Writeup Exploits

63,530 exploits tracked across all sources.

Sort: Activity Stars
CVE-2021-29591 WRITEUP HIGH
TensorFlow < 2.1.4 - Denial of Service via Infinite Loop in TFlite Graph Evaluation
TensorFlow is an end-to-end open source platform for machine learning. TFlite graphs must not have loops between nodes. However, this condition was not checked and an attacker could craft models that would result in infinite loop during evaluation. In certain cases, the infinite loop would be replaced by stack overflow due to too many recursive calls. For example, the `While` implementation(https://github.com/tensorflow/tensorflow/blob/106d8f4fb89335a2c52d7c895b7a7485465ca8d9/tensorflow/lite/kernels/while.cc) could be tricked into a scneario where both the body and the loop subgraphs are the same. Evaluating one of the subgraphs means calling the `Eval` function for the other and this quickly exhaust all stack space. The fix will be included in TensorFlow 2.5.0. We will also cherrypick this commit on TensorFlow 2.4.2, TensorFlow 2.3.3, TensorFlow 2.2.3 and TensorFlow 2.1.4, as these are also affected and still in supported range. Please consult our security guide(https://github.com/tensorflow/tensorflow/blob/master/SECURITY.md) for more information regarding the security model and how to contact us with issues and questions.
CVSS 7.3
CVE-2021-29607 WRITEUP MEDIUM
TensorFlow < 2.1.4 - Memory Corruption via SparseAdd Input Validation
TensorFlow is an end-to-end open source platform for machine learning. Incomplete validation in `SparseAdd` results in allowing attackers to exploit undefined behavior (dereferencing null pointers) as well as write outside of bounds of heap allocated data. The implementation(https://github.com/tensorflow/tensorflow/blob/656e7673b14acd7835dc778867f84916c6d1cac2/tensorflow/core/kernels/sparse_sparse_binary_op_shared.cc) has a large set of validation for the two sparse tensor inputs (6 tensors in total), but does not validate that the tensors are not empty or that the second dimension of `*_indices` matches the size of corresponding `*_shape`. This allows attackers to send tensor triples that represent invalid sparse tensors to abuse code assumptions that are not protected by validation. The fix will be included in TensorFlow 2.5.0. We will also cherrypick this commit on TensorFlow 2.4.2, TensorFlow 2.3.3, TensorFlow 2.2.3 and TensorFlow 2.1.4, as these are also affected and still in supported range.
CVSS 5.3
CVE-2021-29608 WRITEUP MEDIUM
TensorFlow < 2.1.4 - Heap Buffer Overflow via RaggedTensorToTensor Input Validation
TensorFlow is an end-to-end open source platform for machine learning. Due to lack of validation in `tf.raw_ops.RaggedTensorToTensor`, an attacker can exploit an undefined behavior if input arguments are empty. The implementation(https://github.com/tensorflow/tensorflow/blob/656e7673b14acd7835dc778867f84916c6d1cac2/tensorflow/core/kernels/ragged_tensor_to_tensor_op.cc#L356-L360) only checks that one of the tensors is not empty, but does not check for the other ones. There are multiple `DCHECK` validations to prevent heap OOB, but these are no-op in release builds, hence they don't prevent anything. The fix will be included in TensorFlow 2.5.0. We will also cherrypick these commits on TensorFlow 2.4.2, TensorFlow 2.3.3, TensorFlow 2.2.3 and TensorFlow 2.1.4, as these are also affected and still in supported range.
CVSS 5.3
CVE-2021-29609 WRITEUP MEDIUM
TensorFlow < 2.1.4 - Memory Corruption via SparseAdd Input Validation Bypass
TensorFlow is an end-to-end open source platform for machine learning. Incomplete validation in `SparseAdd` results in allowing attackers to exploit undefined behavior (dereferencing null pointers) as well as write outside of bounds of heap allocated data. The implementation(https://github.com/tensorflow/tensorflow/blob/656e7673b14acd7835dc778867f84916c6d1cac2/tensorflow/core/kernels/sparse_add_op.cc) has a large set of validation for the two sparse tensor inputs (6 tensors in total), but does not validate that the tensors are not empty or that the second dimension of `*_indices` matches the size of corresponding `*_shape`. This allows attackers to send tensor triples that represent invalid sparse tensors to abuse code assumptions that are not protected by validation. The fix will be included in TensorFlow 2.5.0. We will also cherrypick this commit on TensorFlow 2.4.2, TensorFlow 2.3.3, TensorFlow 2.2.3 and TensorFlow 2.1.4, as these are also affected and still in supported range.
