Writeup Exploits
63,466 exploits tracked across all sources.
ONLYOFFICE DocumentServer 4.2.0.236-5.6.4.13 - Remote Code Execution via DOCT to DOCX Conversion
A file extension handling issue was found in [core] module of ONLYOFFICE DocumentServer v4.2.0.236-v5.6.4.13. An attacker must request the conversion of the crafted file from DOCT into DOCX format. Using the chain of two other bugs related to improper string handling, an attacker can achieve remote code execution on DocumentServer.
CVSS 9.8
ONLYOFFICE DocumentServer 4.2.0.71-5.6.0.21 - Remote Code Execution via File Extension Handling Issue
A file extension handling issue was found in [server] module of ONLYOFFICE DocumentServer v4.2.0.71-v5.6.0.21. The file extension is controlled by an attacker through the request data and leads to arbitrary file overwriting. Using this vulnerability, a remote attacker can obtain remote code execution on DocumentServer.
CVSS 9.8
OpenNMS Horizon <27.1.1 & Meridian <2019.1.19 - Authenticated Stored XSS via NoticeWizard
In OpenNMS Horizon, versions opennms-1-0-stable through opennms-27.1.0-1; OpenNMS Meridian, versions meridian-foundation-2015.1.0-1 through meridian-foundation-2019.1.18-1; meridian-foundation-2020.1.0-1 through meridian-foundation-2020.1.6-1 are vulnerable to Stored Cross-Site Scripting since there is no validation on the input being sent to the `name` parameter in `noticeWizard` endpoint. Due to this flaw an authenticated attacker could inject arbitrary script and trick other admin users into downloading malicious files.
CVSS 4.8
OpenNMS Horizon < 27.1.1 and Meridian < 2019.1.19 - Cross-Site Request Forgery
In OpenNMS Horizon, versions opennms-1-0-stable through opennms-27.1.0-1; OpenNMS Meridian, versions meridian-foundation-2015.1.0-1 through meridian-foundation-2019.1.18-1; meridian-foundation-2020.1.0-1 through meridian-foundation-2020.1.6-1 are vulnerable to CSRF, due to no CSRF protection, and since there is no validation of an existing user name while renaming a user. As a result, privileges of the renamed user are being overwritten by the old user and the old user is being deleted from the user list.
CVSS 4.3
OpenNMS Horizon < 27.1.1 and Meridian < 2019.1.19 - Cross-Site Request Forgery via User Update Endpoint
In OpenNMS Horizon, versions opennms-1-0-stable through opennms-27.1.0-1; OpenNMS Meridian, versions meridian-foundation-2015.1.0-1 through meridian-foundation-2019.1.18-1; meridian-foundation-2020.1.0-1 through meridian-foundation-2020.1.6-1 are vulnerable to CSRF, due to no CSRF protection at `/opennms/admin/userGroupView/users/updateUser`. This flaw allows assigning `ROLE_ADMIN` security role to a normal user. Using this flaw, an attacker can trick the admin user to assign administrator privileges to a normal user by enticing him to click upon an attacker-controlled website.
CVSS 8.8
OpenNMS Horizon <27.1.0-1 & Meridian <2020.1.6-1 - Stored XSS via userID Parameter
In OpenNMS Horizon, versions opennms-1-0-stable through opennms-27.1.0-1; OpenNMS Meridian, versions meridian-foundation-2015.1.0-1 through meridian-foundation-2019.1.18-1; meridian-foundation-2020.1.0-1 through meridian-foundation-2020.1.6-1 are vulnerable to Stored Cross-Site Scripting, since the function `validateFormInput()` performs improper validation checks on the input sent to the `userID` parameter. Due to this flaw an attacker could inject an arbitrary script which will be stored in the database.
CVSS 5.4
OpenNMS Horizon <27.1.1 & Meridian <2019.1.19 - Authenticated Stored XSS via groupName/groupComment
In OpenNMS Horizon, versions opennms-1-0-stable through opennms-27.1.0-1; OpenNMS Meridian, versions meridian-foundation-2015.1.0-1 through meridian-foundation-2019.1.18-1; meridian-foundation-2020.1.0-1 through meridian-foundation-2020.1.6-1 are vulnerable to Stored Cross-Site Scripting, since the function `validateFormInput()` performs improper validation checks on the input sent to the `groupName` and `groupComment` parameters. Due to this flaw, an authenticated attacker could inject arbitrary script and trick other admin users into downloading malicious files which can cause severe damage to the organization using opennms.
CVSS 4.8
OpenNMS Horizon 18.0.0-27.1.0 and Meridian 2015.1.0-2019.1.18 - Stored Cross-Site Scripting via Node Label Parameter
In OpenNMS Horizon, versions opennms-18.0.0-1 through opennms-27.1.0-1; OpenNMS Meridian, versions meridian-foundation-2015.1.0-1 through meridian-foundation-2019.1.18-1; meridian-foundation-2020.1.0-1 through meridian-foundation-2020.1.7-1 are vulnerable to Stored Cross-Site Scripting, since the function `createRequisitionedNode()` does not perform any validation checks on the input sent to the `node-label` parameter. Due to this flaw an attacker could inject an arbitrary script which will be stored in the database.
CVSS 5.4
OpenNMS Horizon 17.0.0-27.1.0 and Meridian 2015.1.0-2019.1.18 - Stored Cross-Site Scripting via Foreign Source Parameter
In OpenNMS Horizon, versions opennms-17.0.0-1 through opennms-27.1.0-1; OpenNMS Meridian, versions meridian-foundation-2015.1.0-1 through meridian-foundation-2019.1.18-1; meridian-foundation-2020.1.0-1 through meridian-foundation-2020.1.7-1 are vulnerable to Stored Cross-Site Scripting, since the function `add()` performs improper validation checks on the input sent to the `foreign-source` parameter. Due to this flaw an attacker could bypass the existing regex validation and inject an arbitrary script which will be stored in the database.
