Writeup Exploits

63,652 exploits tracked across all sources.

Sort: Activity Stars
CVE-2021-3929 WRITEUP HIGH
QEMU < 7.0.0 - Use-After-Free in NVME Controller Emulation
A DMA reentrancy issue was found in the NVM Express Controller (NVME) emulation in QEMU. This CVE is similar to CVE-2021-3750 and, just like it, when the reentrancy write triggers the reset function nvme_ctrl_reset(), data structs will be freed leading to a use-after-free issue. A malicious guest could use this flaw to crash the QEMU process on the host, resulting in a denial of service condition or, potentially, executing arbitrary code within the context of the QEMU process on the host.
CVSS 8.2
CVE-2021-40154 WRITEUP MEDIUM
NXP LPC55S69 - Out-of-bounds Read via USB ISP GET Descriptor Configuration Request
NXP LPC55S69 devices before A3 have a buffer over-read via a crafted wlength value in a GET Descriptor Configuration request during use of USB In-System Programming (ISP) mode. This discloses protected flash memory.
CVSS 6.1
CVE-2021-40219 WRITEUP HIGH
Bolt CMS <= 4.2 - Authenticated Remote Code Execution via Theme Template Injection
Bolt CMS <= 4.2 is vulnerable to Remote Code Execution. Unsafe theme rendering allows an authenticated attacker to edit theme to inject server-side template injection that leads to remote code execution.
CVSS 8.8
CVE-2021-40219 WRITEUP HIGH
Bolt CMS <= 4.2 - Authenticated Remote Code Execution via Theme Template Injection
Bolt CMS <= 4.2 is vulnerable to Remote Code Execution. Unsafe theme rendering allows an authenticated attacker to edit theme to inject server-side template injection that leads to remote code execution.
CVSS 8.8
CVE-2021-27367 WRITEUP HIGH
Bolt < 4.1.13 - Path Traversal in FileEdit and Filemanager Controllers
Controller/Backend/FileEditController.php and Controller/Backend/FilemanagerController.php in Bolt before 4.1.13 allow Directory Traversal.
CVSS 7.5
CVE-2021-27367 WRITEUP HIGH
Bolt < 4.1.13 - Path Traversal in FileEdit and Filemanager Controllers
Controller/Backend/FileEditController.php and Controller/Backend/FilemanagerController.php in Bolt before 4.1.13 allow Directory Traversal.
CVSS 7.5
CVE-2021-40222 WRITEUP HIGH
Rittal CMC PU III 3.11.00_2-3.17.10 - Remote Code Execution via PU-Hostname Field
Rittal CMC PU III Web management Version affected: V3.11.00_2. Version fixed: V3.17.10 is affected by a remote code execution vulnerablity. It is possible to introduce shell code to create a reverse shell in the PU-Hostname field of the TCP/IP Configuration dialog. Web application fails to sanitize user input on Network TCP/IP configuration page. This allows the attacker to inject commands as root on the device which will be executed once the data is received.
CVSS 7.2
CVE-2021-40223 WRITEUP MEDIUM
Rittal CMC PU III Web <V3.11.00_2 - XSS
Rittal CMC PU III Web management (version V3.11.00_2) fails to sanitize user input on several parameters of the configuration (User Configuration dialog, Task Configuration dialog and set logging filter dialog). This allows an attacker to backdoor the device with HTML and browser-interpreted content (such as JavaScript or other client-side scripts). The XSS payload will be triggered when the user accesses some specific sections of the application.
CVSS 5.4
CVE-2021-40309 WRITEUP HIGH
OpenSIS 8.0 - Authenticated SQL Injection via cp_id_miss_attn Parameter
A SQL injection vulnerability exists in the Take Attendance functionality of OS4Ed's OpenSIS 8.0. allows an attacker to inject their own SQL query. The cp_id_miss_attn parameter from TakeAttendance.php is vulnerable to SQL injection. An attacker can make an authenticated HTTP request as a user with access to "Take Attendance" functionality to trigger this vulnerability.
CVSS 8.8
CVE-2021-40345 WRITEUP HIGH
Nagios XI <5.8.5 - Command Injection
An issue was discovered in Nagios XI 5.8.5. In the Manage Dashlets section of the Admin panel, an administrator can upload ZIP files. A command injection (within the name of the first file in the archive) allows an attacker to execute system commands.
CVSS 7.2
CVE-2021-40346 WRITEUP HIGH
HAProxy <2.6 - HTTP Request Smuggling
An integer overflow exists in HAProxy 2.0 through 2.5 in htx_add_header that can be exploited to perform an HTTP request smuggling attack, allowing an attacker to bypass all configured http-request HAProxy ACLs and possibly other ACLs.
CVSS 7.5
CVE-2021-40378 WRITEUP HIGH
Compro IP70 IP570 IP60 TN540 Firmware - Unauthenticated Denial of Service via killps.cgi
An issue was discovered on Compro IP70 2.08_7130218, IP570 2.08_7130520, IP60, and TN540 devices. /cgi-bin/support/killps.cgi deletes all data from the device.
