Writeup Exploits

63,652 exploits tracked across all sources.

Sort: Activity Stars
CVE-2021-37597 WRITEUP CRITICAL
WP Cerber < 8.9.3 - Multi-Factor Authentication Bypass via wordpress_logged_in_[hash] Manipulation
WP Cerber before 8.9.3 allows MFA bypass via wordpress_logged_in_[hash] manipulation.
CVSS 9.8
CVE-2021-33616 WRITEUP MEDIUM
RSA Archer 6.1.0.0-6.9.1.4 - Stored Cross-Site Scripting
RSA Archer 6.x through 6.9 SP1 P4 (6.9.1.4) allows stored XSS.
CVSS 5.4
CVE-2021-33615 WRITEUP HIGH
RSA Archer <6.8.00500.1003 - Unrestricted Upload
RSA Archer 6.8.00500.1003 P5 allows Unrestricted Upload of a File with a Dangerous Type.
CVSS 7.5
CVE-2020-15467 WRITEUP HIGH
vns3 < 4.11.1 - Authenticated Remote Code Execution
The administrative interface of Cohesive Networks vns3:vpn appliances before version 4.11.1 is vulnerable to authenticated remote code execution leading to server compromise.
CVSS 8.8
CVE-2020-12878 WRITEUP HIGH
Digi ConnectPort X2e <3.2.30.6 - Privilege Escalation
Digi ConnectPort X2e before 3.2.30.6 allows an attacker to escalate privileges from the python user to root via a symlink attack that uses chown, related to /etc/init.d/S50dropbear.sh and the /WEB/python/.ssh directory.
CVSS 7.8
CVE-2021-38556 WRITEUP HIGH
RaspAP 2.6.6 - OS Command Injection in configure_client.php
includes/configure_client.php in RaspAP 2.6.6 allows attackers to execute commands via command injection.
CVSS 8.8
CVE-2021-38557 WRITEUP HIGH
raspap-webgui - Unauthenticated Privilege Escalation via Sudoers Misconfiguration
raspap-webgui in RaspAP 2.6.6 allows attackers to execute commands as root because of the insecure sudoers permissions. The www-data account can execute /etc/raspap/hostapd/enablelog.sh as root with no password; however, the www-data account can also overwrite /etc/raspap/hostapd/enablelog.sh with any executable content.
CVSS 8.8
CVE-2021-38593 WRITEUP HIGH
Qt <5.15.6, <=6.1.2 - Buffer Overflow
Qt 5.x before 5.15.6 and 6.x through 6.1.2 has an out-of-bounds write in QOutlineMapper::convertPath (called from QRasterPaintEngine::fill and QPaintEngineEx::stroke).
CVSS 7.5
CVE-2021-38819 WRITEUP HIGH
Simple Image Gallery System 1.0 - SQL Injection
A SQL injection vulnerability exits on the Simple Image Gallery System 1.0 application through "id" parameter on the album page.
CVSS 8.8
CVE-2021-3817 WRITEUP CRITICAL
WBCE CMS < 1.5.2 - SQL Injection
wbce_cms is vulnerable to Improper Neutralization of Special Elements used in an SQL Command
CVSS 9.8
CVE-2021-3831 WRITEUP MEDIUM
gnuboard5 < 5.4.20 - Cross-Site Scripting
gnuboard5 is vulnerable to Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVSS 6.1
CVE-2021-39160 WRITEUP CRITICAL
nbgitpuller 0.9.0-0.10.1 - OS Command Injection via Malicious Link
nbgitpuller is a Jupyter server extension to sync a git repository one-way to a local path. Due to unsanitized input, visiting maliciously crafted links could result in arbitrary code execution in the user environment. This has been resolved in version 0.10.2 and all users are advised to upgrade. No work around exist for users who can not upgrade.
CVSS 9.6
CVE-2021-39165 WRITEUP HIGH
Cachet <= 2.3.18 - Unauthenticated SQL Injection via SearchableTrait
Cachet is an open source status page. With Cachet prior to and including 2.3.18, there is a SQL injection which is in the `SearchableTrait#scopeSearch()`. Attackers without authentication can utilize this vulnerability to exfiltrate sensitive data from the database such as administrator's password and session. The original repository of Cachet <https://github.com/CachetHQ/Cachet> is not active, the stable version 2.3.18 and it's developing 2.4 branch is affected.
CVSS 8.1
CVE-2021-39167 WRITEUP CRITICAL
OpenZeppelin contracts 3.3.0-3.4.1 and 4.0.0-4.3.0 - Privilege Escalation in TimelockController
OpenZepplin is a library for smart contract development. In affected versions a vulnerability in TimelockController allowed an actor with the executor role to escalate privileges. Further details about the vulnerability will be disclosed at a later date. As a workaround revoke the executor role from accounts not strictly under the team's control. We recommend revoking all executors that are not also proposers. When applying this mitigation, ensure there is at least one proposer and executor remaining.
CVSS 10.0
CVE-2021-39168 WRITEUP CRITICAL
OpenZeppelin contracts 3.3.0-3.4.1 and contracts-upgradeable 4.0.0-4.3.0 - Privilege Escalation in TimelockController
OpenZepplin is a library for smart contract development. In affected versions a vulnerability in TimelockController allowed an actor with the executor role to escalate privileges. Further details about the vulnerability will be disclosed at a later date. As a workaround revoke the executor role from accounts not strictly under the team's control. We recommend revoking all executors that are not also proposers. When applying this mitigation, ensure there is at least one proposer and executor remaining.
