Writeup Exploits

63,674 exploits tracked across all sources.

Sort: Activity Stars
CVE-2022-21738 WRITEUP MEDIUM
TensorFlow < 2.5.3 - Denial of Service via Integer Overflow in SparseCountSparseOutput
Tensorflow is an Open Source Machine Learning Framework. The implementation of `SparseCountSparseOutput` can be made to crash a TensorFlow process by an integer overflow whose result is then used in a memory allocation. The fix will be included in TensorFlow 2.8.0. We will also cherrypick this commit on TensorFlow 2.7.1, TensorFlow 2.6.3, and TensorFlow 2.5.3, as these are also affected and still in supported range.
CVSS 6.5
CVE-2022-21739 WRITEUP MEDIUM
TensorFlow < 2.5.3 - NULL Pointer Dereference in QuantizedMaxPool
Tensorflow is an Open Source Machine Learning Framework. The implementation of `QuantizedMaxPool` has an undefined behavior where user controlled inputs can trigger a reference binding to null pointer. The fix will be included in TensorFlow 2.8.0. We will also cherrypick this commit on TensorFlow 2.7.1, TensorFlow 2.6.3, and TensorFlow 2.5.3, as these are also affected and still in supported range.
CVSS 6.5
CVE-2022-21740 WRITEUP HIGH
TensorFlow < 2.5.3 - Heap Overflow in SparseCountSparseOutput
Tensorflow is an Open Source Machine Learning Framework. The implementation of `SparseCountSparseOutput` is vulnerable to a heap overflow. The fix will be included in TensorFlow 2.8.0. We will also cherrypick this commit on TensorFlow 2.7.1, TensorFlow 2.6.3, and TensorFlow 2.5.3, as these are also affected and still in supported range.
CVSS 7.6
CVE-2022-21741 WRITEUP MEDIUM
TensorFlow < 2.5.3 - Denial of Service via Division by Zero in Depthwise Convolution
Tensorflow is an Open Source Machine Learning Framework. ### Impact An attacker can craft a TFLite model that would trigger a division by zero in the implementation of depthwise convolutions. The parameters of the convolution can be user controlled and are also used within a division operation to determine the size of the padding that needs to be added before applying the convolution. There is no check before this division that the divisor is strictly positive. The fix will be included in TensorFlow 2.8.0. We will also cherrypick this commit on TensorFlow 2.7.1, TensorFlow 2.6.3, and TensorFlow 2.5.3, as these are also affected and still in supported range.
CVSS 6.5
CVE-2022-21831 WRITEUP CRITICAL
Active Storage 5.2.0-5.2.6.2 - Code Injection via Image Processing Arguments
A code injection vulnerability exists in the Active Storage >= v5.2.0 that could allow an attacker to execute code via image_processing arguments.
CVSS 9.8
CVE-2022-2153 WRITEUP MEDIUM
Linux Kernel < 5.18 - Denial of Service via KVM SynIC IRQ NULL Pointer Dereference
A flaw was found in the Linux kernel’s KVM when attempting to set a SynIC IRQ. This issue makes it possible for a misbehaving VMM to write to SYNIC/STIMER MSRs, causing a NULL pointer dereference. This flaw allows an unprivileged local attacker on the host to issue specific ioctl calls, causing a kernel oops condition that results in a denial of service.
CVSS 5.5
CVE-2022-22143 WRITEUP HIGH
convict <6.2.2 - Prototype Pollution
The package convict before 6.2.2 are vulnerable to Prototype Pollution via the convict function due to missing validation of parentKey. **Note:** This vulnerability derives from an incomplete fix of another [vulnerability](https://security.snyk.io/vuln/SNYK-JS-CONVICT-1062508)
CVSS 7.5
CVE-2022-22296 WRITEUP MEDIUM
Hospital's Patient Records Management System 1.0 - Insecure Permissions via Manage User Endpoint
Sourcecodester Hospital's Patient Records Management System 1.0 is vulnerable to Insecure Permissions via the id parameter in manage_user endpoint. Simply change the value and data of other users can be displayed.
CVSS 5.3
CVE-2022-22828 WRITEUP HIGH
Synaman < 5.0 - Unauthenticated Unshared File Access via Base64-Encoded Filename
An insecure direct object reference for the file-download URL in Synametrics SynaMan before 5.0 allows a remote attacker to access unshared files via a modified base64-encoded filename string.
