Writeup Exploits
63,449 exploits tracked across all sources.
Pi-hole < 4.3.2 - Authenticated Remote Code Execution via DHCP Static Lease
Pi-hole Web v4.3.2 (aka AdminLTE) allows Remote Code Execution by privileged dashboard users via a crafted DHCP static lease.
CVSS 7.2
Pi-hole < 5.2.2 - Stored Cross-Site Scripting in DNS Query Log
The DNS query log in Pi-hole before 5.2.2 is vulnerable to stored XSS. An attacker with the ability to directly or indirectly query DNS with a malicious hostname can cause arbitrary JavaScript to execute when the Pi-hole administrator visits the Query Log or Long-term data Query Log page.
CVSS 6.1
Pi-hole < 5.0 - Code Injection via Teleporter Backup File Restoration
Pi-hole through 5.0 allows code injection in piholedhcp (the Static DHCP Leases section) by modifying Teleporter backup files and then restoring them. This occurs in settings.php. To exploit this, an attacker would request a backup of limited files via teleporter.php. These are placed into a .tar.gz archive. The attacker then modifies the host parameter in dnsmasq.d files, and then compresses and uploads these files again.
CVSS 7.8
Pi-hole < 5.0 - Code Injection via Teleporter Backup File Restoration
Pi-hole through 5.0 allows code injection in piholedhcp (the Static DHCP Leases section) by modifying Teleporter backup files and then restoring them. This occurs in settings.php. To exploit this, an attacker would request a backup of limited files via teleporter.php. These are placed into a .tar.gz archive. The attacker then modifies the host parameter in dnsmasq.d files, and then compresses and uploads these files again.
CVSS 7.8
Pi-hole 4.3 - OS Command Injection
Pi-Hole 4.3 allows Command Injection.
CVSS 8.8
CardGate Payments <3.1.15 - Auth Bypass
An issue was discovered in the CardGate Payments plugin through 3.1.15 for WooCommerce. Lack of origin authentication in the IPN callback processing function in cardgate/cardgate.php allows an attacker to remotely replace critical plugin settings (merchant ID, secret key, etc.) and therefore bypass the payment process (e.g., spoof an order status by manually sending an IPN callback request with a valid signature but without real payment) and/or receive all of the subsequent payments.
CVSS 8.1
MISP < 2.4.121 - Time-of-check Time-of-use Race Condition in Brute-Force Protection
An issue was discovered in MISP before 2.4.121. It mishandled time skew (between the machine hosting the web server and the machine hosting the database) when trying to block a brute-force series of invalid requests.
CVSS 5.9
MISP < 2.4.121 - Brute-Force Attack via Username Canonicalization Bypass
An issue was discovered in MISP before 2.4.121. It did not canonicalize usernames when trying to block a brute-force series of invalid requests.
CVSS 5.9
MISP < 2.4.121 - Brute-Force Protection Bypass via HTTP PUT Method
An issue was discovered in MISP before 2.4.121. It did not consider the HTTP PUT method when trying to block a brute-force series of invalid requests.
CVSS 8.1
Artica Pandora FMS 7.0 - Authenticated OS Command Injection via Netflow Live View Parameters
functions_netflow.php in Artica Pandora FMS 7.0 allows remote attackers to execute arbitrary OS commands via shell metacharacters in the index.php?operation/netflow/nf_live_view ip_dst, dst_port, or src_port parameter, a different vulnerability than CVE-2019-20224.
CVSS 7.2
Guangzhou 1GE ONU V2801RW and V2804RGW 1.9.1-181203-2.9.0-181024 - OS Command Injection via Ping Dest IP Address Field
Guangzhou 1GE ONU V2801RW 1.9.1-181203 through 2.9.0-181024 and V2804RGW 1.9.1-181203 through 2.9.0-181024 devices allow remote attackers to execute arbitrary OS commands via shell metacharacters in the boaform/admin/formPing Dest IP Address field.
CVSS 7.2
Blackboard Learn < 9.1 - Stored Cross-Site Scripting via Tile Widget in People Tool Profile Editor
Stored Cross-site scripting (XSS) vulnerability in Blackboard Learn/PeopleTool v9.1 allows users to inject arbitrary web script via the Tile widget in the People Tool profile editor.
CVSS 5.4
Joplin < 1.0.184 - Stored Cross-Site Scripting and Arbitrary File Read
Joplin through 1.0.184 allows Arbitrary File Read via XSS.
CVSS 5.4
ProFTPD 1.3.7 - Use-After-Free in Memory Pool via Data Transfer Channel Interruption
In ProFTPD 1.3.7, it is possible to corrupt the memory pool by interrupting the data transfer channel. This triggers a use-after-free in alloc_pool in pool.c, and possible remote code execution.
CVSS 8.8
Pure-FTPd 1.0.49 - Out-of-Bounds Read in pure_strcmp
An issue was discovered in Pure-FTPd 1.0.49. An out-of-bounds (OOB) read has been detected in the pure_strcmp function in utils.c.
