Writeup Exploits

63,466 exploits tracked across all sources.

Sort: Activity Stars
CVE-2021-25830 WRITEUP CRITICAL
ONLYOFFICE DocumentServer 4.2.0.236-5.6.4.13 - Remote Code Execution via DOCT to DOCX Conversion
A file extension handling issue was found in [core] module of ONLYOFFICE DocumentServer v4.2.0.236-v5.6.4.13. An attacker must request the conversion of the crafted file from DOCT into DOCX format. Using the chain of two other bugs related to improper string handling, an attacker can achieve remote code execution on DocumentServer.
CVSS 9.8
CVE-2021-25833 WRITEUP CRITICAL
ONLYOFFICE DocumentServer 4.2.0.71-5.6.0.21 - Remote Code Execution via File Extension Handling Issue
A file extension handling issue was found in [server] module of ONLYOFFICE DocumentServer v4.2.0.71-v5.6.0.21. The file extension is controlled by an attacker through the request data and leads to arbitrary file overwriting. Using this vulnerability, a remote attacker can obtain remote code execution on DocumentServer.
CVSS 9.8
CVE-2021-25929 WRITEUP MEDIUM
OpenNMS Horizon <27.1.1 & Meridian <2019.1.19 - Authenticated Stored XSS via NoticeWizard
In OpenNMS Horizon, versions opennms-1-0-stable through opennms-27.1.0-1; OpenNMS Meridian, versions meridian-foundation-2015.1.0-1 through meridian-foundation-2019.1.18-1; meridian-foundation-2020.1.0-1 through meridian-foundation-2020.1.6-1 are vulnerable to Stored Cross-Site Scripting since there is no validation on the input being sent to the `name` parameter in `noticeWizard` endpoint. Due to this flaw an authenticated attacker could inject arbitrary script and trick other admin users into downloading malicious files.
CVSS 4.8
CVE-2021-25930 WRITEUP MEDIUM
OpenNMS Horizon < 27.1.1 and Meridian < 2019.1.19 - Cross-Site Request Forgery
In OpenNMS Horizon, versions opennms-1-0-stable through opennms-27.1.0-1; OpenNMS Meridian, versions meridian-foundation-2015.1.0-1 through meridian-foundation-2019.1.18-1; meridian-foundation-2020.1.0-1 through meridian-foundation-2020.1.6-1 are vulnerable to CSRF, due to no CSRF protection, and since there is no validation of an existing user name while renaming a user. As a result, privileges of the renamed user are being overwritten by the old user and the old user is being deleted from the user list.
CVSS 4.3
CVE-2021-25931 WRITEUP HIGH
OpenNMS Horizon < 27.1.1 and Meridian < 2019.1.19 - Cross-Site Request Forgery via User Update Endpoint
In OpenNMS Horizon, versions opennms-1-0-stable through opennms-27.1.0-1; OpenNMS Meridian, versions meridian-foundation-2015.1.0-1 through meridian-foundation-2019.1.18-1; meridian-foundation-2020.1.0-1 through meridian-foundation-2020.1.6-1 are vulnerable to CSRF, due to no CSRF protection at `/opennms/admin/userGroupView/users/updateUser`. This flaw allows assigning `ROLE_ADMIN` security role to a normal user. Using this flaw, an attacker can trick the admin user to assign administrator privileges to a normal user by enticing him to click upon an attacker-controlled website.
CVSS 8.8
CVE-2021-25932 WRITEUP MEDIUM
OpenNMS Horizon <27.1.0-1 & Meridian <2020.1.6-1 - Stored XSS via userID Parameter
In OpenNMS Horizon, versions opennms-1-0-stable through opennms-27.1.0-1; OpenNMS Meridian, versions meridian-foundation-2015.1.0-1 through meridian-foundation-2019.1.18-1; meridian-foundation-2020.1.0-1 through meridian-foundation-2020.1.6-1 are vulnerable to Stored Cross-Site Scripting, since the function `validateFormInput()` performs improper validation checks on the input sent to the `userID` parameter. Due to this flaw an attacker could inject an arbitrary script which will be stored in the database.
