Writeup Exploits
63,622 exploits tracked across all sources.
Webmin < 1.920 - Authenticated Remote Code Execution via unserialise_variable Eval Call
rpc.cgi in Webmin through 1.920 allows authenticated Remote Code Execution via a crafted object name because unserialise_variable makes an eval call. NOTE: the Webmin_Servers_Index documentation states "RPC can be used to run any command or modify any file on a server, which is why access to it must not be granted to un-trusted Webmin users."
CVSS 8.8
Webmin < 1.850 - Cross-Site Scripting via sec Parameter to view_man.cgi
Multiple Cross-site scripting (XSS) vulnerabilities in Webmin before 1.850 allow remote attackers to inject arbitrary web script or HTML via the sec parameter to view_man.cgi, the referers parameter to change_referers.cgi, or the name parameter to save_user.cgi. NOTE: these issues were not fixed in 1.840.
CVSS 6.1
Webmin < 1.860 - Stored Cross-Site Scripting and Remote Code Execution via File Manager Download from Remote URL
Webmin before 1.860 has XSS with resultant remote code execution. Under the 'Others/File Manager' menu, there is a 'Download from remote URL' option to download a file from a remote server. After setting up a malicious server, one can wait for a file download request and then send an XSS payload that will lead to Remote Code Execution, as demonstrated by an OS command in the value attribute of a name='cmd' input element.
CVSS 6.1
CVE-2012-2983
WRITEUP
Webmin < 1.590 - Unauthenticated Arbitrary File Read via file/edit_html.cgi
file/edit_html.cgi in Webmin 1.590 and earlier does not perform an authorization check before showing a file's unedited contents, which allows remote attackers to read arbitrary files via the file field.
CVE-2012-2982
WRITEUP
Webmin < 1.590 - Authenticated Remote Command Execution via Invalid Pathname Character
file/show.cgi in Webmin 1.590 and earlier allows remote authenticated users to execute arbitrary commands via an invalid character in a pathname, as demonstrated by a | (pipe) character.
Impacket < 0.9.22 - Path Traversal and Arbitrary File Write via SMB Server
Multiple path traversal vulnerabilities exist in smbserver.py in Impacket through 0.9.22. An attacker that connects to a running smbserver instance can list and write to arbitrary files via ../ directory traversal. This could potentially be abused to achieve arbitrary code execution by replacing /etc/shadow or an SSH authorized key.
CVSS 9.8
SysAid 20.4.74 - Unauthenticated Stored Cross-Site Scripting via KeepAlive.jsp stamp Parameter
SysAid 20.4.74 allows XSS via the KeepAlive.jsp stamp parameter without any authentication.
CVSS 6.1
Concrete CMS < 8.5.5 - Stored Cross-Site Scripting via Express Entries Dashboard Name Field
The Express Entries Dashboard in Concrete5 8.5.4 allows stored XSS via the name field of a new data object at an index.php/dashboard/express/entries/view/ URI.
CVSS 4.8
NCR Command Center Agent 16.3 - Unauthenticated Remote Code Execution via runCommand Parameter
CMCAgent in NCR Command Center Agent 16.3 on Aloha POS/BOH servers permits the submission of a runCommand parameter (within an XML document sent to port 8089) that enables the remote, unauthenticated execution of an arbitrary command as SYSTEM, as exploited in the wild in 2020 and/or 2021. NOTE: the vendor's position is that exploitation occurs only on devices with a certain "misconfiguration."
CVSS 9.8
Discourse 2.7.0-beta1 - Two-Factor Authentication Bypass via Rate-Limit Bypass
In Discourse 2.7.0 through beta1, a rate-limit bypass leads to a bypass of the 2FA requirement for certain forms.
CVSS 7.5
snapd < 2.54.3 - Unprotected User Data Exposure via Home Directory Permissions
snapd 2.54.2 and earlier created ~/snap directories in user home directories without specifying owner-only permissions. This could allow a local attacker to read information that should have been private. Fixed in snapd versions 2.54.3+18.04, 2.54.3+20.04 and 2.54.3+21.10.1
CVSS 3.8
ChurchRota 2.6.4 - Authenticated Remote Code Execution via File Upload
ChurchRota 2.6.4 is vulnerable to authenticated remote code execution. The user does not need to have file upload permission in order to upload and execute an arbitrary file via a POST request to resources.php.
CVSS 8.8
ASUS DSL-N14U-B1 1.1.2.3_805 - Unrestricted Firmware Upload via Settings_DSL-N14U-B1.trx
An issue was discovered on ASUS DSL-N14U-B1 1.1.2.3_805 devices. An attacker can upload arbitrary file content as a firmware update when the filename Settings_DSL-N14U-B1.trx is used. Once this file is loaded, shutdown measures on a wide range of services are triggered as if it were a real update, resulting in a persistent outage of those services.
CVSS 7.5
Mutt < 2.0.4 - Denial of Service via Semicolon Sequence in RFC822 Address Fields
rfc822.c in Mutt through 2.0.4 allows remote attackers to cause a denial of service (mailbox unavailability) by sending email messages with sequences of semicolon characters in RFC822 address fields (aka terminators of empty groups). A small email message from the attacker can cause large memory consumption, and the victim may then be unable to see email messages from other persons.
