Writeup Exploits
59,833 exploits tracked across all sources.
Combodo Itop < 2.7.1 - Basic XSS
iTop is an IT service management platform. Dashlet edits ajax endpoints can be used to produce XSS. Fixed in iTop 2.7.10, 3.0.4, and 3.1.1.
CVSS 6.8
Linuxmint Xreader - Path Traversal
Linux Mint Xreader EPUB File Parsing Directory Traversal Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Linux Mint Xreader. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file.
The specific flaw exists within the parsing of EPUB files. The issue results from the lack of proper validation of a user-supplied path prior to using it in file operations. An attacker can leverage this vulnerability to execute code in the context of the current user. Was ZDI-CAN-21897.
CVSS 7.8
Linuxmint Xreader - Remote Code Execution
Linux Mint Xreader CBT File Parsing Argument Injection Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Linux Mint Xreader. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file.
The specific flaw exists within the parsing of CBT files. The issue results from the lack of proper validation of a user-supplied string before using it to execute a system call. An attacker can leverage this vulnerability to execute code in the context of the current user. Was ZDI-CAN-22132.
CVSS 7.8
Ietf HTTP < 1.57.0 - Denial of Service
The HTTP/2 protocol allows a denial of service (server resource consumption) because request cancellation can reset many streams quickly, as exploited in the wild in August through October 2023.
CVSS 7.5
Ietf HTTP < 1.57.0 - Denial of Service
The HTTP/2 protocol allows a denial of service (server resource consumption) because request cancellation can reset many streams quickly, as exploited in the wild in August through October 2023.
CVSS 7.5
Ietf HTTP < 1.57.0 - Denial of Service
The HTTP/2 protocol allows a denial of service (server resource consumption) because request cancellation can reset many streams quickly, as exploited in the wild in August through October 2023.
CVSS 7.5
Ietf HTTP < 1.57.0 - Denial of Service
The HTTP/2 protocol allows a denial of service (server resource consumption) because request cancellation can reset many streams quickly, as exploited in the wild in August through October 2023.
CVSS 7.5
Ietf HTTP < 1.57.0 - Denial of Service
The HTTP/2 protocol allows a denial of service (server resource consumption) because request cancellation can reset many streams quickly, as exploited in the wild in August through October 2023.
CVSS 7.5
Ietf HTTP < 1.57.0 - Denial of Service
The HTTP/2 protocol allows a denial of service (server resource consumption) because request cancellation can reset many streams quickly, as exploited in the wild in August through October 2023.
CVSS 7.5
Ietf HTTP < 1.57.0 - Denial of Service
The HTTP/2 protocol allows a denial of service (server resource consumption) because request cancellation can reset many streams quickly, as exploited in the wild in August through October 2023.
CVSS 7.5
Ietf HTTP < 1.57.0 - Denial of Service
The HTTP/2 protocol allows a denial of service (server resource consumption) because request cancellation can reset many streams quickly, as exploited in the wild in August through October 2023.
CVSS 7.5
Webmproject Libvpx < 1.13.1 - Improper Exception Handling
VP9 in libvpx before 1.13.1 mishandles widths, leading to a crash related to encoding.
CVSS 7.5
Gdidees Cms - XSS
GDidees CMS 3.0 is affected by a Cross-Site Scripting (XSS) vulnerability that allows attackers to execute arbitrary code via a crafted payload to the Page Title.
CVSS 5.4
Concretecms Concrete Cms - XSS
Multiple Cross Site Scripting (XSS) vulnerabilities in Concrete CMS v.9.2.1 allow an attacker to execute arbitrary code via a crafted script to the Header and Footer Tracking Codes of the SEO & Statistics. NOTE: the vendor disputes this because these header/footer changes can only be made by an admin, and allowing an admin to place JavaScript there is an intentional customization feature. Also, the exploitation method claimed by "sromanhu" does not provide any access to a Concrete CMS session, because the Concrete CMS session cookie is configured as HttpOnly.
CVSS 4.8
Concretecms Concrete Cms < 9.2.2 - XSS
Multiple Cross Site Scripting (XSS) vulnerabilities in Concrete CMS versions affected to 8.5.13 and below, and 9.0.0 through 9.2.1 allow a local attacker to execute arbitrary code via a crafted script to the Forms of the Data objects.
CVSS 5.4
Concretecms Concrete Cms - XSS
A Cross Site Scripting (XSS) vulnerability in Concrete CMS from versions 9.2.0 to 9.2.2 allows an attacker to execute arbitrary code via a crafted script to the Tags from Settings - Tags.
CVSS 5.4
Concretecms Concrete Cms - Unrestricted File Upload
Concrete CMS v9.2.1 is affected by an Arbitrary File Upload vulnerability via a Thumbnail file upload, which allows Cross-Site Scripting (XSS). NOTE: the vendor's position is that a customer is supposed to know that "pdf" should be excluded from the allowed file types, even though pdf is one of the allowed file types in the default configuration.
CVSS 5.4
Concretecms Concrete Cms - XSS
A Cross Site Scripting (XSS) vulnerability in Concrete CMS before 9.2.3 exists via the Name parameter during installation (aka Site of Installation or Settings).
CVSS 5.4
Concretecms Concrete Cms < 9.2.2 - XSS
A Cross Site Scripting (XSS) vulnerability in Concrete CMS versions 8.5.12 and below, and 9.0 through 9.2.1 allows an attacker to execute arbitrary code via a crafted script to Plural Handle of the Data Objects from System & Settings.
CVSS 5.4
Concretecms Concrete Cms - XSS
A Cross Site Scripting (XSS) vulnerability in Concrete CMS v.9.2.1 allows an attacker to execute arbitrary code via a crafted script to the SEO - Extra from Page Settings. NOTE: the vendor disputes this because this SEO-related header change can only be made by an admin, and allowing an admin to place JavaScript there is an intentional customization feature.
CVSS 4.8
Ritecms - XSS
A File upload vulnerability in RiteCMS 3.0 allows a local attacker to upload a SVG file with XSS content.
CVSS 4.8
Tribalsystems Zenario - XSS
A Cross-Site Scripting (XSS) vulnerability in Zenario CMS v.9.4.59197 allows a local attacker to execute arbitrary code via a crafted script to the Spare aliases from Alias.
CVSS 5.4
Tribalsystems Zenario - XSS
A Cross-Site Scripting (XSS) vulnerability in Zenario CMS v.9.4.59197 allows a local attacker to execute arbitrary code via a crafted script to the Spare aliases from Alias.
CVSS 5.4
Tribalsystems Zenario - XSS
A Cross-Site Scripting (XSS) vulnerability in Zenario CMS v.9.4.59197 allows an attacker to execute arbitrary code via a crafted script to the Organizer - Spare alias.
CVSS 5.4
Tribalsystems Zenario - XSS
A Cross-Site Scripting (XSS) vulnerability in Zenario CMS v.9.4.59197 allows a local attacker to execute arbitrary code via a crafted script to the Page Layout.
CVSS 5.4
By Source