CVSS 5.4
ArangoDB 3.7.0-3.9.0-alpha.1 - Authenticated Server-Side Request Forgery via Foxx Service Download
In ArangoDB, versions v3.7.0 through v3.9.0-alpha.1 have a feature which allows downloading a Foxx service from a publicly available URL. This feature does not enforce proper filtering of requests performed internally, which can be abused by a highly-privileged attacker to perform blind SSRF and send internal requests to localhost.
CVSS 2.7
Talkyard 0.2021.20-0.2021.33 - Insufficient Session Expiration
In Talkyard, regular versions v0.2021.20 through v0.2021.33 and dev versions v0.2021.20 through v0.2021.34, are vulnerable to Insufficient Session Expiration. This may allow an attacker to reuse the admin’s still-valid session token even when logged-out, to gain admin privileges, given the attacker is able to obtain that token (via other, hypothetical attacks)
CVSS 9.8
Jenzabar 9.2.0-9.2.2 - Cross-Site Scripting via Search Query Parameter
Jenzabar 9.2.x through 9.2.2 allows /ics?tool=search&query= XSS.
CVSS 6.1
PEEL SHOPPING 9.3.0 and 9.4.0 - Stored Cross-Site Scripting via Polyglot Payload
A Stored Cross Site Scripting(XSS) Vulnerability was discovered in PEEL SHOPPING 9.3.0 and 9.4.0, which are publicly available. The user supplied input containing polyglot payload is echoed back in javascript code in HTML response. This allows an attacker to input malicious JavaScript which can steal cookie, redirect them to other malicious website, etc.
CVSS 5.4
BlackCat CMS 1.3.6 - Stored Cross-Site Scripting via Display Name Field
The admin panel in BlackCat CMS 1.3.6 allows stored XSS (by an admin) via the Display Name field to backend/preferences/ajax_save.php.
CVSS 4.8
BlackCat CMS 1.3.6 - Stored Cross-Site Scripting via Display Name Field
The admin panel in BlackCat CMS 1.3.6 allows stored XSS (by an admin) via the Display Name field to backend/preferences/ajax_save.php.
CVSS 4.8
BlackCat CMS 1.3.6 - Authenticated Stored Cross-Site Scripting via Admin-Tools Output Filters and Droplets
A stored cross site scripting (XSS) vulnerability in the 'Admin-Tools' feature of BlackCat CMS 1.3.6 allows authenticated attackers to execute arbitrary web scripts or HTML via crafted payloads entered into the 'Output Filters' and 'Droplets' modules.
CVSS 4.8
BlackCat CMS 1.3.6 - Authenticated Stored Cross-Site Scripting via Add Page Title Parameter
A stored cross site scripting (XSS) vulnerability in the 'Add Page' feature of BlackCat CMS 1.3.6 allows authenticated attackers to execute arbitrary web scripts or HTML via a crafted payload entered into the 'Title' parameter.
CVSS 5.4
BlackCat CMS < 1.4 - Cross-Site Request Forgery Bypass
An issue was discovered in BlackCat CMS before 1.4. There is a CSRF vulnerability (bypass csrf_token) that allows remote arbitrary code execution.
CVSS 8.8
BlackCatCMS 1.3 - Authenticated Stored Cross-Site Scripting in Search Panel
Cross-site scripting (XSS) vulnerability in backend/pages/modify.php in BlackCatCMS 1.3 allows remote authenticated users with the Admin role to inject arbitrary web script or HTML via the search panel.
CVSS 4.8
BlackCatCMS 1.3 - Authenticated Stored Cross-Site Scripting in Search Panel
Cross-site scripting (XSS) vulnerability in backend/pages/modify.php in BlackCatCMS 1.3 allows remote authenticated users with the Admin role to inject arbitrary web script or HTML via the search panel.
CVSS 4.8
Blackcat CMS 1.2 - Authenticated Cross-Site Scripting via map_language Parameter
Cross-site scripting (XSS) vulnerability in Blackcat CMS 1.2 allows remote authenticated users to inject arbitrary web script or HTML via the map_language parameter to backend/pages/lang_settings.php.
CVSS 5.4
BlackCat CMS 1.1.2 - Stored Cross-Site Scripting via Group Name Parameter
Cross-site scripting (XSS) vulnerability in BlackCat CMS 1.1.2 allows remote attackers to inject arbitrary web script or HTML via the name in a new group to backend/groups/index.php.
CVSS 4.8
Pygments 1.1-2.7.3 - Denial of Service via Inefficient Regular Expression Complexity
In pygments 1.1+, fixed in 2.7.4, the lexers used to parse programming languages rely heavily on regular expressions. Some of the regular expressions have exponential or cubic worst-case complexity and are vulnerable to ReDoS. By crafting malicious input, an attacker can cause a denial of service.
CVSS 7.5
ua-parser-js 0.7.14-0.7.23 - Denial of Service via Malicious User-Agent Header
ua-parser-js >= 0.7.14, fixed in 0.7.24, uses a regular expression which is vulnerable to denial of service. If an attacker sends a malicious User-Agent header, ua-parser-js will get stuck processing it for an extended period of time.
CVSS 7.5
Faraday Edge < 3.7 - Cross-Site Scripting via Network Name Parameter
Faraday Edge before 3.7 allows XSS via the network/create/ page and its network name parameter.
CVSS 5.4
By Source