CVSS 6.5
Mutt 1.11.0-2.0.6 and NeoMutt 20191025-20210504 - Out-of-bounds Read in IMAP Sequence Set Handling
Mutt 1.11.0 through 2.0.x before 2.0.7 (and NeoMutt 2019-10-25 through 2021-05-04) has a $imap_qresync issue in which imap/util.c has an out-of-bounds read in situations where an IMAP sequence set ends with a comma. NOTE: the $imap_qresync setting for QRESYNC is not enabled by default.
CVSS 9.1
Maian Cart 3.8 - Unauthenticated Remote Code Execution via Elfinder Plugin
Maian Cart v3.8 contains a preauthorization remote code execution (RCE) exploit via a broken access control issue in the Elfinder plugin.
CVSS 9.8
Linux Kernel < 5.12.2 - Race Condition in HCI Controller Removal
net/bluetooth/hci_request.c in the Linux kernel through 5.12.2 has a race condition for removal of the HCI controller.
CVSS 7.0
Craft CMS < 3.6.13 - Cross-Site Scripting
Craft CMS before 3.6.13 has an XSS vulnerability.
CVSS 6.1
Archive_Tar < 1.4.14 - Directory Traversal via Symlink Extraction
In Archive_Tar before 1.4.14, symlinks can refer to targets outside of the extracted archive, a different vulnerability than CVE-2020-36193.
CVSS 7.1
nimble-project common - Authentication Bypass via JWT Signature Spoofing
Common is a package of common modules that can be accessed by NIMBLE services. Common before commit number 3b96cb0293d3443b870351945f41d7d55cb34b53 did not properly verify the signature of JSON Web Tokens. This allows someone to forge a valid JWT. Being able to forge JWTs may lead to authentication bypasses. Commit number 3b96cb0293d3443b870351945f41d7d55cb34b53 contains a patch for the issue. As a workaround, one may use the parseClaimsJws method to correctly verify the signature of a JWT.
CVSS 6.5
Github codeql_action < 20210304 - Sensitive Information Exposure via Command-Line Argument
Github's CodeQL action is provided to run CodeQL-based code scanning on non-GitHub CI/CD systems and requires a GitHub access token to connect to a GitHub repository. The runner and its documentation previously suggested passing the GitHub token as a command-line parameter to the process instead of reading it from a file, standard input, or an environment variable. This approach made the token visible to other processes on the same machine, for example in the output of the `ps` command. If the CI system publicly exposes the output of `ps`, for example by logging the output, then the GitHub access token can be exposed beyond the scope intended. Users of the CodeQL runner on 3rd-party systems, who are passing a GitHub token via the `--github-auth` flag, are affected. This applies to both GitHub.com and GitHub Enterprise users. Users of the CodeQL Action on GitHub Actions are not affected. The `--github-auth` flag is now considered insecure and deprecated. The undocumented `--external-repository-token` flag has been removed. To securely provide a GitHub access token to the CodeQL runner, users should **do one of the following instead**: Use the `--github-auth-stdin` flag and pass the token on the command line via standard input OR set the `GITHUB_TOKEN` environment variable to contain the token, then call the command without passing in the token. The old flag remains present for backwards compatibility with existing workflows. If the user tries to specify an access token using the `--github-auth` flag, there is a deprecation warning printed to the terminal that directs the user to one of the above options. All CodeQL runner releases codeql-bundle-20210304 onwards contain the patches. We recommend updating to a recent version of the CodeQL runner, storing a token in your CI system's secret storage mechanism, and passing the token to the CodeQL runner using `--github-auth-stdin` or the `GITHUB_TOKEN` environment variable. If still using the old flag, ensure that process output, such as from `ps`, is not persisted in CI logs.
CVSS 4.4
Emissary < 6.4.0 - Server-Side Request Forgery via RegisterPeerAction and AddChildDirectoryAction Endpoints
Emissary is a P2P-based, data-driven workflow engine. Emissary version 6.4.0 is vulnerable to Server-Side Request Forgery (SSRF). In particular, the `RegisterPeerAction` endpoint and the `AddChildDirectoryAction` endpoint are vulnerable to SSRF. This vulnerability may lead to credential leaks. Emissary version 7.0 contains a patch. As a workaround, disable network access to Emissary from untrusted sources.
CVSS 7.2
Ampache 4.x.y - Authenticated Code Injection in random.php
Ampache is an open source web based audio/video streaming application and file manager. Due to a lack of input filtering versions 4.x.y are vulnerable to code injection in random.php. The attack requires user authentication to access the random.php page unless the site is running in demo mode. This issue has been resolved in 4.4.3.
CVSS 6.4
October CMS < 1.1.5 and System < 1.0.472 - Authentication Bypass via Password Reset
octobercms in a CMS platform based on the Laravel PHP Framework. In affected versions of the october/system package an attacker can request an account password reset and then gain access to the account using a specially crafted request. The issue has been patched in Build 472 and v1.1.5.
CVSS 8.2
iTop < 2.6.5 - Unauthenticated Server-Side Request Forgery
iTop is an open source web based IT Service Management tool. In affected versions an attacker can call the system setup without authentication. Given specific parameters this can lead to SSRF. This issue has been resolved in versions 2.6.5 and 2.7.5 and later
CVSS 8.7
By Source