Writeup Exploits

63,622 exploits tracked across all sources.

Sort: Activity Stars
CVE-2021-32852 WRITEUP MEDIUM
Countly Server < 21.11 - Stored Cross-Site Scripting via Password Reset Page
Countly, a product analytics solution, is vulnerable to cross-site scripting prior to version 21.11 of the community edition. The victim must follow a malicious link or be redirected there from malicious web site. The attacker must have an account or be able to create one. This issue is patched in version 21.11.
CVSS 5.4
CVE-2021-32853 WRITEUP MEDIUM
erxes < 0.22.3 - Cross-Site Scripting via Widget Renderer
Erxes, an experience operating system (XOS) with a set of plugins, is vulnerable to cross-site scripting in versions 0.22.3 and prior. This results in client-side code execution. The victim must follow a malicious link or be redirected there from malicious web site. There are no known patches.
CVSS 6.1
CVE-2021-3210 WRITEUP CRITICAL
BloodHound <= 4.0.1 - Remote Code Execution via Malicious Data File Import
components/Modals/HelpTexts/GenericAll/GenericAll.jsx in Bloodhound <= 4.0.1 allows remote attackers to execute arbitrary system commands when the victim imports a malicious data file containing JavaScript in the objectId parameter.
CVSS 9.6
CVE-2021-3239 WRITEUP CRITICAL
E-Learning System 1.0 - SQL Injection
E-Learning System 1.0 suffers from an unauthenticated SQL injection vulnerability, which allows remote attackers to execute arbitrary code on the hosting web server and gain a reverse shell.
CVSS 9.8
CVE-2021-3291 WRITEUP HIGH
Zen Cart 1.5.7b - Command Injection
Zen Cart 1.5.7b allows admins to execute arbitrary OS commands by inspecting an HTML radio input element (within the modules edit page) and inserting a command.
CVSS 7.2
CVE-2021-33040 WRITEUP MEDIUM
epub.js < 0.3.89 - Cross-Site Scripting in iframe.js
managers/views/iframe.js in FuturePress EPub.js before 0.3.89 allows XSS.
CVSS 6.1
CVE-2021-33318 WRITEUP CRITICAL
Joel Christner .NET C# packages - Input Validation Vulnerability
An Input Validation Vulnerability exists in Joel Christner .NET C# packages WatsonWebserver, IpMatcher 1.0.4.1 and below (IpMatcher) and 4.1.3 and below (WatsonWebserver) due to insufficient validation of input IP addresses and netmasks against the internal Matcher list of IP addresses and subnets.
CVSS 9.8
CVE-2021-33318 WRITEUP CRITICAL
Joel Christner .NET C# packages - Input Validation Vulnerability
An Input Validation Vulnerability exists in Joel Christner .NET C# packages WatsonWebserver, IpMatcher 1.0.4.1 and below (IpMatcher) and 4.1.3 and below (WatsonWebserver) due to insufficient validation of input IP addresses and netmasks against the internal Matcher list of IP addresses and subnets.
CVSS 9.8
CVE-2021-33356 WRITEUP HIGH
RaspAP <2.6.5 - Privilege Escalation
Multiple privilege escalation vulnerabilities in RaspAP 1.5 to 2.6.5 could allow an authenticated remote attacker to inject arbitrary commands to /installers/common.sh component that can result in remote command execution with root privileges.
CVSS 8.8
CVE-2021-33356 WRITEUP HIGH
RaspAP <2.6.5 - Privilege Escalation
Multiple privilege escalation vulnerabilities in RaspAP 1.5 to 2.6.5 could allow an authenticated remote attacker to inject arbitrary commands to /installers/common.sh component that can result in remote command execution with root privileges.
CVSS 8.8
CVE-2021-33357 WRITEUP CRITICAL
RaspAP 2.6-2.6.5 - Unauthenticated OS Command Injection via iface GET Parameter
A vulnerability exists in RaspAP 2.6 to 2.6.5 in the "iface" GET parameter in /ajax/networking/get_netcfg.php, when the "iface" parameter value contains special characters such as ";" which enables an unauthenticated attacker to execute arbitrary OS commands.
CVSS 9.8
CVE-2021-33358 WRITEUP HIGH
RaspAP 2.3-2.6.5 - Authenticated OS Command Injection via Interface/SSID/WPA Passphrase Parameters
Multiple vulnerabilities exist in RaspAP 2.3 to 2.6.5 in the "interface", "ssid" and "wpa_passphrase" POST parameters in /hostapd, when the parameter values contain special characters such as ";" or "$()" which enables an authenticated attacker to execute arbitrary OS commands.
CVSS 8.8
CVE-2021-33358 WRITEUP HIGH
RaspAP 2.3-2.6.5 - Authenticated OS Command Injection via Interface/SSID/WPA Passphrase Parameters
Multiple vulnerabilities exist in RaspAP 2.3 to 2.6.5 in the "interface", "ssid" and "wpa_passphrase" POST parameters in /hostapd, when the parameter values contain special characters such as ";" or "$()" which enables an authenticated attacker to execute arbitrary OS commands.