CVSS 5.4
CVE-2021-25933 WRITEUP MEDIUM
OpenNMS Horizon <27.1.1 & Meridian <2019.1.19 - Authenticated Stored XSS via groupName/groupComment
In OpenNMS Horizon, versions opennms-1-0-stable through opennms-27.1.0-1; OpenNMS Meridian, versions meridian-foundation-2015.1.0-1 through meridian-foundation-2019.1.18-1; meridian-foundation-2020.1.0-1 through meridian-foundation-2020.1.6-1 are vulnerable to Stored Cross-Site Scripting, since the function `validateFormInput()` performs improper validation checks on the input sent to the `groupName` and `groupComment` parameters. Due to this flaw, an authenticated attacker could inject arbitrary script and trick other admin users into downloading malicious files which can cause severe damage to the organization using opennms.
CVSS 4.8
CVE-2021-25934 WRITEUP MEDIUM
OpenNMS Horizon 18.0.0-27.1.0 and Meridian 2015.1.0-2019.1.18 - Stored Cross-Site Scripting via Node Label Parameter
In OpenNMS Horizon, versions opennms-18.0.0-1 through opennms-27.1.0-1; OpenNMS Meridian, versions meridian-foundation-2015.1.0-1 through meridian-foundation-2019.1.18-1; meridian-foundation-2020.1.0-1 through meridian-foundation-2020.1.7-1 are vulnerable to Stored Cross-Site Scripting, since the function `createRequisitionedNode()` does not perform any validation checks on the input sent to the `node-label` parameter. Due to this flaw an attacker could inject an arbitrary script which will be stored in the database.
CVSS 5.4
CVE-2021-25935 WRITEUP MEDIUM
OpenNMS Horizon 17.0.0-27.1.0 and Meridian 2015.1.0-2019.1.18 - Stored Cross-Site Scripting via Foreign Source Parameter
In OpenNMS Horizon, versions opennms-17.0.0-1 through opennms-27.1.0-1; OpenNMS Meridian, versions meridian-foundation-2015.1.0-1 through meridian-foundation-2019.1.18-1; meridian-foundation-2020.1.0-1 through meridian-foundation-2020.1.7-1 are vulnerable to Stored Cross-Site Scripting, since the function `add()` performs improper validation checks on the input sent to the `foreign-source` parameter. Due to this flaw an attacker could bypass the existing regex validation and inject an arbitrary script which will be stored in the database.
CVSS 5.4
CVE-2021-25939 WRITEUP LOW
ArangoDB 3.7.0-3.9.0-alpha.1 - Authenticated Server-Side Request Forgery via Foxx Service Download
In ArangoDB, versions v3.7.0 through v3.9.0-alpha.1 have a feature which allows downloading a Foxx service from a publicly available URL. This feature does not enforce proper filtering of requests performed internally, which can be abused by a highly-privileged attacker to perform blind SSRF and send internal requests to localhost.
CVSS 2.7
CVE-2021-25981 WRITEUP CRITICAL
Talkyard 0.2021.20-0.2021.33 - Insufficient Session Expiration
In Talkyard, regular versions v0.2021.20 through v0.2021.33 and dev versions v0.2021.20 through v0.2021.34, are vulnerable to Insufficient Session Expiration. This may allow an attacker to reuse the admin’s still-valid session token even when logged-out, to gain admin privileges, given the attacker is able to obtain that token (via other, hypothetical attacks)
CVSS 9.8
CVE-2021-26723 WRITEUP MEDIUM
Jenzabar 9.2.0-9.2.2 - Cross-Site Scripting via Search Query Parameter
Jenzabar 9.2.x through 9.2.2 allows /ics?tool=search&query= XSS.
CVSS 6.1
CVE-2021-27190 WRITEUP MEDIUM
PEEL SHOPPING 9.3.0 and 9.4.0 - Stored Cross-Site Scripting via Polyglot Payload
A Stored Cross Site Scripting(XSS) Vulnerability was discovered in PEEL SHOPPING 9.3.0 and 9.4.0, which are publicly available. The user supplied input containing polyglot payload is echoed back in javascript code in HTML response. This allows an attacker to input malicious JavaScript which can steal cookie, redirect them to other malicious website, etc.
CVSS 5.4
CVE-2021-27237 WRITEUP MEDIUM
BlackCat CMS 1.3.6 - Stored Cross-Site Scripting via Display Name Field
The admin panel in BlackCat CMS 1.3.6 allows stored XSS (by an admin) via the Display Name field to backend/preferences/ajax_save.php.
