Writeup Exploits

63,622 exploits tracked across all sources.

Sort: Activity Stars
CVE-2021-3395 WRITEUP MEDIUM
Pryaniki 6.44.3 - Authenticated Stored Cross-Site Scripting via File Upload
A cross-site scripting (XSS) vulnerability in Pryaniki 6.44.3 allows remote authenticated users to upload an arbitrary file. The JavaScript code will execute when someone visits the attachment.
CVSS 5.4
CVE-2021-34083 WRITEUP HIGH
google-it < 1.6.2 - Remote Code Execution via Open in Browser Option
Google-it is a Node.js package which allows its users to send search queries to Google and receive the results in a JSON format. When using the 'Open in browser' option in versions up to 1.6.2, google-it will unsafely concat the result's link retrieved from google to a shell command, potentially exposing the server to RCE.
CVSS 8.1
CVE-2021-34369 WRITEUP MEDIUM
Accela Civic Platform <20.1 - Info Disclosure
portlets/contact/ref/refContactDetail.do in Accela Civic Platform through 20.1 allows remote attackers to obtain sensitive information via a modified contactSeqNumber value. NOTE: the vendor states "the information that is being queried is authorized for an authenticated user of that application, so we consider this not applicable.
CVSS 6.5
CVE-2021-34370 WRITEUP MEDIUM
Accela Civic Platform <= 20.1 - Cross-Site Scripting via ssoAdapter/logoutAction.do successURL Parameter
Accela Civic Platform through 20.1 allows ssoAdapter/logoutAction.do successURL XSS. NOTE: the vendor states "there are configurable security flags and we are unable to reproduce them with the available information.
CVSS 6.1
CVE-2021-35206 WRITEUP MEDIUM
Gitpod < 0.6.0 - Unvalidated Redirect
Gitpod before 0.6.0 allows unvalidated redirects.
CVSS 6.1
CVE-2021-35397 WRITEUP HIGH
drogon 1.0.0-beta14-1.6.0 - Unauthenticated Path Traversal in Static Router
A path traversal vulnerability in the static router for Drogon from 1.0.0-beta14 to 1.6.0 could allow an unauthenticated, remote attacker to arbitrarily read files. The vulnerability is due to lack of proper input validation for requested path. An attacker could exploit this vulnerability by sending crafted HTTP request with specific path to read. Successful exploitation could allow the attacker to read files that should be restricted.
CVSS 7.5
CVE-2021-35414 WRITEUP CRITICAL
Chamilo LMS 1.11.0-1.11.16 - Unauthenticated SQL Injection via doc Parameter
Chamilo LMS v1.11.x was discovered to contain a SQL injection via the doc parameter in main/plagiarism/compilatio/upload.php.
CVSS 9.8
CVE-2021-35475 WRITEUP MEDIUM
SAS Environment Manager 2.5 - Stored Cross-Site Scripting via Server Name Field
SAS Environment Manager 2.5 allows XSS through the Name field when creating/editing a server. The XSS will prompt when editing the Configuration Properties.
CVSS 5.4
CVE-2021-35958 WRITEUP CRITICAL
TensorFlow < 2.5.0 - Arbitrary File Write via tf.keras.utils.get_file
TensorFlow through 2.5.0 allows attackers to overwrite arbitrary files via a crafted archive when tf.keras.utils.get_file is used with extract=True. NOTE: the vendor's position is that tf.keras.utils.get_file is not intended for untrusted archives
CVSS 9.1
CVE-2021-3509 WRITEUP MEDIUM
Red Hat Ceph Storage 4 - Info Disclosure
A flaw was found in Red Hat Ceph Storage 4, in the Dashboard component. In response to CVE-2020-27839, the JWT token was moved from localStorage to an httpOnly cookie. However, token cookies are used in the body of the HTTP response for the documentation, which again makes it available to XSS.The greatest threat to the system is for confidentiality, integrity, and availability.
CVSS 6.1
CVE-2021-3527 WRITEUP MEDIUM
QEMU < 6.0.0 - Denial of Service via USB Redirector Device Stack Allocation
A flaw was found in the USB redirector device (usb-redir) of QEMU. Small USB packets are combined into a single, large transfer request, to reduce the overhead and improve performance. The combined size of the bulk transfer is used to dynamically allocate a variable length array (VLA) on the stack without proper validation. Since the total size is not bounded, a malicious guest could use this flaw to influence the array length and cause the QEMU process to perform an excessive allocation on the stack, resulting in a denial of service.
CVSS 5.5
CVE-2021-36370 WRITEUP HIGH
Midnight Commander <4.8.26 - Info Disclosure
An issue was discovered in Midnight Commander through 4.8.26. When establishing an SFTP connection, the fingerprint of the server is neither checked nor displayed. As a result, a user connects to the server without the ability to verify its authenticity.
CVSS 7.5
CVE-2021-36711 WRITEUP CRITICAL
OctoBot < 0.4.4 - Remote Code Execution via Tentacles Upload
WebInterface in OctoBot before 0.4.4 allows remote code execution because Tentacles upload is mishandled.
