Exploit Database

145,709 exploits tracked across all sources.

Sort: Activity Stars
CVE-2017-5487 WRITEUP MEDIUM
WordPress < 4.7.1 - Unauthorized User Information Exposure via REST API
wp-includes/rest-api/endpoints/class-wp-rest-users-controller.php in the REST API implementation in WordPress 4.7 before 4.7.1 does not properly restrict listings of post authors, which allows remote attackers to obtain sensitive information via a wp-json/wp/v2/users request.
CVSS 5.3
CVE-2017-5507 WRITEUP HIGH
ImageMagick - Memory Leak in MPC Coder
Memory leak in coders/mpc.c in ImageMagick before 6.9.7-4 and 7.x before 7.0.4-4 allows remote attackers to cause a denial of service (memory consumption) via vectors involving a pixel cache.
CVSS 7.5
CVE-2017-5508 WRITEUP MEDIUM
ImageMagick - Heap-based Buffer Overflow in PushQuantumPixel via Crafted TIFF File
Heap-based buffer overflow in the PushQuantumPixel function in ImageMagick before 6.9.7-3 and 7.x before 7.0.4-3 allows remote attackers to cause a denial of service (application crash) via a crafted TIFF file.
CVSS 5.5
CVE-2017-5509 WRITEUP HIGH
ImageMagick < 6.9.7-4 - Out-of-bounds Write via PSD File
coders/psd.c in ImageMagick allows remote attackers to have unspecified impact via a crafted PSD file, which triggers an out-of-bounds write.
CVSS 7.8
CVE-2017-5510 WRITEUP HIGH
ImageMagick < 6.9.7-4 - Out-of-bounds Write via Crafted PSD File
coders/psd.c in ImageMagick allows remote attackers to have unspecified impact via a crafted PSD file, which triggers an out-of-bounds write.
CVSS 7.8
CVE-2017-5511 WRITEUP CRITICAL
ImageMagick < 6.9.7-3 - Heap-Based Buffer Overflow in PSD Coder
coders/psd.c in ImageMagick allows remote attackers to have unspecified impact by leveraging an improper cast, which triggers a heap-based buffer overflow.
CVSS 9.8
CVE-2017-5537 WRITEUP MEDIUM
Weblate < 2.10.1 - User Enumeration via Password Reset Error Messages
The password reset form in Weblate before 2.10.1 provides different error messages depending on whether the email address is associated with an account, which allows remote attackers to enumerate user accounts via a series of requests.
CVSS 5.3
CVE-2017-5594 WRITEUP HIGH
Pagekit < 1.0.11 - Unauthenticated Password Reset via Debug Toolbar
An issue was discovered in Pagekit CMS before 1.0.11. In this vulnerability the remote attacker is able to reset the registered user's password, when the debug toolbar is enabled. The password is successfully recovered using this exploit. The SecureLayer7 ID is SL7_PGKT_01.
CVSS 7.5
CVE-2017-5669 WRITEUP HIGH
Linux kernel <4.9.12 - Local Privilege Escalation
The do_shmat function in ipc/shm.c in the Linux kernel through 4.9.12 does not restrict the address calculated by a certain rounding operation, which allows local users to map page zero, and consequently bypass a protection mechanism that exists for the mmap system call, by making crafted shmget and shmat system calls in a privileged context.
CVSS 7.8
CVE-2017-5850 WRITEUP HIGH
OpenBSD httpd - Denial of Service via HTTP Range Header
httpd in OpenBSD allows remote attackers to cause a denial of service (memory consumption) via a series of requests for a large file using an HTTP Range header.
CVSS 7.5
CVE-2017-5930 WRITEUP LOW
Opensuse Leap < 3.0.2 - Missing Authorization
The AliasHandler component in PostfixAdmin before 3.0.2 allows remote authenticated domain admins to delete protected aliases via the delete parameter to delete.php, involving a missing permission check.
CVSS 2.7
CVE-2017-5940 WRITEUP HIGH
Firejail 0.9.38-0.9.38.9 LTS and 0.9.40-0.9.44.5 - Sandbox Escape via Symlink and --private Option
Firejail before 0.9.44.6 and 0.9.38.x LTS before 0.9.38.10 LTS does not comprehensively address dotfile cases during its attempt to prevent accessing user files with an euid of zero, which allows local users to conduct sandbox-escape attacks via vectors involving a symlink and the --private option. NOTE: this vulnerability exists because of an incomplete fix for CVE-2017-5180.
CVSS 8.8
CVE-2017-6074 WRITEUP HIGH
Linux Kernel < 3.2.86 - Double Free in DCCP Packet Processing
The dccp_rcv_state_process function in net/dccp/input.c in the Linux kernel through 4.9.11 mishandles DCCP_PKT_REQUEST packet data structures in the LISTEN state, which allows local users to obtain root privileges or cause a denial of service (double free) via an application that makes an IPV6_RECVPKTINFO setsockopt system call.