CVSS 4.8
CVE-2021-27237 WRITEUP MEDIUM
BlackCat CMS 1.3.6 - Stored Cross-Site Scripting via Display Name Field
The admin panel in BlackCat CMS 1.3.6 allows stored XSS (by an admin) via the Display Name field to backend/preferences/ajax_save.php.
CVSS 4.8
CVE-2020-25878 WRITEUP MEDIUM
BlackCat CMS 1.3.6 - Authenticated Stored Cross-Site Scripting via Admin-Tools Output Filters and Droplets
A stored cross site scripting (XSS) vulnerability in the 'Admin-Tools' feature of BlackCat CMS 1.3.6 allows authenticated attackers to execute arbitrary web scripts or HTML via crafted payloads entered into the 'Output Filters' and 'Droplets' modules.
CVSS 4.8
CVE-2020-25877 WRITEUP MEDIUM
BlackCat CMS 1.3.6 - Authenticated Stored Cross-Site Scripting via Add Page Title Parameter
A stored cross site scripting (XSS) vulnerability in the 'Add Page' feature of BlackCat CMS 1.3.6 allows authenticated attackers to execute arbitrary web scripts or HTML via a crafted payload entered into the 'Title' parameter.
CVSS 5.4
CVE-2020-25453 WRITEUP HIGH
BlackCat CMS < 1.4 - Cross-Site Request Forgery Bypass
An issue was discovered in BlackCat CMS before 1.4. There is a CSRF vulnerability (bypass csrf_token) that allows remote arbitrary code execution.
CVSS 8.8
CVE-2018-10821 WRITEUP MEDIUM
BlackCatCMS 1.3 - Authenticated Stored Cross-Site Scripting in Search Panel
Cross-site scripting (XSS) vulnerability in backend/pages/modify.php in BlackCatCMS 1.3 allows remote authenticated users with the Admin role to inject arbitrary web script or HTML via the search panel.
CVSS 4.8
CVE-2018-10821 WRITEUP MEDIUM
BlackCatCMS 1.3 - Authenticated Stored Cross-Site Scripting in Search Panel
Cross-site scripting (XSS) vulnerability in backend/pages/modify.php in BlackCatCMS 1.3 allows remote authenticated users with the Admin role to inject arbitrary web script or HTML via the search panel.
CVSS 4.8
CVE-2017-9609 WRITEUP MEDIUM
Blackcat CMS 1.2 - Authenticated Cross-Site Scripting via map_language Parameter
Cross-site scripting (XSS) vulnerability in Blackcat CMS 1.2 allows remote authenticated users to inject arbitrary web script or HTML via the map_language parameter to backend/pages/lang_settings.php.
CVSS 5.4
CVE-2015-5521 WRITEUP MEDIUM
BlackCat CMS 1.1.2 - Stored Cross-Site Scripting via Group Name Parameter
Cross-site scripting (XSS) vulnerability in BlackCat CMS 1.1.2 allows remote attackers to inject arbitrary web script or HTML via the name in a new group to backend/groups/index.php.
CVSS 4.8
CVE-2021-27291 WRITEUP HIGH
Pygments 1.1-2.7.3 - Denial of Service via Inefficient Regular Expression Complexity
In pygments 1.1+, fixed in 2.7.4, the lexers used to parse programming languages rely heavily on regular expressions. Some of the regular expressions have exponential or cubic worst-case complexity and are vulnerable to ReDoS. By crafting malicious input, an attacker can cause a denial of service.
CVSS 7.5
CVE-2021-27292 WRITEUP HIGH
ua-parser-js 0.7.14-0.7.23 - Denial of Service via Malicious User-Agent Header
ua-parser-js >= 0.7.14, fixed in 0.7.24, uses a regular expression which is vulnerable to denial of service. If an attacker sends a malicious User-Agent header, ua-parser-js will get stuck processing it for an extended period of time.
CVSS 7.5
CVE-2021-27338 WRITEUP MEDIUM
Faraday Edge < 3.7 - Cross-Site Scripting via Network Name Parameter
Faraday Edge before 3.7 allows XSS via the network/create/ page and its network name parameter.
CVSS 5.4