CVSS 8.1
CVE-2021-40379 WRITEUP HIGH
Compro IP70, IP570, IP60, TN540 Firmware - Unauthenticated RTSP Stream Access
An issue was discovered on Compro IP70 2.08_7130218, IP570 2.08_7130520, IP60, and TN540 devices. rstp://.../medias2 does not require authorization.
CVSS 7.5
CVE-2021-40380 WRITEUP HIGH
Compro IP70 IP570 IP60 TN540 Firmware - Credential Disclosure via cameralist.cgi and setcamera.cgi
An issue was discovered on Compro IP70 2.08_7130218, IP570 2.08_7130520, IP60, and TN540 devices. cameralist.cgi and setcamera.cgi disclose credentials.
CVSS 7.5
CVE-2021-40381 WRITEUP HIGH
Compro IP70/IP570/IP60/TN540 <2.08 - Info Disclosure
An issue was discovered on Compro IP70 2.08_7130218, IP570 2.08_7130520, IP60, and TN540 devices. index_MJpeg.cgi allows video access.
CVSS 7.5
CVE-2021-40382 WRITEUP HIGH
Compro IP70/IP570/TN540 <2.08 - Info Disclosure
An issue was discovered on Compro IP70 2.08_7130218, IP570 2.08_7130520, IP60, and TN540 devices. mjpegStreamer.cgi allows video screenshot access.
CVSS 7.5
CVE-2021-40617 WRITEUP CRITICAL
openSIS 8.0 - SQL Injection via ForgotPassUserName.php
An SQL Injection vulnerability exists in openSIS Community Edition version 8.0 via ForgotPassUserName.php.
CVSS 9.8
CVE-2021-40651 WRITEUP MEDIUM
OS4Ed OpenSIS Community 8.0 - Info Disclosure
OS4Ed OpenSIS Community 8.0 is vulnerable to a local file inclusion vulnerability in Modules.php (modname parameter), which can disclose arbitrary file from the server's filesystem as long as the application has access to the file.
CVSS 6.5
CVE-2021-40839 WRITEUP HIGH
rencode < 1.0.6 - Denial of Service via Malformed Typecode Decoding
The rencode package through 1.0.6 for Python allows an infinite loop in typecode decoding (such as via ;\x2f\x7f), enabling a remote attack that consumes CPU and memory.
CVSS 7.5
CVE-2021-40964 WRITEUP MEDIUM
TinyFileManager <=2.4.6 - Path Traversal
A Path Traversal vulnerability exists in TinyFileManager all version up to and including 2.4.6 that allows attackers to upload a file (with Admin credentials or with the CSRF vulnerability) with the "fullpath" parameter containing path traversal strings (../ and ..\) in order to escape the server's intended working directory and write malicious files onto any directory on the computer.
CVSS 6.5
CVE-2021-40964 WRITEUP MEDIUM
TinyFileManager <=2.4.6 - Path Traversal
A Path Traversal vulnerability exists in TinyFileManager all version up to and including 2.4.6 that allows attackers to upload a file (with Admin credentials or with the CSRF vulnerability) with the "fullpath" parameter containing path traversal strings (../ and ..\) in order to escape the server's intended working directory and write malicious files onto any directory on the computer.
CVSS 6.5
CVE-2021-40965 WRITEUP HIGH
TinyFileManager <= 2.4.6 - Cross-Site Request Forgery
A Cross-Site Request Forgery (CSRF) vulnerability exists in TinyFileManager all version up to and including 2.4.6 that allows attackers to upload files and run OS commands by inducing the Administrator user to browse a URL controlled by an attacker.
CVSS 8.8
CVE-2021-40966 WRITEUP MEDIUM
TinyFileManager <= 2.4.6 - Stored Cross-Site Scripting via Malicious Filename Upload
A Stored XSS exists in TinyFileManager All version up to and including 2.4.6 in /tinyfilemanager.php when the server is given a file that contains HTML and javascript in its name. A malicious user can upload a file with a malicious filename containing javascript code and it will run on any user browser when they access the server.
CVSS 5.4
CVE-2021-40978 WRITEUP HIGH
mkdocs 1.2.2 - Path Traversal via Dev-Server Port 8000
The mkdocs 1.2.2 built-in dev-server allows directory traversal using the port 8000, enabling remote exploitation to obtain :sensitive information. NOTE: the vendor has disputed this as described in https://github.com/mkdocs/mkdocs/issues/2601.] and https://github.com/nisdn/CVE-2021-40978/issues/1
CVSS 7.5
CVE-2021-40978 WRITEUP HIGH
mkdocs 1.2.2 - Path Traversal via Dev-Server Port 8000
The mkdocs 1.2.2 built-in dev-server allows directory traversal using the port 8000, enabling remote exploitation to obtain :sensitive information. NOTE: the vendor has disputed this as described in https://github.com/mkdocs/mkdocs/issues/2601.] and https://github.com/nisdn/CVE-2021-40978/issues/1
CVSS 7.5