Exploit Database

145,709 exploits tracked across all sources.

Sort: Activity Stars
CVE-2017-6478 WRITEUP MEDIUM
mangoswebv4 < 4.0.8 - Reflected Cross-Site Scripting via Install Step Parameter
paintballrefjosh/MaNGOSWebV4 before 4.0.8 is vulnerable to a reflected XSS in install/index.php (step parameter).
CVSS 6.1
CVE-2017-6514 WRITEUP MEDIUM
WordPress 4.7.2 - Path Disclosure via OEmbed Endpoint
WordPress 4.7.2 mishandles listings of post authors, which allows remote attackers to obtain sensitive information (Path Disclosure) via a /wp-json/oembed/1.0/embed?url= request, related to the "author_name":" substring.
CVSS 5.3
CVE-2017-6736 WRITEUP HIGH
Cisco IOS and IOS XE - Authenticated Remote Code Execution via SNMP Buffer Overflow
The Simple Network Management Protocol (SNMP) subsystem of Cisco IOS and IOS XE Software contains multiple vulnerabilities that could allow an authenticated, remote attacker to remotely execute code on an affected system or cause an affected system to reload. An attacker could exploit these vulnerabilities by sending a crafted SNMP packet to an affected system via IPv4 or IPv6. Only traffic directed to an affected system can be used to exploit these vulnerabilities. The vulnerabilities are due to a buffer overflow condition in the SNMP subsystem of the affected software. The vulnerabilities affect all versions of SNMP - Versions 1, 2c, and 3. To exploit these vulnerabilities via SNMP Version 2c or earlier, the attacker must know the SNMP read-only community string for the affected system. To exploit these vulnerabilities via SNMP Version 3, the attacker must have user credentials for the affected system. A successful exploit could allow the attacker to execute arbitrary code and obtain full control of the affected system or cause the affected system to reload. Customers are advised to apply the workaround as contained in the Workarounds section below. Fixed software information is available via the Cisco IOS Software Checker. All devices that have enabled SNMP and have not explicitly excluded the affected MIBs or OIDs should be considered vulnerable. There are workarounds that address these vulnerabilities.
CVSS 8.8
CVE-2017-6797 WRITEUP MEDIUM
MantisBT < 1.3.7 and 2.x < 2.2.1 - Cross-Site Scripting via 'action_type' Parameter
A cross-site scripting (XSS) vulnerability in bug_change_status_page.php in MantisBT before 1.3.7 and 2.x before 2.2.1 allows remote attackers to inject arbitrary JavaScript via the 'action_type' parameter.
CVSS 6.1
CVE-2017-6820 WRITEUP MEDIUM
Roundcube Webmail < 1.1.8 and 1.2.x < 1.2.4 - Cross-Site Scripting via SVG CSS Token Sequence
rcube_utils.php in Roundcube before 1.1.8 and 1.2.x before 1.2.4 is susceptible to a cross-site scripting vulnerability via a crafted Cascading Style Sheets (CSS) token sequence within an SVG element.
CVSS 6.1
CVE-2017-6903 WRITEUP HIGH
ioquake3 <2017-03-14 - Code Injection
In ioquake3 before 2017-03-14, the auto-downloading feature has insufficient content restrictions. This also affects Quake III Arena, OpenArena, OpenJK, iortcw, and other id Tech 3 (aka Quake 3 engine) forks. A malicious auto-downloaded file can trigger loading of crafted auto-downloaded files as native code DLLs. A malicious auto-downloaded file can contain configuration defaults that override the user's. Executable bytecode in a malicious auto-downloaded file can set configuration variables to values that will result in unwanted native code DLLs being loaded, resulting in sandbox escape.
CVSS 7.8
CVE-2017-6903 WRITEUP HIGH
ioquake3 <2017-03-14 - Code Injection
In ioquake3 before 2017-03-14, the auto-downloading feature has insufficient content restrictions. This also affects Quake III Arena, OpenArena, OpenJK, iortcw, and other id Tech 3 (aka Quake 3 engine) forks. A malicious auto-downloaded file can trigger loading of crafted auto-downloaded files as native code DLLs. A malicious auto-downloaded file can contain configuration defaults that override the user's. Executable bytecode in a malicious auto-downloaded file can set configuration variables to values that will result in unwanted native code DLLs being loaded, resulting in sandbox escape.
