Exploit Database

145,683 exploits tracked across all sources.

Sort: Activity Stars
CVE-2017-1000249 WRITEUP MEDIUM
file - Stack-Based Buffer Overflow via Crafted ELF .notes Section
An issue in file() was introduced in commit 9611f31313a93aa036389c5f3b15eea53510d4d1 (Oct 2016) lets an attacker overwrite a fixed 20 bytes stack buffer with a specially crafted .notes section in an ELF binary. This was fixed in commit 35c94dc6acc418f1ad7f6241a6680e5327495793 (Aug 2017).
CVSS 5.5
CVE-2017-1000251 WRITEUP HIGH
Linux Kernel 2.6.32-4.13.1 - Remote Code Execution via Bluetooth L2CAP Configuration Response
The native Bluetooth stack in the Linux Kernel (BlueZ), starting at the Linux kernel version 2.6.32 and up to and including 4.13.1, are vulnerable to a stack overflow vulnerability in the processing of L2CAP configuration responses resulting in Remote code execution in kernel space.
CVSS 8.0
CVE-2017-1000252 WRITEUP MEDIUM
Linux Kernel < 4.13.3 - Denial of Service via Out-of-Bounds Guest IRQ Value
The KVM subsystem in the Linux kernel through 4.13.3 allows guest OS users to cause a denial of service (assertion failure, and hypervisor hang or crash) via an out-of bounds guest_irq value, related to arch/x86/kvm/vmx.c and virt/kvm/eventfd.c.
CVSS 5.5
CVE-2017-1000380 WRITEUP MEDIUM
Linux kernel <4.11.5 - Info Disclosure
sound/core/timer.c in the Linux kernel before 4.11.5 is vulnerable to a data race in the ALSA /dev/snd/timer driver resulting in local users being able to read information belonging to other users, i.e., uninitialized memory contents may be disclosed when a read and an ioctl happen at the same time.
CVSS 5.5
CVE-2017-1000475 WRITEUP HIGH
FreeSSHd <1.3.1 - Privilege Escalation
FreeSSHd 1.3.1 version is vulnerable to an Unquoted Path Service allowing local users to launch processes with elevated privileges.
CVSS 7.8
CVE-2017-1000479 WRITEUP HIGH
pfSense < 2.4.2 - Clickjacking via CSRF Error Page
pfSense versions 2.4.1 and lower are vulnerable to clickjacking attacks in the CSRF error page resulting in privileged execution of arbitrary code, because the error detection occurs before an X-Frame-Options header is set. This is fixed in 2.4.2-RELEASE. OPNsense, a 2015 fork of pfSense, was not vulnerable since version 16.1.16 released on June 06, 2016. The unprotected web form was removed from the code during an internal security audit under "possibly insecure" suspicions.
CVSS 8.8
CVE-2017-1000487 WRITEUP CRITICAL
Plexus-utils <3.0.16 - Command Injection
Plexus-utils before 3.0.16 is vulnerable to command injection because it does not correctly process the contents of double quoted strings.
CVSS 9.8
CVE-2017-1000501 WRITEUP CRITICAL
awstats < 7.6.0 - Unauthenticated Path Traversal and Remote Code Execution via Config and Migrate Parameters
Awstats version 7.6 and earlier is vulnerable to a path traversal flaw in the handling of the "config" and "migrate" parameters resulting in unauthenticated remote code execution.
CVSS 9.8
CVE-2017-1001000 WRITEUP HIGH
WordPress 4.7.x < 4.7.2 - Unauthenticated Arbitrary Page Modification via REST API Endpoint
The register_routes function in wp-includes/rest-api/endpoints/class-wp-rest-posts-controller.php in the REST API in WordPress 4.7.x before 4.7.2 does not require an integer identifier, which allows remote attackers to modify arbitrary pages via a request for wp-json/wp/v2/posts followed by a numeric value and a non-numeric value, as demonstrated by the wp-json/wp/v2/posts/123?id=123helloworld URI.
CVSS 7.5
CVE-2017-1001000 WRITEUP HIGH
WordPress 4.7.x < 4.7.2 - Unauthenticated Arbitrary Page Modification via REST API Endpoint
The register_routes function in wp-includes/rest-api/endpoints/class-wp-rest-posts-controller.php in the REST API in WordPress 4.7.x before 4.7.2 does not require an integer identifier, which allows remote attackers to modify arbitrary pages via a request for wp-json/wp/v2/posts followed by a numeric value and a non-numeric value, as demonstrated by the wp-json/wp/v2/posts/123?id=123helloworld URI.
CVSS 7.5
CVE-2017-1001002 WRITEUP CRITICAL
math.js < 3.17.0 - Remote Code Execution via Typed Function Name Injection
math.js before 3.17.0 had an arbitrary code execution in the JavaScript engine. Creating a typed function with JavaScript code in the name could result arbitrary execution.
CVSS 9.8
CVE-2017-1001003 WRITEUP CRITICAL
mathjs < 3.17.0 - Prototype Pollution via Unicode Character Bypass
math.js before 3.17.0 had an issue where private properties such as a constructor could be replaced by using unicode characters when creating an object.
