Exploit Database
145,709 exploits tracked across all sources.
ARM mbed TLS < 1.3.21 and 2.x < 2.1.9 - Authentication Bypass via X.509 Certificate Chain
ARM mbed TLS before 1.3.21 and 2.x before 2.1.9, if optional authentication is configured, allows remote attackers to bypass peer authentication via an X.509 certificate chain with many intermediates. NOTE: although mbed TLS was formerly known as PolarSSL, the releases shipped with the PolarSSL name are not affected.
CVSS 8.1
Libidn2 < 2.0.3 - Integer Overflow in _isBidi Function
Integer overflow in the _isBidi function in bidi.c in Libidn2 before 2.0.4 allows remote attackers to cause a denial of service or possibly have unspecified other impact.
CVSS 9.8
Libidn2 < 2.0.4 - Integer Overflow in decode_digit Function
Integer overflow in the decode_digit function in puny_decode.c in Libidn2 before 2.0.4 allows remote attackers to cause a denial of service or possibly have unspecified other impact.
CVSS 9.8
Kaltura Server < mercury-13.1.0 - Remote Code Execution via Hardcoded Cookie Secret
The getUserzoneCookie function in Kaltura before 13.2.0 uses a hardcoded cookie secret to validate cookie signatures, which allows remote attackers to bypass an intended protection mechanism and consequently conduct PHP object injection attacks and execute arbitrary PHP code via a crafted userzone cookie.
CVSS 9.8
ImageMagick 7.0.7-0 Q16 - Denial of Service via Crafted PSD File
In coders/psd.c in ImageMagick 7.0.7-0 Q16, a DoS in ReadPSDLayersInternal() due to lack of an EOF (End of File) check might cause huge CPU consumption. When a crafted PSD file, which claims a large "length" field in the header but does not contain sufficient backing data, is provided, the loop over "length" would consume huge CPU resources, since there is no EOF check inside the loop.
CVSS 6.5
Samsung SRN-1670D, SRN-1000, SRN-472S, SRN-470D Firmware - Unauthenticated Admin Password Hash Exposure
On Samsung NVR devices, remote attackers can read the MD5 password hash of the 'admin' account via certain szUserName JSON data to cgi-bin/main-cgi, and login to the device with that hash in the szUserPasswd parameter.
CVSS 8.1
Honeywell Enterprise DVR and MaxPro NVR Firmware - Session Fixation via Guest Account Session ID
Honeywell NVR devices allow remote attackers to create a user account in the admin group by leveraging access to a guest account to obtain a session ID, and then sending that session ID in a userManager.addUser request to the /RPC2 URI. The attacker can login to the device with that new user account to fully control the device.
CVSS 8.1
EE 4GEE WiFi MBB < EE60_00_05.00_31 - CSRF
EE 4GEE WiFi MBB (before EE60_00_05.00_31) devices have CSRF, related to goform/AddNewProfile, goform/setWanDisconnect, goform/setSMSAutoRedirectSetting, goform/setReset, and goform/uploadBackupSettings.
CVSS 8.8
Newsbeuter 0.3-2.9 - Code Injection
Improper Neutralization of Special Elements used in an OS Command in the podcast playback function of Podbeuter in Newsbeuter 0.3 through 2.9 allows remote attackers to perform user-assisted code execution by crafting an RSS item with a media enclosure (i.e., a podcast file) that includes shell metacharacters in its filename, related to pb_controller.cpp and queueloader.cpp, a different vulnerability than CVE-2017-12904.
CVSS 8.8
Trixbox - 2.8.0.4 OS Command Injection
trixbox 2.8.0.4 has OS command injection via shell metacharacters in the lang parameter to /maint/modules/home/index.php.
CVSS 8.8
Trixbox 2.8.0 - Path Traversal
trixbox 2.8.0.4 has path traversal via the xajaxargs array parameter to /maint/index.php?packages or the lang parameter to /maint/modules/home/index.php.
CVSS 6.5
GNOME Nautilus <3.23.90 - Info Disclosure
GNOME Nautilus before 3.23.90 allows attackers to spoof a file type by using the .desktop file extension, as demonstrated by an attack in which a .desktop file's Name field ends in .pdf but this file's Exec field launches a malicious "sh -c" command. In other words, Nautilus provides no UI indication that a file actually has the potentially unsafe .desktop extension; instead, the UI only shows the .pdf extension. One (slightly) mitigating factor is that an attack requires the .desktop file to have execute permission. The solution is to ask the user to confirm that the file is supposed to be treated as a .desktop file, and then remember the user's answer in the metadata::trusted field.