CVSS 7.8
CVE-2017-6087 WRITEUP HIGH
EyesOfNetwork eonweb < 5.0-0 - Authenticated OS Command Injection via selected_events[] Parameter
EyesOfNetwork ("EON") 5.0 and earlier allows remote authenticated users to execute arbitrary code via shell metacharacters in the selected_events[] parameter in the (1) acknowledge, (2) delete, or (3) ownDisown function in module/monitoring_ged/ged_functions.php or the (4) module parameter to module/index.php.
CVSS 8.8
CVE-2017-6098 WRITEUP HIGH
Mail Masta 1.0 - Authenticated SQL Injection via list_id Parameter
A SQL injection issue was discovered in the Mail Masta (aka mail-masta) plugin 1.0 for WordPress. This affects /inc/campaign_save.php (Requires authentication to Wordpress admin) with the POST Parameter: list_id.
CVSS 7.2
CVE-2017-6097 WRITEUP HIGH
Mail Masta 1.0 - Authenticated SQL Injection via camp_id Parameter
A SQL injection issue was discovered in the Mail Masta (aka mail-masta) plugin 1.0 for WordPress. This affects /inc/campaign/count_of_send.php (Requires authentication to Wordpress admin) with the POST Parameter: camp_id.
CVSS 7.2
CVE-2017-6096 WRITEUP HIGH
Mail Masta 1.0 - Authenticated SQL Injection via Filter List Parameter
A SQL injection issue was discovered in the Mail Masta (aka mail-masta) plugin 1.0 for WordPress. This affects /inc/lists/view-list.php (Requires authentication to Wordpress admin) with the GET Parameter: filter_list.
CVSS 7.2
CVE-2017-6095 WRITEUP CRITICAL
Mail Masta 1.0 - Unauthenticated SQL Injection via list_id Parameter
A SQL injection issue was discovered in the Mail Masta (aka mail-masta) plugin 1.0 for WordPress. This affects /inc/lists/csvexport.php (Unauthenticated) with the GET Parameter: list_id.
CVSS 9.8
CVE-2017-6199 WRITEUP CRITICAL
sandstorm < 0.203 - Unauthenticated Organization Restriction Bypass via Email-Address Field Comma Injection
A remote attacker could bypass the Sandstorm organization restriction before build 0.203 via a comma in an email-address field.
CVSS 9.8
CVE-2017-6200 WRITEUP MEDIUM
Sandstorm < 0.203 - Unauthenticated Arbitrary File Read via Backup Function
Sandstorm before build 0.203 allows remote attackers to read any specified file under /etc or /run via the sandbox backup function. The root cause is that the findFilesToZip function doesn't filter Line Feed (\n) characters in a directory name.
CVSS 6.5
CVE-2017-6307 WRITEUP HIGH
tnef < 1.4.13 - Out-of-bounds Write in MAPI Attribute Reader
An issue was discovered in tnef before 1.4.13. Two OOB Writes have been identified in src/mapi_attr.c:mapi_attr_read(). These might lead to invalid read and write operations, controlled by an attacker.
CVSS 7.8
CVE-2017-6308 WRITEUP HIGH
tnef < 1.4.13 - Integer Overflow and Heap Overflow via Memory Allocation Wrapper
An issue was discovered in tnef before 1.4.13. Several Integer Overflows, which can lead to Heap Overflows, have been identified in the functions that wrap memory allocation.
CVSS 7.8
CVE-2017-6309 WRITEUP HIGH
tnef < 1.4.13 - Out-of-bounds Read via Type Confusion in parse_file()
An issue was discovered in tnef before 1.4.13. Two type confusions have been identified in the parse_file() function. These might lead to invalid read and write operations, controlled by an attacker.
CVSS 7.8
CVE-2017-6310 WRITEUP HIGH
tnef < 1.4.13 - Out-of-bounds Read via MAPI Attribute Type Confusion
An issue was discovered in tnef before 1.4.13. Four type confusions have been identified in the file_add_mapi_attrs() function. These might lead to invalid read and write operations, controlled by an attacker.
CVSS 7.8
CVE-2017-6413 WRITEUP HIGH
mod_auth_openidc < 2.1.6 - Authentication Bypass via OIDC_CLAIM_ and OIDCAuthNHeader Headers
The "OpenID Connect Relying Party and OAuth 2.0 Resource Server" (aka mod_auth_openidc) module before 2.1.6 for the Apache HTTP Server does not skip OIDC_CLAIM_ and OIDCAuthNHeader headers in an "AuthType oauth20" configuration, which allows remote attackers to bypass authentication via crafted HTTP traffic.
CVSS 8.6