CVSS 7.8
CVE-2017-7005 WRITEUP HIGH
Apple <10.3.2, <10.1.1, <10.2.1 - RCE
An issue was discovered in certain Apple products. iOS before 10.3.2 is affected. Safari before 10.1.1 is affected. tvOS before 10.2.1 is affected. The issue involves the "JavaScriptCore" component. It allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via a crafted web site.
CVSS 8.8
CVE-2017-7184 WRITEUP HIGH
Linux kernel <4.10.6 - Privilege Escalation
The xfrm_replay_verify_len function in net/xfrm/xfrm_user.c in the Linux kernel through 4.10.6 does not validate certain size data after an XFRM_MSG_NEWAE update, which allows local users to obtain root privileges or cause a denial of service (heap-based out-of-bounds access) by leveraging the CAP_NET_ADMIN capability, as demonstrated during a Pwn2Own competition at CanSecWest 2017 for the Ubuntu 16.10 linux-image-* package 4.8.0.41.52.
CVSS 7.8
CVE-2017-7185 WRITEUP HIGH
Cesanta Mongoose Library <6.7 & OS <1.2 Use-After-Free via Multipart POST
Use-after-free vulnerability in the mg_http_multipart_wait_for_boundary function in mongoose.c in Cesanta Mongoose Embedded Web Server Library 6.7 and earlier and Mongoose OS 1.2 and earlier allows remote attackers to cause a denial of service (crash) via a multipart/form-data POST request without a MIME boundary string.
CVSS 7.5
CVE-2017-7185 WRITEUP HIGH
Cesanta Mongoose Library <6.7 & OS <1.2 Use-After-Free via Multipart POST
Use-after-free vulnerability in the mg_http_multipart_wait_for_boundary function in mongoose.c in Cesanta Mongoose Embedded Web Server Library 6.7 and earlier and Mongoose OS 1.2 and earlier allows remote attackers to cause a denial of service (crash) via a multipart/form-data POST request without a MIME boundary string.
CVSS 7.5
CVE-2017-7215 WRITEUP MEDIUM
MISP < 2.4.68 - Cross-Site Scripting in Index Filter Tool and Organisation Landing Page
Cross site scripting in some view elements in the index filter tool in app/webroot/js/misp2.4.68.js and the organisation landing page in app/View/Organisations/ajax/landingpage.ctp of MISP before 2.4.69 allows remote attackers to inject arbitrary web script or HTML.
CVSS 6.1
CVE-2017-7228 WRITEUP HIGH
Xen 4.4.x-4.8.x - Improper Validation of Array Index in XENMEM_exchange
An issue (known as XSA-212) was discovered in Xen, with fixes available for 4.8.x, 4.7.x, 4.6.x, 4.5.x, and 4.4.x. The earlier XSA-29 fix introduced an insufficient check on XENMEM_exchange input, allowing the caller to drive hypervisor memory accesses outside of the guest provided input/output arrays.
CVSS 8.2
CVE-2017-7243 WRITEUP HIGH
Eclipse tinydtls 0.8.2 - Denial of Service via Change Cipher Spec Packet
Eclipse tinydtls 0.8.2 for Eclipse IoT allows remote attackers to cause a denial of service (DTLS peer crash) by sending a "Change cipher spec" packet without pre-handshake.
CVSS 7.5
CVE-2017-7269 WRITEUP CRITICAL
Internet Information Services 6.0 - Remote Code Execution via WebDAV PROPFIND Request
Buffer overflow in the ScStoragePathFromUrl function in the WebDAV service in Internet Information Services (IIS) 6.0 in Microsoft Windows Server 2003 R2 allows remote attackers to execute arbitrary code via a long header beginning with "If: <http://" in a PROPFIND request, as exploited in the wild in July or August 2016.