CVSS 10.0
CVE-2021-39180 WRITEUP HIGH
OpenOLAT < 15.3.18 - Authenticated Path Traversal and Arbitrary File Write via ZIP Archive Extraction
OpenOLAT is a web-based learning management system (LMS). A path traversal vulnerability exists in versions prior to 15.3.18, 15.5.3, and 16.0.0. Using a specially prepared ZIP file, it is possible to overwrite any file that is writable by the application server user (e.g. the tomcat user). Depending on the configuration this can be limited to files of the OpenOlat user data directory, however, if not properly set up, the attack could also be used to overwrite application server config files, java code or even operating system files. The attack could be used to corrupt or modify any OpenOlat file such as course structures, config files or temporary test data. Those attack would require in-depth knowledge of the installation and thus more theoretical. If the app server configuration allows the execution of jsp files and the path to the context is known, it is also possible to execute java code. If the app server runs with the same user that is used to deploy the OpenOlat code or has write permissions on the OpenOlat code files and the path to the context is know, code injection is possible. The attack requires an OpenOlat user account to upload a ZIP file and trigger the unzip method. It can not be exploited by unregistered users. The problem is fixed in versions 15.3.18, 15.5.3 and 16.0.0. There are no known workarounds aside from upgrading.
CVSS 8.1
CVE-2021-39195 WRITEUP HIGH
Misskey < 12.90.0 - Server-Side Request Forgery via Upload from URL
Misskey is an open source, decentralized microblogging platform. In affected versions a Server-Side Request Forgery vulnerability exists in "Upload from URL" and remote attachment handling. This could result in the disclosure of non-public information within the internal network. This has been fixed in 12.90.0. However, if you are using a proxy, you will need to take additional measures. As a workaround this exploit may be avoided by appropriately restricting access to private networks from the host where the application is running.
CVSS 7.7
CVE-2021-39207 WRITEUP HIGH
ParlAI < 1.1.0 - Remote Code Execution via YAML Deserialization
parlai is a framework for training and evaluating AI models on a variety of openly available dialogue datasets. In affected versions the package is vulnerable to YAML deserialization attack caused by unsafe loading which leads to Arbitary code execution. This security bug is patched by avoiding unsafe loader users should update to version above v1.1.0. If upgrading is not possible then users can change the Loader used to SafeLoader as a workaround. See commit 507d066ef432ea27d3e201da08009872a2f37725 for details.
CVSS 8.4
CVE-2021-39212 WRITEUP MEDIUM
ImageMagick 6.9.12-0-6.9.12-22 - Race Condition in Policy Enforcement
ImageMagick is free software delivered as a ready-to-run binary distribution or as source code that you may use, copy, modify, and distribute in both open and proprietary applications. In affected versions and in certain cases, Postscript files could be read and written when specifically excluded by a `module` policy in `policy.xml`. ex. <policy domain="module" rights="none" pattern="PS" />. The issue has been resolved in ImageMagick 7.1.0-7 and in 6.9.12-22. Fortunately, in the wild, few users utilize the `module` policy and instead use the `coder` policy that is also our workaround recommendation: <policy domain="coder" rights="none" pattern="{PS,EPI,EPS,EPSF,EPSI}" />.
CVSS 4.4
CVE-2021-39327 WRITEUP MEDIUM
Wordpress BulletProof Security Backup Disclosure
The BulletProof Security WordPress plugin is vulnerable to sensitive information disclosure due to a file path disclosure in the publicly accessible ~/db_backup_log.txt file which grants attackers the full path of the site, in addition to the path of database backup files. This affects versions up to, and including, 5.1.
CVSS 5.3
CVE-2021-39352 WRITEUP HIGH
Wordpress Plugin Catch Themes Demo Import RCE
The Catch Themes Demo Import WordPress plugin is vulnerable to arbitrary file uploads via the import functionality found in the ~/inc/CatchThemesDemoImport.php file, in versions up to and including 1.7, due to insufficient file type validation. This makes it possible for an attacker with administrative privileges to upload malicious files that can be used to achieve remote code execution.
CVSS 7.2
CVE-2021-39352 WRITEUP HIGH
Wordpress Plugin Catch Themes Demo Import RCE
The Catch Themes Demo Import WordPress plugin is vulnerable to arbitrary file uploads via the import functionality found in the ~/inc/CatchThemesDemoImport.php file, in versions up to and including 1.7, due to insufficient file type validation. This makes it possible for an attacker with administrative privileges to upload malicious files that can be used to achieve remote code execution.
CVSS 7.2
CVE-2021-39433 WRITEUP HIGH
biqsdrive < 1.83 - Local File Inclusion via Download Endpoint File Parameter
A local file inclusion (LFI) vulnerability exists in version BIQS IT Biqs-drive v1.83 and below when sending a specific payload as the file parameter to download/index.php. This allows the attacker to read arbitrary files from the server with the permissions of the configured web-user.
CVSS 7.5
CVE-2021-39509 WRITEUP CRITICAL
D-Link DIR-816 A2 Firmware 1.10CNB05_R1B011D88210 - OS Command Injection via form2userconfig.cgi Username Parameter
An issue was discovered in D-Link DIR-816 DIR-816A2_FWv1.10CNB05_R1B011D88210 The HTTP request parameter is used in the handler function of /goform/form2userconfig.cgi route, which can construct the user name string to delete the user function. This can lead to command injection through shell metacharacters.
CVSS 9.8
CVE-2021-39510 WRITEUP CRITICAL
D-Link DIR-816 A1 FW101CNB04 - OS Command Injection via form2userconfig.cgi Username Parameter
An issue was discovered in D-Link DIR816_A1_FW101CNB04 750m11ac wireless router, The HTTP request parameter is used in the handler function of /goform/form2userconfig.cgi route, which can construct the user name string to delete the user function. This can lead to command injection through shell metacharacters.
CVSS 9.8