029 allows remote attackers to execute arbitrary code via the slave_mac parameter. NOTE: this issue exists because of an incomplete fix for CVE-2020-10882 in which shell quotes are mishandled.
CVSS 9.8
TP-Link Archer A7 AC1750 Firmware < 201029 - Remote Code Execution via tdpServer slave_mac Parameter
tdpServer on TP-Link Archer A7 AC1750 devices before 201029 allows remote attackers to execute arbitrary code via the slave_mac parameter. NOTE: this issue exists because of an incomplete fix for CVE-2020-10882 in which shell quotes are mishandled.
CVSS 9.8
ChirpStack Network Server 3.9.0 - DoS via Malformed Uplink Frequency Attributes
An inaccurate frame deduplication process in ChirpStack Network Server 3.9.0 allows a malicious gateway to perform uplink Denial of Service via malformed frequency attributes in CollectAndCallOnceCollect in internal/uplink/collect.go. NOTE: the vendor's position is that there are no "guarantees that allowing untrusted LoRa gateways to the network should still result in a secure network.
CVSS 6.5
Mitel ShoreTel 19.46.1802.0 - Unauthenticated Reflected Cross-Site Scripting via PATH_INFO to index.php
The conferencing component on Mitel ShoreTel 19.46.1802.0 devices could allow an unauthenticated attacker to conduct a reflected cross-site scripting (XSS) attack (via the PATH_INFO to index.php) due to insufficient validation for the time_zone object in the HOME_MEETING& page.
CVSS 6.1
TranzWare Payment Gateway 3.1.12.3.2 - Unauthenticated Reflected Cross-Site Scripting via Crafted URL
A reflected cross-site scripting (XSS) vulnerability exists in the TranzWare Payment Gateway 3.1.12.3.2. A remote unauthenticated attacker is able to execute arbitrary HTML code via crafted url (different vector than CVE-2020-28415).
CVSS 6.1
TranzWare Payment Gateway 3.1.12.3.2 - Unauthenticated Reflected Cross-Site Scripting via Crafted URL
A reflected cross-site scripting (XSS) vulnerability exists in the TranzWare Payment Gateway 3.1.12.3.2. A remote unauthenticated attacker is able to execute arbitrary HTML code via crafted url (different vector than CVE-2020-28414).
CVSS 6.1
datatables.net < 1.10.23 - Prototype Pollution
All versions of package datatables.net are vulnerable to Prototype Pollution due to an incomplete fix for https://snyk.io/vuln/SNYK-JS-DATATABLESNET-598806.
CVSS 7.3
datatables.net < 1.10.23 - Prototype Pollution
All versions of package datatables.net are vulnerable to Prototype Pollution due to an incomplete fix for https://snyk.io/vuln/SNYK-JS-DATATABLESNET-598806.
CVSS 7.3
gsap <3.6.0 - Info Disclosure
This affects the package gsap before 3.6.0.
CVSS 7.5
jackson-dataformats-binary < 2.11.4 - Denial of Service via Unchecked Byte Buffer Allocation
This affects the package com.fasterxml.jackson.dataformat:jackson-dataformat-cbor from 0 and before 2.11.4, from 2.12.0-rc1 and before 2.12.1. Unchecked allocation of byte buffer can cause a java.lang.OutOfMemoryError exception.
CVSS 7.5
total.js < 3.4.7 - Prototype Pollution via Path Key Sanitization Bypass
This affects the package total.js before 3.4.7. The set function can be used to set a value into the object according to the path. However the keys of the path being set are not properly sanitized, leading to a prototype pollution vulnerability. The impact depends on the application. In some cases it is possible to achieve Denial of service (DoS), Remote Code Execution or Property Injection.
CVSS 7.3
xmlhttprequest < 1.7.0 and xmlhttprequest-ssl < 1.6.2 - Remote Code Execution via Synchronous Request
This affects the package xmlhttprequest before 1.7.0; all versions of package xmlhttprequest-ssl. Provided requests are sent synchronously (async=False on xhr.open), malicious user input flowing into xhr.send could result in arbitrary code being injected and run.
CVSS 8.1
Mutt < 2.0.2 and NeoMutt < 2020-11-20 - Unencrypted Credential Exposure via Invalid IMAP Server Response
Mutt before 2.0.2 and NeoMutt before 2020-11-20 did not ensure that $ssl_force_tls was processed if an IMAP server's initial server response was invalid. The connection was not properly closed, and the code could continue attempting to authenticate. This could result in authentication credentials being exposed on an unencrypted connection, or to a machine-in-the-middle.
CVSS 5.3
Checkmk < 1.6.0p19 - Authenticated Stored Cross-Site Scripting via View Title
A stored cross site scripting (XSS) vulnerability in Checkmk 1.6.0x prior to 1.6.0p19 allows an authenticated remote attacker to inject arbitrary JavaScript via a javascript: URL in a view title.
CVSS 5.4
Devid Espenschied PC Analyser <4.10 - Privilege Escalation
An issue was discovered in Devid Espenschied PC Analyser through 4.10. The PCADRVX64.SYS kernel driver exposes IOCTL functionality that allows low-privilege users to read and write to arbitrary Model Specific Registers (MSRs). This could lead to arbitrary Ring-0 code execution and escalation of privileges.
CVSS 8.8
Devid Espenschied PC Analyser <4.10 - Privilege Escalation
An issue was discovered in Devid Espenschied PC Analyser through 4.10. The PCADRVX64.SYS kernel driver exposes IOCTL functionality that allows low-privilege users to read and write arbitrary physical memory. This could lead to arbitrary Ring-0 code execution and escalation of privileges.
CVSS 8.8
BigBlueButton <2.2.29 - Info Disclosure
web/controllers/ApiController.groovy in BigBlueButton before 2.2.29 lacks certain parameter sanitization, as demonstrated by accepting control characters in a user name.
CVSS 5.3
By Source