CVSS 7.5
CVE-2022-22845 WRITEUP CRITICAL
QXIP SIPCAPTURE homer-app < 1.4.28 - Use of Hard-coded JWT Secret Key
QXIP SIPCAPTURE homer-app before 1.4.28 for HOMER 7.x has the same 167f0db2-f83e-4baa-9736-d56064a5b415 JWT secret key across different customers' installations.
CVSS 9.8
CVE-2022-22845 WRITEUP CRITICAL
QXIP SIPCAPTURE homer-app < 1.4.28 - Use of Hard-coded JWT Secret Key
QXIP SIPCAPTURE homer-app before 1.4.28 for HOMER 7.x has the same 167f0db2-f83e-4baa-9736-d56064a5b415 JWT secret key across different customers' installations.
CVSS 9.8
CVE-2022-22850 WRITEUP MEDIUM
Hospital's Patient Records Management System 1.0 - Stored Cross-Site Scripting via Room Types Description Parameter
A Stored Cross Site Scripting (XSS) vulnerability exists in Sourcecodtester Hospital's Patient Records Management System 1.0 via the description parameter in room_types.
CVSS 5.4
CVE-2022-22851 WRITEUP MEDIUM
Hospital's Patient Records Management System - Stored Cross-Site Scripting via Specialization Parameter
A Stored Cross Site Scripting (XSS) vulnerability exists in Sourcecodtester Hospital's Patient Records Management System 1.0 via the specialization parameter in doctors.php
CVSS 5.4
CVE-2022-22852 WRITEUP MEDIUM
Hospital's Patient Records Management System 1.0 - Stored Cross-Site Scripting via Room List Description Parameter
A Stored Cross Site Scripting (XSS) vulnerability exists in Sourcecodtester Hospital's Patient Records Management System 1.0 via the description parameter in room_list.
CVSS 5.4
CVE-2022-22916 WRITEUP CRITICAL
Zoneland O2oa - Remote Code Execution
O2OA v6.4.7 was discovered to contain a remote code execution (RCE) vulnerability via /x_program_center/jaxrs/invoke.
CVSS 9.8
CVE-2022-2255 WRITEUP HIGH
mod_wsgi < 4.9.3 - Unauthenticated Header Spoofing via X-Client-IP
A vulnerability was found in mod_wsgi. The X-Client-IP header is not removed from a request from an untrusted proxy, allowing an attacker to pass the X-Client-IP header to the target WSGI application because the condition to remove it is missing.
CVSS 7.5
CVE-2022-23055 WRITEUP
ERPNext 11.0.0-beta-13.0.2 - Missing Authorization in Chat Rooms
In ERPNext, versions v11.0.0-beta through v13.0.2 are vulnerable to Missing Authorization, in the chat rooms functionality. A low privileged attacker can send a direct message or a group message to any member or group, impersonating themselves as the administrator. The attacker can also read chat messages of groups that they do not belong to, and of other users.
CVE-2022-23082 WRITEUP HIGH
CureKit 1.0.1-1.1.3 - Path Traversal via isFileOutsideDir Input Sanitization Bypass
In CureKit versions v1.0.1 through v1.1.3 are vulnerable to path traversal as the function isFileOutsideDir fails to sanitize the user input which may lead to path traversal.
CVSS 7.5
CVE-2022-23457 WRITEUP HIGH
OWASP Enterprise Security API < 2.3.0.0 - Path Traversal via Validator.getValidDirectoryPath
ESAPI (The OWASP Enterprise Security API) is a free, open source, web application security control library. Prior to version 2.3.0.0, the default implementation of `Validator.getValidDirectoryPath(String, String, File, boolean)` may incorrectly treat the tested input string as a child of the specified parent directory. This potentially could allow control-flow bypass checks to be defeated if an attack can specify the entire string representing the 'input' path. This vulnerability is patched in release 2.3.0.0 of ESAPI. As a workaround, it is possible to write one's own implementation of the Validator interface. However, maintainers do not recommend this.
CVSS 7.5
CVE-2022-23476 WRITEUP HIGH
Nokogiri 1.13.8-1.13.9 - Denial of Service via Unchecked Return Value in XML::Reader#attribute_hash
Nokogiri is an open source XML and HTML library for the Ruby programming language. Nokogiri `1.13.8` and `1.13.9` fail to check the return value from `xmlTextReaderExpand` in the method `Nokogiri::XML::Reader#attribute_hash`. This can lead to a null pointer exception when invalid markup is being parsed. For applications using `XML::Reader` to parse untrusted inputs, this may potentially be a vector for a denial of service attack. Users are advised to upgrade to Nokogiri `>= 1.13.10`. Users may be able to search their code for calls to either `XML::Reader#attributes` or `XML::Reader#attribute_hash` to determine if they are affected.