CVSS 9.8
CVE-2017-1001004 WRITEUP HIGH
typed-function < 0.10.6 - Remote Code Execution via Typed Function Name
typed-function before 0.10.6 had an arbitrary code execution in the JavaScript engine. Creating a typed function with JavaScript code in the name could result arbitrary execution.
CVSS 8.8
CVE-2017-1002101 WRITEUP HIGH
Kubernetes <1.7.14, <1.8.9, <1.9.4 - Info Disclosure
In Kubernetes versions 1.3.x, 1.4.x, 1.5.x, 1.6.x and prior to versions 1.7.14, 1.8.9 and 1.9.4 containers using subpath volume mounts with any volume type (including non-privileged pods, subject to file permissions) can access files/directories outside of the volume, including the host's filesystem.
CVSS 8.8
CVE-2017-1002150 WRITEUP MEDIUM
python-fedora <0.8.0 - Open Redirect
python-fedora 0.8.0 and lower is vulnerable to an open redirect resulting in loss of CSRF protection
CVSS 6.1
CVE-2017-10661 WRITEUP HIGH
Linux Kernel < 4.10.15 - Use-After-Free via Timerfd Race Condition
Race condition in fs/timerfd.c in the Linux kernel before 4.10.15 allows local users to gain privileges or cause a denial of service (list corruption or use-after-free) via simultaneous file-descriptor operations that leverage improper might_cancel queueing.
CVSS 7.0
CVE-2017-10682 WRITEUP CRITICAL
Piwigo < 2.9.1 - SQL Injection via cat_false or cat_true Parameter
SQL injection vulnerability in the administrative backend in Piwigo through 2.9.1 allows remote users to execute arbitrary SQL commands via the cat_false or cat_true parameter in the comments or status page to cat_options.php.
CVSS 9.8
CVE-2017-11142 WRITEUP HIGH
PHP < 5.6.31, 7.x < 7.0.17, 7.1.x < 7.1.3 - Denial of Service via Long Form Variables
In PHP before 5.6.31, 7.x before 7.0.17, and 7.1.x before 7.1.3, remote attackers could cause a CPU consumption denial of service attack by injecting long form variables, related to main/php_variables.c.
CVSS 7.5
CVE-2017-11176 WRITEUP HIGH
Linux Kernel <= 4.11.9 - Use-After-Free in mq_notify Netlink Socket Handling
The mq_notify function in the Linux kernel through 4.11.9 does not set the sock pointer to NULL upon entry into the retry logic. During a user-space close of a Netlink socket, it allows attackers to cause a denial of service (use-after-free) or possibly have unspecified other impact.
CVSS 7.8
CVE-2017-11449 WRITEUP HIGH
ImageMagick < 6.9.9-0 - Denial of Service via Unvalidated Blob Size in MPC Coder
coders/mpc.c in ImageMagick before 7.0.6-1 does not enable seekable streams and thus cannot validate blob sizes, which allows remote attackers to cause a denial of service (application crash) or possibly have unspecified other impact via an image received from stdin.
CVSS 8.8
CVE-2017-11523 WRITEUP MEDIUM
ImageMagick < 6.9.9-0 and 7.x through 7.0.6-1 - Denial of Service via Crafted TXT File
The ReadTXTImage function in coders/txt.c in ImageMagick through 6.9.9-0 and 7.x through 7.0.6-1 allows remote attackers to cause a denial of service (infinite loop) via a crafted file, because the end-of-file condition is not considered.
CVSS 6.5
CVE-2017-11664 WRITEUP MEDIUM
WildMIDI 0.4.2 - Denial of Service via Crafted MIDI File
The _WM_SetupMidiEvent function in internal_midi.c:2122 in WildMIDI 0.4.2 can cause a denial of service (invalid memory read and application crash) via a crafted mid file.
CVSS 6.5
CVE-2017-11882 WRITEUP HIGH
Microsoft Office CVE-2017-11882
Microsoft Office 2007 Service Pack 3, Microsoft Office 2010 Service Pack 2, Microsoft Office 2013 Service Pack 1, and Microsoft Office 2016 allow an attacker to run arbitrary code in the context of the current user by failing to properly handle objects in memory, aka "Microsoft Office Memory Corruption Vulnerability". This CVE ID is unique from CVE-2017-11884.
CVSS 7.8
CVE-2017-11882 WRITEUP HIGH
Microsoft Office CVE-2017-11882
Microsoft Office 2007 Service Pack 3, Microsoft Office 2010 Service Pack 2, Microsoft Office 2013 Service Pack 1, and Microsoft Office 2016 allow an attacker to run arbitrary code in the context of the current user by failing to properly handle objects in memory, aka "Microsoft Office Memory Corruption Vulnerability". This CVE ID is unique from CVE-2017-11884.
CVSS 7.8
CVE-2017-12061 WRITEUP MEDIUM
MantisBT < 1.3.12 and 2.x < 2.5.2 - Cross-Site Scripting via Installation Script Variables
An XSS issue was discovered in admin/install.php in MantisBT before 1.3.12 and 2.x before 2.5.2. Some variables under user control in the MantisBT installation script are not properly sanitized before being output, allowing remote attackers to inject arbitrary JavaScript code, as demonstrated by the $f_database, $f_db_username, and $f_admin_username variables. This is mitigated by the fact that the admin/ folder should be deleted after installation, and also prevented by CSP.
CVSS 6.1