CVSS 5.3
CVE-2021-29612 WRITEUP LOW
TensorFlow < 2.1.4 - Heap Buffer Overflow in BandedTriangularSolve
TensorFlow is an end-to-end open source platform for machine learning. An attacker can trigger a heap buffer overflow in Eigen implementation of `tf.raw_ops.BandedTriangularSolve`. The implementation(https://github.com/tensorflow/tensorflow/blob/eccb7ec454e6617738554a255d77f08e60ee0808/tensorflow/core/kernels/linalg/banded_triangular_solve_op.cc#L269-L278) calls `ValidateInputTensors` for input validation but fails to validate that the two tensors are not empty. Furthermore, since `OP_REQUIRES` macro only stops execution of current function after setting `ctx->status()` to a non-OK value, callers of helper functions that use `OP_REQUIRES` must check value of `ctx->status()` before continuing. This doesn't happen in this op's implementation(https://github.com/tensorflow/tensorflow/blob/eccb7ec454e6617738554a255d77f08e60ee0808/tensorflow/core/kernels/linalg/banded_triangular_solve_op.cc#L219), hence the validation that is present is also not effective. The fix will be included in TensorFlow 2.5.0. We will also cherrypick this commit on TensorFlow 2.4.2, TensorFlow 2.3.3, TensorFlow 2.2.3 and TensorFlow 2.1.4, as these are also affected and still in supported range.
CVSS 3.6
CVE-2021-29613 WRITEUP MEDIUM
TensorFlow < 2.1.4 - Out-of-bounds Read in CTCLoss
TensorFlow is an end-to-end open source platform for machine learning. Incomplete validation in `tf.raw_ops.CTCLoss` allows an attacker to trigger an OOB read from heap. The fix will be included in TensorFlow 2.5.0. We will also cherrypick these commits on TensorFlow 2.4.2, TensorFlow 2.3.3, TensorFlow 2.2.3 and TensorFlow 2.1.4, as these are also affected and still in supported range.
CVSS 6.3
CVE-2021-29662 WRITEUP HIGH
Data::Validate::IP <0.29 - Info Disclosure
The Data::Validate::IP module through 0.29 for Perl does not properly consider extraneous zero characters at the beginning of an IP address string, which (in some situations) allows attackers to bypass access control that is based on IP addresses.
CVSS 7.5
CVE-2021-30109 WRITEUP MEDIUM
Froala Editor 3.2.6 - Stored Cross-Site Scripting via Hyperlink Creation Module
Froala Editor 3.2.6 is affected by Cross Site Scripting (XSS). Under certain conditions, a base64 crafted string leads to persistent Cross-site scripting (XSS) vulnerability within the hyperlink creation module.
CVSS 6.1
CVE-2021-30147 WRITEUP HIGH
DMA Softlab Radius Manager 4.4.0 - CSRF
DMA Softlab Radius Manager 4.4.0 allows CSRF with impacts such as adding new manager accounts via admin.php.
CVSS 8.8
CVE-2021-30150 WRITEUP MEDIUM
Composr 10.0.36 - Cross-Site Scripting in XML Script
Composr 10.0.36 allows XSS in an XML script.
CVSS 6.1
CVE-2021-30149 WRITEUP CRITICAL
Composr 10.0.36 - Unauthenticated Arbitrary File Upload
Composr 10.0.36 allows upload and execution of PHP files.
CVSS 9.8
CVE-2021-30502 WRITEUP CRITICAL
Simple Glasgow Haskell Compiler < 0.2.3 - Remote Code Execution via REPL Command Configuration
The unofficial vscode-ghc-simple (aka Simple Glasgow Haskell Compiler) extension before 0.2.3 for Visual Studio Code allows remote code execution via a crafted workspace configuration with replCommand.