CVSS 8.8
CVE-2021-33393 WRITEUP HIGH
IPFire 2.25-core155 - Privilege Escalation
lfs/backup in IPFire 2.25-core155 does not ensure that /var/ipfire/backup/bin/backup.pl is owned by the root account. It might be owned by an unprivileged account, which could potentially be used to install a Trojan horse backup.pl script that is later executed by root. Similar problems with the ownership/permissions of other files may be present as well.
CVSS 8.8
CVE-2021-33393 WRITEUP HIGH
IPFire 2.25-core155 - Privilege Escalation
lfs/backup in IPFire 2.25-core155 does not ensure that /var/ipfire/backup/bin/backup.pl is owned by the root account. It might be owned by an unprivileged account, which could potentially be used to install a Trojan horse backup.pl script that is later executed by root. Similar problems with the ownership/permissions of other files may be present as well.
CVSS 8.8
CVE-2021-33393 WRITEUP HIGH
IPFire 2.25-core155 - Privilege Escalation
lfs/backup in IPFire 2.25-core155 does not ensure that /var/ipfire/backup/bin/backup.pl is owned by the root account. It might be owned by an unprivileged account, which could potentially be used to install a Trojan horse backup.pl script that is later executed by root. Similar problems with the ownership/permissions of other files may be present as well.
CVSS 8.8
CVE-2021-33564 WRITEUP CRITICAL
Dragonfly <1.4.0 - Command Injection
An argument injection vulnerability in the Dragonfly gem before 1.4.0 for Ruby allows remote attackers to read and write to arbitrary files via a crafted URL when the verify_url option is disabled. This may lead to code execution. The problem occurs because the generate and process features mishandle use of the ImageMagick convert utility.
CVSS 9.8
CVE-2021-33570 WRITEUP MEDIUM
Postbird 0.8.4 - Stored Cross-Site Scripting via IMG onerror Attribute
Postbird 0.8.4 allows stored XSS via the onerror attribute of an IMG element in any PostgreSQL database table. This can result in reading local files via vectors involving XMLHttpRequest and open of a file:/// URL, or discovering PostgreSQL passwords via vectors involving Window.localStorage and savedConnections.
CVSS 5.4
CVE-2021-33571 WRITEUP HIGH
Django <2.2.24, <3.1.12, <3.2.4 - Info Disclosure
In Django 2.2 before 2.2.24, 3.x before 3.1.12, and 3.2 before 3.2.4, URLValidator, validate_ipv4_address, and validate_ipv46_address do not prohibit leading zero characters in octal literals. This may allow a bypass of access control that is based on IP addresses. (validate_ipv4_address and validate_ipv46_address are unaffected with Python 3.9.5+..) .
CVSS 7.5
CVE-2021-33624 WRITEUP MEDIUM
Linux kernel <5.12.13 - Memory Corruption
In kernel/bpf/verifier.c in the Linux kernel before 5.12.13, a branch can be mispredicted (e.g., because of type confusion) and consequently an unprivileged BPF program can read arbitrary memory locations via a side-channel attack, aka CID-9183671af6db.
CVSS 4.7
CVE-2021-33904 WRITEUP MEDIUM
Accela Civic Platform < 21.1 - Cross-Site Scripting via servProvCode Parameter
In Accela Civic Platform through 21.1, the security/hostSignon.do parameter servProvCode is vulnerable to XSS. NOTE: The vendor states "there are configurable security flags and we are unable to reproduce them with the available information.
CVSS 6.1
CVE-2021-33909 WRITEUP HIGH
Linux Kernel 3.16-5.13.x < 5.13.4 - Integer Overflow and Out-of-bounds Write in seq_file
fs/seq_file.c in the Linux kernel 3.16 through 5.13.x before 5.13.4 does not properly restrict seq buffer allocations, leading to an integer overflow, an Out-of-bounds Write, and escalation to root by an unprivileged user, aka CID-8cae8cd89f05.
CVSS 7.8
CVE-2021-33910 WRITEUP MEDIUM
systemd < 246.15 - Denial of Service via Excessive Pathname Allocation
basic/unit-name.c in systemd prior to 246.15, 247.8, 248.5, and 249.1 has a Memory Allocation with an Excessive Size Value (involving strdupa and alloca for a pathname controlled by a local attacker) that results in an operating system crash.
CVSS 5.5
CVE-2021-33990 WRITEUP CRITICAL
Liferay Portal 6.2.5 - OS Command Injection via File Upload Request
Liferay Portal 6.2.5 allows Command=FileUpload&Type=File&CurrentFolder=/ requests when frmfolders.html exists. NOTE: The vendor disputes this issue because the exploit reference link only shows frmfolders.html is accessible and does not demonstrate how an unauthorized user can upload a file.
CVSS 9.8
CVE-2021-3355 WRITEUP MEDIUM
LightCMS 1.3.4 - Stored Cross-Site Scripting in Title Field to /admin/SensitiveWords
A stored-self XSS exists in LightCMS v1.3.4, allowing an attacker to execute HTML or JavaScript code in a vulnerable Title field to /admin/SensitiveWords.
CVSS 5.4