CVSS 9.8
CVE-2017-7269 WRITEUP CRITICAL
Internet Information Services 6.0 - Remote Code Execution via WebDAV PROPFIND Request
Buffer overflow in the ScStoragePathFromUrl function in the WebDAV service in Internet Information Services (IIS) 6.0 in Microsoft Windows Server 2003 R2 allows remote attackers to execute arbitrary code via a long header beginning with "If: <http://" in a PROPFIND request, as exploited in the wild in July or August 2016.
CVSS 9.8
CVE-2017-7277 WRITEUP HIGH
Linux kernel <4.10.6 - Info Disclosure/DoS
The TCP stack in the Linux kernel through 4.10.6 mishandles the SCM_TIMESTAMPING_OPT_STATS feature, which allows local users to obtain sensitive information from the kernel's internal socket data structures or cause a denial of service (out-of-bounds read) via crafted system calls, related to net/core/skbuff.c and net/socket.c.
CVSS 7.1
CVE-2017-7374 WRITEUP HIGH
Linux kernel < 4.10.7 - Use After Free
Use-after-free vulnerability in fs/crypto/ in the Linux kernel before 4.10.7 allows local users to cause a denial of service (NULL pointer dereference) or possibly gain privileges by revoking keyring keys being used for ext4, f2fs, or ubifs encryption, causing cryptographic transform objects to be freed prematurely.
CVSS 7.8
CVE-2017-7412 WRITEUP HIGH
NixOS 17.03 <17.03.887 - Privilege Escalation
NixOS 17.03 before 17.03.887 has a world-writable Docker socket, which allows local users to gain privileges by executing docker commands.
CVSS 7.8
CVE-2017-7418 WRITEUP MEDIUM
ProFTPD <1.3.5e, <1.3.6rc5 - Privilege Escalation
ProFTPD before 1.3.5e and 1.3.6 before 1.3.6rc5 controls whether the home directory of a user could contain a symbolic link through the AllowChrootSymlinks configuration option, but checks only the last path component when enforcing AllowChrootSymlinks. Attackers with local access could bypass the AllowChrootSymlinks control by replacing a path component (other than the last one) with a symbolic link. The threat model includes an attacker who is not granted full filesystem access by a hosting provider, but can reconfigure the home directory of an FTP user.
CVSS 5.5
CVE-2017-7458 WRITEUP HIGH
ntopng < 2.4 - Denial of Service via Empty Hostname Field in NetworkInterface::getHost
The NetworkInterface::getHost function in NetworkInterface.cpp in ntopng before 3.0 allows remote attackers to cause a denial of service (NULL pointer dereference and application crash) via an empty field that should have contained a hostname or IP address.
CVSS 7.5
CVE-2017-7472 WRITEUP MEDIUM
Linux kernel < 4.10.13 - Denial of Service via KEY_REQKEY_DEFL_THREAD_KEYRING Keyctl Calls
The KEYS subsystem in the Linux kernel before 4.10.13 allows local users to cause a denial of service (memory consumption) via a series of KEY_REQKEY_DEFL_THREAD_KEYRING keyctl_set_reqkey_keyring calls.
CVSS 5.5
CVE-2017-7500 WRITEUP HIGH
rpm 4.13.0.0-4.13.0.1 - Improper Link Resolution Before File Access
It was found that rpm did not properly handle RPM installations when a destination path was a symbolic link to a directory, possibly changing ownership and permissions of an arbitrary directory, and RPM files being placed in an arbitrary destination. An attacker, with write access to a directory in which a subdirectory will be installed, could redirect that directory to an arbitrary location and gain root privilege.
CVSS 7.3
CVE-2017-7533 WRITEUP HIGH
Linux Kernel <4.12.4 - Privilege Escalation
Race condition in the fsnotify implementation in the Linux kernel through 4.12.4 allows local users to gain privileges or cause a denial of service (memory corruption) via a crafted application that leverages simultaneous execution of the inotify_handle_event and vfs_rename functions.
CVSS 7.0
CVE-2017-7586 WRITEUP MEDIUM
Libsndfile <1.0.28 - Buffer Overflow
In libsndfile before 1.0.28, an error in the "header_read()" function (common.c) when handling ID3 tags can be exploited to cause a stack-based buffer overflow via a specially crafted FLAC file.
CVSS 5.5