CVSS 9.8
CVE-2021-3007 WRITEUP CRITICAL
Laminas Project laminas-http <2.14.2 - Code Injection
Laminas Project laminas-http before 2.14.2, and Zend Framework 3.0.0, has a deserialization vulnerability that can lead to remote code execution if the content is controllable, related to the __destruct method of the Zend\Http\Response\Stream class in Stream.php. NOTE: Zend Framework is no longer supported by the maintainer. NOTE: the laminas-http vendor considers this a "vulnerability in the PHP language itself" but has added certain type checking as a way to prevent exploitation in (unrecommended) use cases where attacker-supplied data can be deserialized
CVSS 9.8
CVE-2021-3007 WRITEUP CRITICAL
Laminas Project laminas-http <2.14.2 - Code Injection
Laminas Project laminas-http before 2.14.2, and Zend Framework 3.0.0, has a deserialization vulnerability that can lead to remote code execution if the content is controllable, related to the __destruct method of the Zend\Http\Response\Stream class in Stream.php. NOTE: Zend Framework is no longer supported by the maintainer. NOTE: the laminas-http vendor considers this a "vulnerability in the PHP language itself" but has added certain type checking as a way to prevent exploitation in (unrecommended) use cases where attacker-supplied data can be deserialized
CVSS 9.8
CVE-2021-3013 WRITEUP CRITICAL
ripgrep < 13.0.0 - Arbitrary Program Execution via -z/--search-zip or --pre Flag
ripgrep before 13 on Windows allows attackers to trigger execution of arbitrary programs from the current working directory via the -z/--search-zip or --pre flag.
CVSS 9.8
CVE-2021-3018 WRITEUP CRITICAL
ipeak Infosystems ibexwebCMS <3.5 - SQL Injection
ipeak Infosystems ibexwebCMS (aka IPeakCMS) 3.5 is vulnerable to an unauthenticated Boolean-based SQL injection via the id parameter on the /cms/print.php page.
CVSS 9.8
CVE-2021-3019 WRITEUP HIGH
lanproxy 0.1 - Path Traversal and Credential Exposure via config.properties
ffay lanproxy 0.1 allows Directory Traversal to read /../conf/config.properties to obtain credentials for a connection to the intranet.
CVSS 7.5
CVE-2021-31245 WRITEUP MEDIUM
openmptcprouter < 0.57.3 - Timing Attack via Password Length Comparison
omr-admin.py in openmptcprouter-vps-admin 0.57.3 and earlier compares the user provided password with the original password in a length dependent manner, which allows remote attackers to guess the password via a timing attack.
CVSS 5.9
CVE-2021-31294 WRITEUP MEDIUM
Redis < 6.2.0 - Reachable Assertion via Replica SET Command
Redis before 6cbea7d allows a replica to cause an assertion failure in a primary server by sending a non-administrative command (specifically, a SET command). NOTE: this was fixed for Redis 6.2.x and 7.x in 2021. Versions before 6.2 were not intended to have safety guarantees related to this.
CVSS 5.9
CVE-2021-31542 WRITEUP HIGH
Django 2.2-2.2.20, 3.1-3.1.8, 3.2-3.2.0 - Path Traversal via Uploaded File Name
In Django 2.2 before 2.2.21, 3.1 before 3.1.9, and 3.2 before 3.2.1, MultiPartParser, UploadedFile, and FieldFile allowed directory traversal via uploaded files with suitably crafted file names.
CVSS 7.5
CVE-2021-31585 WRITEUP MEDIUM
Accellion Kiteworks <7.3.1 - Privilege Escalation
Accellion Kiteworks before 7.3.1 allows a user with Admin privileges to escalate their privileges by generating SSH passwords that allow local access.
CVSS 6.7
CVE-2021-31586 WRITEUP HIGH
Kiteworks < 7.4.0 - Authenticated SQL Injection via LDAPGroup Search
Accellion Kiteworks before 7.4.0 allows an authenticated user to perform SQL Injection via LDAPGroup Search.
CVSS 8.8
CVE-2021-31590 WRITEUP HIGH
pwndoc < 0.4.0 - Incorrect Access Control via JSON Webtoken Handling
PwnDoc all versions until 0.4.0 (2021-08-23) has incorrect JSON Webtoken handling, leading to incorrect access control. With a valid JSON Webtoken that is used for authentication and authorization, a user can keep his admin privileges even if he is downgraded to the "user" privilege. Even after a user's account is deleted, the user can still access the administration panel (and add or delete users) and has complete access to the system.
CVSS 8.8
CVE-2021-31678 WRITEUP MEDIUM
PESCMS-V2.3.3 - Cross-Site Request Forgery
An issue was discovered in PESCMS-V2.3.3. There is a CSRF vulnerability that can delete import information about a user's company.
CVSS 6.5
CVE-2021-31800 WRITEUP CRITICAL
Impacket < 0.9.22 - Path Traversal and Arbitrary File Write via SMB Server
Multiple path traversal vulnerabilities exist in smbserver.py in Impacket through 0.9.22. An attacker that connects to a running smbserver instance can list and write to arbitrary files via ../ directory traversal. This could potentially be abused to achieve arbitrary code execution by replacing /etc/shadow or an SSH authorized key.
CVSS 9.8