Writeup Exploits
63,530 exploits tracked across all sources.
Webmin 2.001 - Cross-Site Scripting in xterm/index.cgi
A vulnerability, which was classified as problematic, was found in Webmin 2.001. Affected is an unknown function of the file xterm/index.cgi. The manipulation leads to basic cross site scripting. It is possible to launch the attack remotely. Upgrading to version 2.003 is able to address this issue. The patch is identified as d3d33af3c0c3fd3a889c84e287a038b7a457d811. It is recommended to upgrade the affected component. VDB-212862 is the identifier assigned to this vulnerability.
CVSS 3.5
Webmin < 1.997 - Remote Code Execution via Unescaped UI Command
software/apt-lib.pl in Webmin before 1.997 lacks HTML escaping for a UI command.
CVSS 9.8
Webmin < 1.991 - Remote Code Execution via Authentic Theme File Parameter
Webmin through 1.991, when the Authentic theme is used, allows remote code execution when a user has been manually created (i.e., not created in Virtualmin or Cloudmin). This occurs because settings-editor_write.cgi does not properly restrict the file parameter.
CVSS 8.8
Webmin < 1.991 - Remote Code Execution via Authentic Theme File Parameter
Webmin through 1.991, when the Authentic theme is used, allows remote code execution when a user has been manually created (i.e., not created in Virtualmin or Cloudmin). This occurs because settings-editor_write.cgi does not properly restrict the file parameter.
CVSS 8.8
Webmin 1.973 - Cross-Site Request Forgery via User Addition Feature
Webmin 1.973 is affected by Cross Site Request Forgery (CSRF) to create a privileged user through Webmin's add users feature, and then get a reverse shell through Webmin's running process feature.
CVSS 8.8
Webmin 1.973 - Reflected Cross-Site Scripting to Remote Command Execution via Running Process Feature
Webmin 1.973 is affected by reflected Cross Site Scripting (XSS) to achieve Remote Command Execution through Webmin's running process feature.
CVSS 9.6
Webmin 1.973 - Cross-Site Request Forgery to Remote Command Execution via Running Process Feature
Webmin 1.973 is affected by Cross Site Request Forgery (CSRF) to achieve Remote Command Execution (RCE) through Webmin's running process feature.
CVSS 8.8
Webmin < 1.920 - Authenticated Remote Code Execution via unserialise_variable Eval Call
rpc.cgi in Webmin through 1.920 allows authenticated Remote Code Execution via a crafted object name because unserialise_variable makes an eval call. NOTE: the Webmin_Servers_Index documentation states "RPC can be used to run any command or modify any file on a server, which is why access to it must not be granted to un-trusted Webmin users."
CVSS 8.8
Webmin < 1.920 - Authenticated Remote Code Execution via unserialise_variable Eval Call
rpc.cgi in Webmin through 1.920 allows authenticated Remote Code Execution via a crafted object name because unserialise_variable makes an eval call. NOTE: the Webmin_Servers_Index documentation states "RPC can be used to run any command or modify any file on a server, which is why access to it must not be granted to un-trusted Webmin users."
CVSS 8.8
Webmin < 1.850 - Cross-Site Scripting via sec Parameter to view_man.cgi
Multiple Cross-site scripting (XSS) vulnerabilities in Webmin before 1.850 allow remote attackers to inject arbitrary web script or HTML via the sec parameter to view_man.cgi, the referers parameter to change_referers.cgi, or the name parameter to save_user.cgi. NOTE: these issues were not fixed in 1.840.
CVSS 6.1
Webmin < 1.860 - Stored Cross-Site Scripting and Remote Code Execution via File Manager Download from Remote URL
Webmin before 1.860 has XSS with resultant remote code execution. Under the 'Others/File Manager' menu, there is a 'Download from remote URL' option to download a file from a remote server. After setting up a malicious server, one can wait for a file download request and then send an XSS payload that will lead to Remote Code Execution, as demonstrated by an OS command in the value attribute of a name='cmd' input element.
CVSS 6.1
CVE-2012-2983
WRITEUP
Webmin < 1.590 - Unauthenticated Arbitrary File Read via file/edit_html.cgi
file/edit_html.cgi in Webmin 1.590 and earlier does not perform an authorization check before showing a file's unedited contents, which allows remote attackers to read arbitrary files via the file field.