CVSS 7.5
CVE-2022-23494 WRITEUP MEDIUM
TinyMCE < 5.10.7 and 6.0.0-6.3.1 - Cross-Site Scripting via Alert and Confirm Dialogs
tinymce is an open source rich text editor. A cross-site scripting (XSS) vulnerability was discovered in the alert and confirm dialogs when these dialogs were provided with malicious HTML content. This can occur in plugins that use the alert or confirm dialogs, such as in the `image` plugin, which presents these dialogs when certain errors occur. The vulnerability allowed arbitrary JavaScript execution when an alert presented in the TinyMCE UI for the current user. This vulnerability has been patched in TinyMCE 5.10.7 and TinyMCE 6.3.1 by ensuring HTML sanitization was still performed after unwrapping invalid elements. Users are advised to upgrade to either 5.10.7 or 6.3.1. Users unable to upgrade may ensure the the `images_upload_handler` returns a valid value as per the images_upload_handler documentation.
CVSS 5.4
CVE-2022-23510 WRITEUP CRITICAL
cube.js 0.31.23 - Authenticated SQL Injection via /v1/sql-runner Endpoint
cube-js is a headless business intelligence platform. In version 0.31.23 all authenticated Cube clients could bypass SQL row-level security and run arbitrary SQL via the newly introduced /v1/sql-runner endpoint. This issue has been resolved in version 0.31.24. Users are advised to either upgrade to 0.31.24 or to downgrade to 0.31.22. There are no known workarounds for this vulnerability.
CVSS 9.6
CVE-2022-23530 WRITEUP MEDIUM
GuardDog < 0.1.8 - Arbitrary File Write via Tarball Extraction
GuardDog is a CLI tool to identify malicious PyPI packages. Versions prior to v0.1.8 are vulnerable to arbitrary file write when scanning a specially-crafted remote PyPI package. Extracting files using shutil.unpack_archive() from a potentially malicious tarball without validating that the destination file path is within the intended destination directory can cause files outside the destination directory to be overwritten. This issue is patched in version 0.1.8. Potential workarounds include using a safer module, like zipfile, and validating the location of the extracted files and discarding those with malicious paths.
CVSS 5.8
CVE-2022-23538 WRITEUP MEDIUM
sylabs scs-library-client >=1.4.0 <1.4.2 - Credential Leak via S3 Redirect
github.com/sylabs/scs-library-client is the Go client for the Singularity Container Services (SCS) Container Library Service. When the scs-library-client is used to pull a container image, with authentication, the HTTP Authorization header sent by the client to the library service may be incorrectly leaked to an S3 backing storage provider. This occurs in a specific flow, where the library service redirects the client to a backing S3 storage server, to perform a multi-part concurrent download. Depending on site configuration, the S3 service may be provided by a third party. An attacker with access to the S3 service may be able to extract user credentials, allowing them to impersonate the user. The vulnerable multi-part concurrent download flow, with redirect to S3, is only used when communicating with a Singularity Enterprise 1.x installation, or third party server implementing this flow. Interaction with Singularity Enterprise 2.x, and Singularity Container Services (cloud.sylabs.io), does not trigger the vulnerable flow. We encourage all users to update. Users who interact with a Singularity Enterprise 1.x installation, using a 3rd party S3 storage service, are advised to revoke and recreate their authentication tokens within Singularity Enterprise. There is no workaround available at this time.
CVSS 5.2
CVE-2022-23552 WRITEUP HIGH
Grafana 8.1-8.5.16 - Stored Cross-Site Scripting in GeoMap Plugin via SVG File
Grafana is an open-source platform for monitoring and observability. Starting with the 8.1 branch and prior to versions 8.5.16, 9.2.10, and 9.3.4, Grafana had a stored XSS vulnerability affecting the core plugin GeoMap. The stored XSS vulnerability was possible because SVG files weren't properly sanitized and allowed arbitrary JavaScript to be executed in the context of the currently authorized user of the Grafana instance. An attacker needs to have the Editor role in order to change a panel to include either an external URL to a SVG-file containing JavaScript, or use the `data:` scheme to load an inline SVG-file containing JavaScript. This means that vertical privilege escalation is possible, where a user with Editor role can change to a known password for a user having Admin role if the user with Admin role executes malicious JavaScript viewing a dashboard. Users may upgrade to version 8.5.16, 9.2.10, or 9.3.4 to receive a fix.
CVSS 7.3