CVSS 6.5
phpmyfaq <= 2.9.8 - Stored Cross-Site Scripting via FAQ Title Field
Cross-site scripting (XSS) vulnerability in phpMyFAQ through 2.9.8 allows remote attackers to inject arbitrary web script or HTML via the "Title of your FAQ" field in the Configuration Module.
CVSS 6.1
ERS Data System <1.8.1.0 - Code Injection
ERS Data System 1.8.1.0 allows remote attackers to execute arbitrary code, related to "com.branaghgroup.ecers.update.UpdateRequest" object deserialization.
CVSS 9.8
WordPress < 4.8.2 - SQL Injection via $wpdb->prepare Placeholder Mishandling
Before version 4.8.2, WordPress mishandled % characters and additional placeholder values in $wpdb->prepare, and thus did not properly address the possibility of plugins and themes enabling SQL injection attacks.
CVSS 9.8
Tine 2.0 < 2017.08.3 - Authenticated Stored Cross-Site Scripting via Filemanager Filename
Stored XSS vulnerability via IMG element at "Filename" of Filemanager in Tine 2.0 Community Edition before 2017.08.4 allows an authenticated user to inject JavaScript, which is mishandled during rendering by the application administrator and other users.
CVSS 5.4
Tine 2.0 < 2017.08.3 - Authenticated Stored Cross-Site Scripting via IMG Element in History
Stored XSS vulnerability via IMG element at "History" of Profile, Calendar, Tasks, and CRM in Tine 2.0 Community Edition before 2017.08.4 allows an authenticated user to inject JavaScript, which is mishandled during rendering by the application administrator and other users.
CVSS 5.4
Tine 2.0 < 2017.08.3 - Authenticated Stored Cross-Site Scripting via CRM Leadname IMG Element
Stored XSS vulnerability via IMG element at "Leadname" of CRM in Tine 2.0 Community Edition before 2017.08.4 allows an authenticated user to inject JavaScript, which is mishandled during rendering by the application administrator and other users.
CVSS 5.4
D-Link DIR-868L/880L/885L/890L/895L/895R Firmware - Remote Code Execution via CONTENT_TYPE Header Buffer Overflow
Certain D-Link products are affected by: Buffer Overflow. This affects DIR-880L 1.08B04 and DIR-895 L/R 1.13b03. The impact is: execute arbitrary code (remote). The component is: htdocs/fileaccess.cgi. The attack vector is: A crafted HTTP request handled by fileacces.cgi could allow an attacker to mount a ROP attack: if the HTTP header field CONTENT_TYPE starts with ''boundary=' followed by more than 256 characters, a buffer overflow would be triggered, potentially causing code execution.
CVSS 9.8
Linux Kernel < 4.13.4 - Unauthorized Sensitive Information Exposure via waitid System Call
The waitid implementation in kernel/exit.c in the Linux kernel through 4.13.4 accesses rusage data structures in unintended cases, which allows local users to obtain sensitive information, and bypass the KASLR protection mechanism, via a crafted system call.
CVSS 5.5
Zoom < 2.0.115900.1201 - Remote Code Execution via zoommtg:// Scheme Handler
Stack-based buffer overflow in the ZoomLauncher binary in the Zoom client for Linux before 2.0.115900.1201 allows remote attackers to execute arbitrary code by leveraging the zoommtg:// scheme handler.
CVSS 8.8
Zoom < 2.0.115900.1201 - Remote Code Execution via zoommtg:// Scheme Handler
The ZoomLauncher binary in the Zoom client for Linux before 2.0.115900.1201 does not properly sanitize user input when constructing a shell command, which allows remote attackers to execute arbitrary code by leveraging the zoommtg:// scheme handler.
CVSS 8.8
Kanboard - Authenticated Authorization Bypass via Swimlane Form Manipulation
In Kanboard before 1.0.47, by altering form data, an authenticated user can edit swimlanes of a private project of another user.
CVSS 4.3
Kanboard < 1.0.47 - Authenticated Authorization Bypass via Form Data Manipulation
In Kanboard before 1.0.47, by altering form data, an authenticated user can remove columns from a private project of another user.
CVSS 4.3
Kanboard < 1.0.47 - Authenticated Authorization Bypass via Category Addition
In Kanboard before 1.0.47, by altering form data, an authenticated user can add a new category to a private project of another user.
CVSS 4.3
By Source