CVE-2012-2982
WRITEUP
Webmin < 1.590 - Authenticated Remote Command Execution via Invalid Pathname Character
file/show.cgi in Webmin 1.590 and earlier allows remote authenticated users to execute arbitrary commands via an invalid character in a pathname, as demonstrated by a | (pipe) character.
Impacket < 0.9.22 - Path Traversal and Arbitrary File Write via SMB Server
Multiple path traversal vulnerabilities exist in smbserver.py in Impacket through 0.9.22. An attacker that connects to a running smbserver instance can list and write to arbitrary files via ../ directory traversal. This could potentially be abused to achieve arbitrary code execution by replacing /etc/shadow or an SSH authorized key.
CVSS 9.8
SysAid 20.4.74 - Unauthenticated Stored Cross-Site Scripting via KeepAlive.jsp stamp Parameter
SysAid 20.4.74 allows XSS via the KeepAlive.jsp stamp parameter without any authentication.
CVSS 6.1
Concrete CMS < 8.5.5 - Stored Cross-Site Scripting via Express Entries Dashboard Name Field
The Express Entries Dashboard in Concrete5 8.5.4 allows stored XSS via the name field of a new data object at an index.php/dashboard/express/entries/view/ URI.
CVSS 4.8
NCR Command Center Agent 16.3 - Unauthenticated Remote Code Execution via runCommand Parameter
CMCAgent in NCR Command Center Agent 16.3 on Aloha POS/BOH servers permits the submission of a runCommand parameter (within an XML document sent to port 8089) that enables the remote, unauthenticated execution of an arbitrary command as SYSTEM, as exploited in the wild in 2020 and/or 2021. NOTE: the vendor's position is that exploitation occurs only on devices with a certain "misconfiguration."
CVSS 9.8
Discourse 2.7.0-beta1 - Two-Factor Authentication Bypass via Rate-Limit Bypass
In Discourse 2.7.0 through beta1, a rate-limit bypass leads to a bypass of the 2FA requirement for certain forms.
CVSS 7.5
snapd < 2.54.3 - Unprotected User Data Exposure via Home Directory Permissions
snapd 2.54.2 and earlier created ~/snap directories in user home directories without specifying owner-only permissions. This could allow a local attacker to read information that should have been private. Fixed in snapd versions 2.54.3+18.04, 2.54.3+20.04 and 2.54.3+21.10.1
CVSS 3.8
ChurchRota 2.6.4 - Authenticated Remote Code Execution via File Upload
ChurchRota 2.6.4 is vulnerable to authenticated remote code execution. The user does not need to have file upload permission in order to upload and execute an arbitrary file via a POST request to resources.php.
CVSS 8.8
ASUS DSL-N14U-B1 1.1.2.3_805 - Unrestricted Firmware Upload via Settings_DSL-N14U-B1.trx
An issue was discovered on ASUS DSL-N14U-B1 1.1.2.3_805 devices. An attacker can upload arbitrary file content as a firmware update when the filename Settings_DSL-N14U-B1.trx is used. Once this file is loaded, shutdown measures on a wide range of services are triggered as if it were a real update, resulting in a persistent outage of those services.
CVSS 7.5
Mutt < 2.0.4 - Denial of Service via Semicolon Sequence in RFC822 Address Fields
rfc822.c in Mutt through 2.0.4 allows remote attackers to cause a denial of service (mailbox unavailability) by sending email messages with sequences of semicolon characters in RFC822 address fields (aka terminators of empty groups). A small email message from the attacker can cause large memory consumption, and the victim may then be unable to see email messages from other persons.
CVSS 6.5
Mutt 1.11.0-2.0.6 and NeoMutt 20191025-20210504 - Out-of-bounds Read in IMAP Sequence Set Handling
Mutt 1.11.0 through 2.0.x before 2.0.7 (and NeoMutt 2019-10-25 through 2021-05-04) has a $imap_qresync issue in which imap/util.c has an out-of-bounds read in situations where an IMAP sequence set ends with a comma. NOTE: the $imap_qresync setting for QRESYNC is not enabled by default.
CVSS 9.1
Maian Cart 3.8 - Unauthenticated Remote Code Execution via Elfinder Plugin
Maian Cart v3.8 contains a preauthorization remote code execution (RCE) exploit via a broken access control issue in the Elfinder plugin.
CVSS 9.8
Linux Kernel < 5.12.2 - Race Condition in HCI Controller Removal
net/bluetooth/hci_request.c in the Linux kernel through 5.12.2 has a race condition for removal of the HCI controller.
CVSS 7.0
By Source