CVSS 9.8
CVE-2021-36711 WRITEUP CRITICAL
OctoBot < 0.4.4 - Remote Code Execution via Tentacles Upload
WebInterface in OctoBot before 0.4.4 allows remote code execution because Tentacles upload is mishandled.
CVSS 9.8
CVE-2021-36740 WRITEUP MEDIUM
Varnish-cache Varnish Cache < 6.0.8 - HTTP Request Smuggling
Varnish Cache, with HTTP/2 enabled, allows request smuggling and VCL authorization bypass via a large Content-Length header for a POST request. This affects Varnish Enterprise 6.0.x before 6.0.8r3, and Varnish Cache 5.x and 6.x before 6.5.2, 6.6.x before 6.6.1, and 6.0 LTS before 6.0.8.
CVSS 6.5
CVE-2021-36977 WRITEUP MEDIUM
matio 1.5.20-1.5.21 - Heap-Based Buffer Overflow via HDF5 Memory Copy
matio (aka MAT File I/O Library) 1.5.20 and 1.5.21 has a heap-based buffer overflow in H5MM_memcpy (called from H5MM_malloc and H5C_load_entry), related to use of HDF5 1.12.0.
CVSS 6.5
CVE-2021-36980 WRITEUP MEDIUM
Openvswitch < 2.15.0 - Use After Free
Open vSwitch (aka openvswitch) 2.11.0 through 2.15.0 has a use-after-free in decode_NXAST_RAW_ENCAP (called from ofpact_decode and ofpacts_decode) during the decoding of a RAW_ENCAP action.
CVSS 5.5
CVE-2021-3620 WRITEUP MEDIUM
Ansible < 2.9.27 - Sensitive Information Disclosure in Error Messages
A flaw was found in Ansible Engine's ansible-connection module, where sensitive information such as the Ansible user credentials is disclosed by default in the traceback error message. The highest threat from this vulnerability is to confidentiality.
CVSS 5.5
CVE-2021-3623 WRITEUP MEDIUM
libtpms < 0.6.5 - Out-of-bounds Write via TPM 2 Command Packet Processing
A flaw was found in libtpms. The flaw can be triggered by specially-crafted TPM 2 command packets containing illegal values and may lead to an out-of-bounds access when the volatile state of the TPM 2 is marshalled/written or unmarshalled/read. The highest threat from this vulnerability is to system availability.
CVSS 6.1
CVE-2021-3644 WRITEUP LOW
Redhat Descision Manager < 16.0.1.Final - Information Disclosure
A flaw was found in wildfly-core in all versions. If a vault expression is in the form of a single attribute that contains multiple expressions, a user who was granted access to the management interface can potentially access a vault expression they should not be able to access and possibly retrieve the item which was stored in the vault. The highest threat from this vulnerability is data confidentiality and integrity.
CVSS 3.3
CVE-2021-3656 WRITEUP HIGH
Linux Kernel 4.13-<4.14.245 - Missing Authorization in KVM SVM Nested Virtualization
A flaw was found in the KVM's AMD code for supporting SVM nested virtualization. The flaw occurs when processing the VMCB (virtual machine control block) provided by the L1 guest to spawn/handle a nested guest (L2). Due to improper validation of the "virt_ext" field, this issue could allow a malicious L1 to disable both VMLOAD/VMSAVE intercepts and VLS (Virtual VMLOAD/VMSAVE) for the L2 guest. As a result, the L2 guest would be allowed to read/write physical pages of the host, resulting in a crash of the entire system, leak of sensitive data or potential guest-to-host escape.
CVSS 8.8
CVE-2021-3670 WRITEUP MEDIUM
Samba 4.1.0-4.15.9 - Uncontrolled Resource Consumption via MaxQueryDuration LDAP Bypass
MaxQueryDuration not honoured in Samba AD DC LDAP
CVSS 6.5
CVE-2021-3684 WRITEUP MEDIUM
OpenShift Assisted Installer < 1.0.25.3 - Authenticated Image Pull Secret Exposure in Installation Logs
A vulnerability was found in OpenShift Assisted Installer. During generation of the Discovery ISO, image pull secrets were leaked as plaintext in the installation logs. An authenticated user could exploit this by re-using the image pull secret to pull container images from the registry as the associated user.
CVSS 5.5
CVE-2021-37157 WRITEUP HIGH
OpenGamePanel OGP-Agent-Linux < 2021-08-14 - Cleartext Storage of Sensitive Information in Config.pm
An issue was discovered in OpenGamePanel OGP-Agent-Linux through 2021-08-14. $HOME/OGP/Cfg/Config.pm has the root password in cleartext.
CVSS 8.8
CVE-2021-37367 WRITEUP HIGH
CTparental < 4.45.07 - Remote Code Execution via Directory Traversal in bl_categories_help.php
CTparental before 4.45.07 is affected by a code execution vulnerability in the CTparental admin panel. Because The file "bl_categories_help.php" is vulnerable to directory traversal, an attacker can create a file that contains scripts and run arbitrary commands.
CVSS 7.8