CVSS 7.5
TP-Link TL-WR849N 0.9.1 4.16 - Remote Code Execution via Traceroute Shell Metacharacter Injection
On TP-Link TL-WR849N 0.9.1 4.16 devices, a remote command execution vulnerability in the diagnostics area can be exploited when an attacker sends specific shell metacharacters to the panel's traceroute feature.
CVSS 9.8
D-Link DIR-610 Firmware - Information Disclosure via getcfg.php
D-Link DIR-610 devices allow Information Disclosure via SERVICES=DEVICE.ACCOUNT%0AAUTHORIZED_GROUP=1 to getcfg.php. NOTE: This vulnerability only affects products that are no longer supported by the maintainer
CVSS 7.5
Epson iProjection < 2.30 - Denial of Service via EMP_MPAU.sys IOCtl Input Validation
In Epson iProjection v2.30, the driver file EMP_MPAU.sys allows local users to cause a denial of service (BSOD) or possibly have unspecified other impact because of not validating input values from IOCtl 0x9C402406 and IOCtl 0x9C40240A. (0x9C402402 has only a NULL pointer dereference.) This affects \Device\EMPMPAUIO and \DosDevices\EMPMPAU.
CVSS 5.5
Epson iProjection < 2.30 - Denial of Service via EMP_NSAU.sys Driver IOCTL
In Epson iProjection v2.30, the driver file (EMP_NSAU.sys) allows local users to cause a denial of service (BSOD) via crafted input to the virtual audio device driver with IOCTL 0x9C402402, 0x9C402406, or 0x9C40240A. \Device\EMPNSAUIO and \DosDevices\EMPNSAU are similarly affected.
CVSS 5.5
Max Secure Max Spyware Detector 1.0.0.044 - Denial of Service via IOCtl 0x2200019
In Max Secure Max Spyware Detector 1.0.0.044, the driver file (MaxProc64.sys) allows local users to cause a denial of service (BSOD) or possibly have unspecified other impact because of not validating input values from IOCtl 0x2200019. (This also extends to the various other products from Max Secure that include MaxProc64.sys.)
CVSS 7.8
IObit Advanced SystemCare 13.2 - Use After Free
The AscRegistryFilter.sys kernel driver in IObit Advanced SystemCare 13.2 allows an unprivileged user to send an IOCTL to the device driver. If the user provides a NULL entry for the dwIoControlCode parameter, a kernel panic (aka BSOD) follows. The IOCTL codes can be found in the dispatch function: 0x8001E000, 0x8001E004, 0x8001E008, 0x8001E00C, 0x8001E010, 0x8001E014, 0x8001E020, 0x8001E024, 0x8001E040, 0x8001E044, and 0x8001E048. \DosDevices\AscRegistryFilter and \Device\AscRegistryFilter are affected.
CVSS 6.5
Oempro 4.7-4.11 - Authenticated Cross-Site Scripting via CampaignName Parameter
Octech Oempro 4.7 through 4.11 allow XSS by an authenticated user. The parameter CampaignName in Campaign.Create is vulnerable.
CVSS 5.4
Octech Oempro 4.7-4.11 - Authenticated Stored Cross-Site Scripting via Media.CreateFolder FolderName Parameter
Octech Oempro 4.7 through 4.11 allow stored XSS by an authenticated user. The FolderName parameter of the Media.CreateFolder command is vulnerable.
CVSS 5.4
Craft CMS SEOmatic < 3.3.0 - Server-Side Template Injection via Metacontainers Controller
The SEOmatic component before 3.3.0 for Craft CMS allows Server-Side Template Injection that leads to RCE via malformed data to the metacontainers controller.
CVSS 9.8
eu.hinsch:spring-boot-actuator-logview <0.2.13 - Path Traversal
spring-boot-actuator-logview in a library that adds a simple logfile viewer as spring boot actuator endpoint. It is maven package "eu.hinsch:spring-boot-actuator-logview". In spring-boot-actuator-logview before version 0.2.13 there is a directory traversal vulnerability. The nature of this library is to expose a log file directory via admin (spring boot actuator) HTTP endpoints. Both the filename to view and a base folder (relative to the logging folder root) can be specified via request parameters. While the filename parameter was checked to prevent directory traversal exploits (so that `filename=../somefile` would not work), the base folder parameter was not sufficiently checked, so that `filename=somefile&base=../` could access a file outside the logging base directory). The vulnerability has been patched in release 0.2.13. Any users of 0.2.12 should be able to update without any issues as there are no other changes in that release. There is no workaround to fix the vulnerability other than updating or removing the dependency. However, removing read access of the user the application is run with to any directory not required for running the application can limit the impact. Additionally, access to the logview endpoint can be limited by deploying the application behind a reverse proxy.
CVSS 7.7
By Source